Table: urlscan_ip - Query Urlscan IP Addresses using SQL

Urlscan is a free and open API and web interface for scanning and analyzing web sites. It checks for issues with security, privacy, and compliance, and provides detailed information about the website's connections and the resources loaded. An IP Address in Urlscan represents a unique numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication.

Table Usage Guide

The urlscan_ip table provides insights into IP addresses associated with a scan in Urlscan. As a security analyst, explore details about these IP addresses through this table, including their geographical location, associated domain, and ASN details. Utilize it to uncover information about the IP addresses a website connects to, helping to identify potential security risks or malicious activity.

Important Notes

You must specify the scan in the where clause to query this table.

Examples

List IP addresses

Explore the IP addresses associated with a particular scan to understand its reach and impact. This can be used to determine potential security threats or anomalies in the network traffic.

select
  *
from
  urlscan_ip
where
  scan = '54c78f69-5294-4a17-8ae0-a71943954e09'
order by
  count desc;

select
  *
from
  urlscan_ip
where
  scan = '54c78f69-5294-4a17-8ae0-a71943954e09'
order by
  count desc;

IPs by country

Explore which IP addresses are associated with specific countries to enhance your understanding of your network's geographical distribution. This could be crucial for detecting unusual activity or potential security threats.

select
  countries ->> 0 as country,
  ip
from
  urlscan_ip
where
  scan = '54c78f69-5294-4a17-8ae0-a71943954e09'
order by
  country,
  ip;

select
  json_extract(countries, '$[0]') as country,
  ip
from
  urlscan_ip
where
  scan = '54c78f69-5294-4a17-8ae0-a71943954e09'
order by
  country,
  ip;

IPs with Geolocation

Explore the geographical locations associated with specific IP addresses. This is useful for identifying patterns or anomalies in network traffic, potentially highlighting security threats or operational issues.

select
  geolocation ->> 'country_name' as country,
  geolocation ->> 'region' as region,
  geolocation ->> 'city' as city,
  ip
from
  urlscan_ip
where
  scan = '54c78f69-5294-4a17-8ae0-a71943954e09'
order by
  country,
  region,
  city,
  ip;

select
  json_extract(geolocation, '$.country_name') as country,
  json_extract(geolocation, '$.region') as region,
  json_extract(geolocation, '$.city') as city,
  ip
from
  urlscan_ip
where
  scan = '54c78f69-5294-4a17-8ae0-a71943954e09'
order by
  country,
  region,
  city,
  ip;

Schema for urlscan_ip

Name	Type	Operators	Description
_ctx	jsonb		Steampipe context in JSON form.
asn	jsonb		ASN data for this IP.
count	bigint		Number of requests to the IP.
countries	jsonb		Countries where the IP resides.
dns	jsonb		DNS data for this IP.
domains	jsonb		List of domains used with this IP.
encoded_size	bigint		Total encoded size of all requests sent to this IP.
geolocation	jsonb		Geolocation data for this IP.
ip	inet		The IP address.
ipv6	boolean		True if this is an IPv6 address.
redirects	bigint		Number of redirect responses received from this IP.
reverse_dns	text		Reverse DNS lookup for the IP.
scan	text	=	ID of the scan result.
size	bigint		Total size of all requests sent to this IP.
sp_connection_name	text	=, !=, ~~, ~~, !~~, !~~	Steampipe connection name.
sp_ctx	jsonb		Steampipe context in JSON form.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- urlscan

You can pass the configuration to the command with the --config argument:

steampipe_export_urlscan --config '<your_config>' urlscan_ip