Signals Reference
This reference documents all available signals that can be used in rule conditions. Each signal represents data collected during domain analysis and can be used to detect suspicious patterns.
Core Domain Information
permutation · string
Domain permutation
Example: "shopfacebook.com", "facebook-login.com"
kind · string
Permutation kind
Example: "typosquatting", "combosquatting"
created_on · date
Timestamp when the lookup result was created
Example: "2026-01-14T18:53:57.917845Z" (RFC3339)
levenshtein_distance · number
Edit distance from original domain
Example: 4, 6, 8
tags · array<string>
Tags associated with the lookup result
Example: ["high-priority", "investigate"]
DNS Resolution Data
dns_a · array<inet>
DNS A records (IPv4)
Example: ["31.13.66.4"]
dns_aaaa · array<inet>
DNS AAAA records (IPv6)
Example: ["2a03:2880:f003:c07:face:b00c:0:2"]
dns_mx · array<string>
DNS MX records
Example: ["smtpin.vvv.facebook.com."]
dns_ns · array<string>
DNS NS records
Example: ["a.ns.facebook.com.", "b.ns.facebook.com."]
dns_cname · array<string>
DNS CNAME records
Example: ["target.domain.com."]
dns_txt · array<string>
DNS TXT records
Example: ["v=spf1 -all", "google-site-verification=..."]
dns_caa · array<string>
DNS CAA records (certificate authority authorization)
Example: ["0 issue \"letsencrypt.org\"", "0 iodef \"mailto:security@example.com\""]
dns_tlsa · array<string>
DNS TLSA records (DANE/TLSA authentication)
Example: ["3 1 1 2A5B..."]
dns_srv · array<string>
DNS SRV records (service locator)
Example: ["10 5 443 sipdir.online.example.com."]
dns_naptr · array<string>
DNS NAPTR records (naming authority pointer)
Example: ["100 10 \"U\" \"E2U+sip\" \"!^.*$!sip:info@example.com!\" ."]
dns_ptr · array<string>
DNS PTR records (reverse DNS)
Example: ["ptr.example.com."]
dns_dnskey · array<string>
DNS DNSKEY records (DNSSEC public keys)
Example: ["257 3 13 AwEAA..."]
dns_ds · array<string>
DNS DS records (DNSSEC delegation signer)
Example: ["2371 13 2 6B6F..."]
Server and Infrastructure
smtp · string
SMTP banner
Example: "220 mx.example.com ESMTP ready"
http_banner · string
HTTP server banner
Example: "nginx/1.18.0", "cloudflare"
Geolocation and Network
geolocation.asn.number · number
ASN number
Example: 32934, 13335, 16509
geolocation.asn.name · string
ASN name
Example: "FACEBOOK", "CLOUDFLARENET"
geolocation.country · string
Country code
Example: "US", "CA", "GB"
geolocation.continent · string
Continent code
Example: "NA", "EU", "AS"
Classification Scores
classification.phishing · number
Phishing classification score (0-1)
Example: 0.01, 0.85, 0.95
classification.malware · number
Malware classification score (0-1)
Example: 0.01, 0.85, 0.95
classification.impersonation · number
Impersonation classification score (0-1)
Example: 0.01, 0.85, 0.95
Domain Registration
whois · string
WHOIS lookup data
Example: Raw WHOIS response text
Registration Metadata Fields
registration_metadata.registrar · string
Domain registrar name
Example: "RegistrarSafe, LLC", "GoDaddy.com, LLC"
registration_metadata.registrar_iana_id · string
Domain registrar IANA identifier
Example: "292", "146"
registration_metadata.registration_date · date
Domain registration date
Example: "1997-03-29T05:00:00Z" (RFC3339)
registration_metadata.expiration_date · date
Domain expiration date
Example: "2034-03-30T04:00:00Z" (RFC3339)
registration_metadata.updated_on · date
Last updated timestamp
Example: "2024-12-01T00:00:00Z" (RFC3339)
registration_metadata.registrar_abuse_contact · string
Registrar abuse contact
Example: "abuse@example-registrar.com"
registration_metadata.status_codes · string
Domain status codes (JSON array)
Example: ["clientTransferProhibited", "ok"]
registration_metadata.url · string
RDAP/WHOIS server URL
Example: "https://rdap.example.com"
registration_metadata.server · string
RDAP/WHOIS server hostname
Example: "whois.example.com"
registration_metadata.nameservers · string
Nameserver value (matches any)
Example: "ns1.example.com"
registration_metadata.dnssec_status · string
DNSSEC status
Example: "Signed", "Unsigned"
registration_metadata.delegation_signer · string
DNSSEC delegation signer record (matches any)
Example: "2371 13 2 6B6F..."
registration_metadata.privacy_proxy · string
Heuristic privacy proxy indicator
Example: "Domains By Proxy"
registration_metadata.icann_complaint_link · string
ICANN complaint link
Example: "https://www.icann.org/..."
registration_metadata.reseller · string
Reseller information
Example: "Example Reseller"
Technologies and Content
technologies · array<string>
Technologies detected on the domain
Example: ["HSTS", "HTTP/3"], ["Cloudflare", "HTTP/3"]
Web Enrichment
favicon.url · string
Source URL of the favicon used for fingerprinting
Example: "https://example.com/favicon.ico"
favicon.content_type · string
Content type reported for the favicon asset
Example: "image/png", "image/jpeg"
favicon.sha256 · string
SHA-256 hash of the favicon asset
Example: "18617a981991607982022c0a36a9c958935e4e614e5343f9f1b528844d939aed"
favicon.dhash · string
Perceptual dHash of the favicon asset
Example: "3070f0e0e0c08e8e"
sitemap.url · string
Crawled page URL (matches any entry)
Example: "https://microboft.com/privacy"
sitemap.title · string
Crawled page title (matches any entry)
Example: "Microboft: Passion for Aircraft and Aerospace - Berlin"
sitemap.status_code · number
HTTP status code observed during crawl (matches any entry)
Example: 200, 301, 403
sitemap.depth · number
Discovery depth of a crawled page (matches any entry)
Example: 0, 1, 2
sitemap.parent_url · string
Parent URL that linked to a crawled page (matches any entry)
Example: "https://example.com"
sitemap.entry_count · number
Number of pages discovered during crawl
Example: 1, 3, 12
sitemap.broken_link.kind · string
Broken link classification (matches any link)
Example: "placeholder_anchor", "http_error"
sitemap.broken_link.page_url · string
Page URL where a broken link was observed (matches any link)
Example: "https://microboft.com"
sitemap.broken_link.target_url · string
Target URL of a broken link, when available (matches any link)
Example: "https://twitter.com/"
sitemap.broken_link.link_text · string
Visible text of a broken link, when available (matches any link)
Example: "X", "Continue"
sitemap.broken_link.status_code · number
HTTP status code returned for a broken link, when available (matches any link)
Example: 403, 404, 521
sitemap.broken_link_count · number
Number of broken links observed during crawl
Example: 0, 2, 8
sitemap.external_link.target_host · string
External navigation target host observed during crawl (matches any link)
Example: "facebook.com", "www.spaceship.com"
sitemap.external_link.target_url · string
External navigation target URL observed during crawl (matches any link)
Example: "https://facebook.com/"
sitemap.external_link.link_text · string
Visible text of an external navigation link (matches any link)
Example: "Facebook", "Continue"
sitemap.external_link.source_host · string
Source host for an external navigation link (matches any link)
Example: "microboft.com"
sitemap.external_link_count · number
Number of external navigation links observed during crawl
Example: 0, 2, 7
business_intel.company_names · string
Company name extracted from crawled pages (matches any value)
Example: "Spaceship.com", "Planetpc"
business_intel.phone_numbers · string
Phone number extracted from crawled pages (matches any value)
Example: "(555) 123-4567", "2462087804"
business_intel.addresses · string
Address extracted from crawled pages (matches any value)
Example: "4600 East Washington Street, Suite 305, Phoenix, AZ 85034, USA"
business_intel.source_urls · string
Source URL used for business information extraction (matches any value)
Example: "https://microboft.com/legal-notice"
business_intel.company_name_count · number
Number of extracted company names
Example: 0, 1, 3
business_intel.phone_number_count · number
Number of extracted phone numbers
Example: 0, 1, 2
business_intel.address_count · number
Number of extracted addresses
Example: 0, 1, 4
business_intel.source_url_count · number
Number of source URLs used for business information extraction
Example: 1, 2, 5
TLS Certificate Data
origin_x509.subject_dn · string
Certificate subject distinguished name
Example: "CN=*.example.com,O=Example Corp,C=US"
origin_x509.issuer_dn · string
Certificate issuer distinguished name
Example: "CN=Example Issuing CA,O=Example CA,C=US"
origin_x509.fingerprint_sha256 · string
Certificate fingerprint (SHA-256)
Example: "f3c1...9a2e"
origin_x509.serial · string
Certificate serial number
Example: "04:3A:..."
origin_x509.not_before · number
Certificate valid from (Unix timestamp)
Example: 1735689600
origin_x509.not_after · number
Certificate valid until (Unix timestamp)
Example: 1767225600
origin_x509.san_dns · string
Certificate Subject Alternative Name DNS entry (matches any)
Example: "*.example.com", "example.com"
origin_x509.san_dns_count · number
Number of DNS entries in certificate Subject Alternative Names
Example: 2, 5, 100
origin_x509.san_ip · array<inet>
Certificate Subject Alternative Name IP entries
Example: ["192.0.2.1", "2001:db8::1"]
origin_x509.is_ca · boolean
Whether the certificate is a Certificate Authority
Example: true, false
origin_x509.ttl_days · number
Certificate TTL in days
Example: 30, 90, 398
origin_x509.key_alg · string
Certificate public key algorithm
Example: "RSA", "ECDSA"
origin_x509.key_size_bits · number
Certificate public key size in bits
Example: 2048, 256
origin_x509.sig_alg_oid · string
Certificate signature algorithm OID
Example: "1.2.840.113549.1.1.11"
origin_x509.path_len · number
Certificate path length constraint
Example: 0, 1, 3
origin_x509.policy_oids · string
Certificate policy OID (matches any)
Example: "2.23.140.1.2.1"
origin_x509.ocsp_uris · string
Certificate OCSP URI (matches any)
Example: "http://ocsp.example.com"
origin_x509.crl_dp · string
Certificate CRL distribution point (matches any)
Example: "http://crl.example.com/..."
Redirect Chain
redirect_chain.url · string
Redirect URL (matches any hop)
Example: "https://example.com/login"
redirect_chain.status · number
Redirect HTTP status code (matches any hop)
Example: 301, 302, 307
redirect_chain.kind · string
Redirect kind (matches any hop)
Example: "InitialRequest", "Http", "Javascript", "Client"
redirect_chain.certificate.subject_name · string
Redirect certificate subject common name (matches any hop)
Example: "example.com"
redirect_chain.certificate.issuer · string
Redirect certificate issuer (matches any hop)
Example: "Let's Encrypt"
Certificate Transparency
certificate_transparency.name · string
Domain name found in Certificate Transparency logs
Example: "example.com", "*.example.com"
certificate_transparency.is_precert · boolean
Whether the CT entry is a precertificate
Example: true, false
certificate_transparency.log_id · number
Certificate Transparency log identifier
Example: 1, 5, 42
certificate_transparency.index · number
Certificate Transparency index within the log
Example: 1234, 987654
certificate_transparency.occurrences_count · number
Number of occurrences in Certificate Transparency logs
Example: 1, 5, 10
certificate_transparency.last_seen_ts · number
Last seen timestamp in Certificate Transparency logs (Unix timestamp)
Example: 1704067200, 1735689600
certificate_transparency.labels.tld · string
Top-level domain label
Example: "com", "net"
certificate_transparency.labels.etld1 · string
Effective TLD+1
Example: "example.com"
certificate_transparency.labels.domain · string
Domain label
Example: "example"
certificate_transparency.labels.registrable_domain · string
Registrable domain (if available)
Example: "example.com"
certificate_transparency.labels.subdomain · string
Subdomain label (if available)
Example: "login"
Passive DNS
passive_dns.rrtype · string
Passive DNS record type (matches any record)
Example: "A", "AAAA", "CNAME"
passive_dns.rrname · string
Passive DNS rrname (matches any record)
Example: "example.com"
passive_dns.rdata · string
Passive DNS rdata value (matches any record)
Example: "203.0.113.10"
passive_dns.time_first · number
Passive DNS first seen timestamp (Unix timestamp, matches any record)
Example: 1704067200
passive_dns.time_last · number
Passive DNS last seen timestamp (Unix timestamp, matches any record)
Example: 1735689600
passive_dns.count · number
Passive DNS observation count (matches any record)
Example: 1, 25, 1000
Port Scan
ports.port · number
Open port observed during network scan (matches any finding)
Example: 80, 443, 993
ports.address · string
IP address associated with an open port finding (matches any finding)
Example: "162.0.232.126", "44.232.173.249"
ports.finding_count · number
Number of open port findings observed during scan
Example: 2, 4, 7
ports.unique_port_count · number
Number of distinct open ports observed during scan
Example: 2, 4, 7
ports.unique_address_count · number
Number of distinct IP addresses with open port findings
Example: 1, 2, 3
Field Availability
Always Available
- permutation
- levenshtein_distance
Conditional Availability
- DNS fields (dns_*): Available when domain resolves
- Web fields (http_banner, technologies): Available when web services respond
- Web enrichment fields (favicon.*, sitemap.*, business_intel.*): Available when crawl and favicon enrichment succeed
- Certificate fields (origin_x509.*): Available when HTTPS is configured
- Redirect fields (redirect_chain.*): Available when redirects are captured
- Certificate Transparency fields (certificate_transparency.*): Available when domain appears in CT logs
- Passive DNS fields (passive_dns.*): Available when passive DNS enrichment is present
- Registration fields (whois, registration_metadata.*): Available when registration data is accessible
- Geolocation fields (geolocation.*): Available when IP resolution succeeds
- Port fields (ports.*): Available when port scan enrichment is enabled and completes
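
Conditional availability means a condition on an absent signal can look identical to a condition that simply did not match, for example a certificate-lifetime check against a domain that only serves plain HTTP. The sketch below is an added illustration, not this product's rule engine or rule syntax: it resolves dotted signal names against a constructed lookup result, applies the "matches any" behaviour to multi-valued signals, and reports which signals had no data. The record layout, the operator names and the functions `resolve` and `evaluate` are assumptions.

```python
import operator

# Constructed sample lookup result; the nested-dict layout is an assumption.
# The domain answers over plain HTTP only, so origin_x509.* is absent.
SAMPLE = {
    "permutation": "facebook-login.com",
    "kind": "combosquatting",
    "levenshtein_distance": 6,
    "dns_a": ["203.0.113.10"],
    "classification": {"phishing": 0.85},
    "redirect_chain": [
        {"url": "http://facebook-login.com/", "kind": "InitialRequest"},
        {"url": "http://facebook-login.com/login", "kind": "Javascript"},
    ],
}

# Hypothetical operator names, not the product's rule syntax.
OPS = {"eq": operator.eq, "gt": operator.gt, "lt": operator.lt}

def resolve(record, path):
    """Return every value a dotted signal path yields; [] if unavailable."""
    nodes = [record]
    for key in path.split("."):
        step = []
        for node in nodes:
            value = node.get(key) if isinstance(node, dict) else None
            if isinstance(value, list):   # multi-valued signal: fan out
                step.extend(value)
            elif value is not None:
                step.append(value)
        nodes = step
    return nodes

def evaluate(record, conditions):
    """AND the conditions; also report which signals had no data at all."""
    unavailable = [sig for sig, _, _ in conditions if not resolve(record, sig)]
    matched = all(
        any(OPS[op](value, arg) for value in resolve(record, sig))
        for sig, op, arg in conditions
    )
    return matched, unavailable

if __name__ == "__main__":
    phish = [("kind", "eq", "combosquatting"),
             ("classification.phishing", "gt", 0.8),
             ("redirect_chain.kind", "eq", "Javascript")]
    short_cert = [("origin_x509.ttl_days", "lt", 91)]
    print(evaluate(SAMPLE, phish))
    print(evaluate(SAMPLE, short_cert))
```

Surfacing the unavailable list alongside the match result lets an analyst tell "evaluated and did not match" apart from "could not be evaluated".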