Signals Reference

This reference documents all available signals that can be used in rule conditions. Each signal represents data collected during domain analysis and can be used to detect suspicious patterns.

Note

These are the exact field names and types available in the rule builder interface. For rule creation guidance and examples, see the Rules Engine Guide.

Core Domain Information

permutation · string
Domain permutation
Example: "shopfacebook.com", "facebook-login.com"

kind · string
Permutation kind
Example: "typosquatting", "combosquatting"

levenshtein_distance · number
Edit distance from original domain
Example: 4, 6, 8

tags · array<string>
Tags associated with the lookup result
Example: ["high-priority", "investigate"]

note · string
User-provided note
Example: "Investigated on 2026-01-06"

DNS Resolution Data

dns_a · array<inet>
DNS A records (IPv4)
Example: ["31.13.66.4"]

dns_aaaa · array<inet>
DNS AAAA records (IPv6)
Example: ["2a03:2880:f003:c07:face:b00c:0:2"]

dns_mx · array<string>
DNS MX records
Example: ["smtpin.vvv.facebook.com."]

dns_ns · array<string>
DNS NS records
Example: ["a.ns.facebook.com.", "b.ns.facebook.com."]

dns_cname · array<string>
DNS CNAME records
Example: ["target.domain.com."]

dns_txt · array<string>
DNS TXT records
Example: ["v=spf1 -all", "google-site-verification=..."]

Server and Infrastructure

smtp · string
SMTP banner
Example: "220 mx.example.com ESMTP ready"

http_banner · string
HTTP server banner
Example: "nginx/1.18.0", "cloudflare"

Geolocation and Network

geolocation.asn.number · number
ASN number
Example: 32934, 13335, 16509

geolocation.asn.name · string
ASN name
Example: "FACEBOOK", "CLOUDFLARENET"

geolocation.country · string
Country code
Example: "US", "CA", "GB"

geolocation.city · string
City name
Example: "Menlo Park", "Amsterdam"

Classification Scores

classification.phishing · number
Phishing classification score (0-1)
Example: 0.01, 0.85, 0.95

classification.malware · number
Malware classification score (0-1)
Example: 0.01, 0.85, 0.95

classification.impersonation · number
Impersonation classification score (0-1)
Example: 0.01, 0.85, 0.95

Domain Registration

whois · string
WHOIS lookup data
Example: Raw WHOIS response text

Registration Metadata Fields

registration_metadata.registrar · string
Domain registrar name
Example: "RegistrarSafe, LLC", "GoDaddy.com, LLC"

registration_metadata.registration_date · date
Domain registration date
Example: "1997-03-29T05:00:00Z" (RFC3339)

registration_metadata.expiration_date · date
Domain expiration date
Example: "2034-03-30T04:00:00Z" (RFC3339)

Technologies and Content

technologies · array<string>
Technologies detected on the domain
Example: ["HSTS", "HTTP/3"], ["Cloudflare", "HTTP/3"]

TLS Certificate Data

origin_x509.subject · string
Certificate subject
Example: "CN=*.example.com, O=Example Corp, C=US"

origin_x509.issuer · string
Certificate issuer
Example: "CN=Example Issuing CA, O=Example CA, C=US"

origin_x509.serial_number · string
Certificate serial number
Example: "04:3A:..."

origin_x509.not_before · date
Certificate valid from (RFC3339)
Example: "2025-01-01T00:00:00Z"

origin_x509.not_after · date
Certificate valid until (RFC3339)
Example: "2026-01-01T00:00:00Z"

Field Availability

Note

Not all fields are populated for every domain. Field availability depends on:

• DNS Resolution: Whether the domain resolves successfully
• Web Response: Whether HTTP/HTTPS services are available
• Registration Data: Whether WHOIS/registration metadata is accessible
• Analysis Depth: The level of analysis performed

Always Available

• permutation
• levenshtein_distance

Conditional Availability

• DNS fields (dns_*): Available when domain resolves

• Web fields (http_banner, technologies): Available when web services respond

• Certificate fields (origin_x509.*): Available when HTTPS is configured

• Registration fields (whois, registration_metadata.*): Available when registration data is accessible

• Geolocation fields (geolocation.*): Available when IP resolution succeeds