Table: urlscan_ip - Query Urlscan IP Addresses using SQL
Urlscan is a free and open API and web interface for scanning and analyzing web sites. It checks for issues with security, privacy, and compliance, and provides detailed information about the website's connections and the resources loaded. An IP Address in Urlscan represents a unique numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication.
Table Usage Guide
The urlscan_ip table provides insights into IP addresses associated with a scan in Urlscan. As a security analyst, explore details about these IP addresses through this table, including their geographical location, associated domain, and ASN details. Utilize it to uncover information about the IP addresses a website connects to, helping to identify potential security risks or malicious activity.
Important Notes
- You must specify the
scanin thewhereclause to query this table.
Examples
List IP addresses
Explore the IP addresses associated with a particular scan to understand its reach and impact. This can be used to determine potential security threats or anomalies in the network traffic.
select *from urlscan_ipwhere scan = '54c78f69-5294-4a17-8ae0-a71943954e09'order by count desc;select *from urlscan_ipwhere scan = '54c78f69-5294-4a17-8ae0-a71943954e09'order by count desc;IPs by country
Explore which IP addresses are associated with specific countries to enhance your understanding of your network's geographical distribution. This could be crucial for detecting unusual activity or potential security threats.
select countries ->> 0 as country, ipfrom urlscan_ipwhere scan = '54c78f69-5294-4a17-8ae0-a71943954e09'order by country, ip;select json_extract(countries, '$[0]') as country, ipfrom urlscan_ipwhere scan = '54c78f69-5294-4a17-8ae0-a71943954e09'order by country, ip;IPs with Geolocation
Explore the geographical locations associated with specific IP addresses. This is useful for identifying patterns or anomalies in network traffic, potentially highlighting security threats or operational issues.
select geolocation ->> 'country_name' as country, geolocation ->> 'region' as region, geolocation ->> 'city' as city, ipfrom urlscan_ipwhere scan = '54c78f69-5294-4a17-8ae0-a71943954e09'order by country, region, city, ip;select json_extract(geolocation, '$.country_name') as country, json_extract(geolocation, '$.region') as region, json_extract(geolocation, '$.city') as city, ipfrom urlscan_ipwhere scan = '54c78f69-5294-4a17-8ae0-a71943954e09'order by country, region, city, ip;Schema for urlscan_ip
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. | |
| asn | jsonb | ASN data for this IP. | |
| count | bigint | Number of requests to the IP. | |
| countries | jsonb | Countries where the IP resides. | |
| dns | jsonb | DNS data for this IP. | |
| domains | jsonb | List of domains used with this IP. | |
| encoded_size | bigint | Total encoded size of all requests sent to this IP. | |
| geolocation | jsonb | Geolocation data for this IP. | |
| ip | inet | The IP address. | |
| ipv6 | boolean | True if this is an IPv6 address. | |
| redirects | bigint | Number of redirect responses received from this IP. | |
| reverse_dns | text | Reverse DNS lookup for the IP. | |
| scan | text | = | ID of the scan result. |
| size | bigint | Total size of all requests sent to this IP. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- urlscanYou can pass the configuration to the command with the --config argument:
steampipe_export_urlscan --config '<your_config>' urlscan_ip