Validin Query Language

Use the Validin Query Language (VQL) in Advanced Search to discover infrastructure using complex queries.

Query Structure

All queries use a group prefix to specify the data source, followed by one or more criteria enclosed in parentheses:

services: (key="value")

Multiple criteria within a group can be combined with AND:

services: (http.title="Validin" AND ip="1.1.1.1")

Queries can also join multiple data sources, each with their own group:

services: (http.title="Login") AND registration: (registrar="NameCheap, Inc.") AND dns: (a="1.2.3.4")

Rules

  • Group prefix required. All queries must begin with a group prefix (services:, registration:, or dns:) followed by parentheses containing your criteria.
  • One group per source. You may include at most one group per data source — at most one services: group, one registration: group, and one dns: group per query.
  • All criteria must be inside a group. Bare predicates outside of a group are not supported. For example, services.http.title="Validin" AND services.ip="1.1.1.1" is not valid — you must write services: (http.title="Validin" AND ip="1.1.1.1").
  • At least one primary key required per group. Every group must include at least one criterion using a primary key. Secondary keys can only be used to further narrow results alongside a primary key.
  • Only AND is supported. Criteria within a group, and groups with one another, are combined conjunctively.
  • Exact match (=) is supported for all fields. Integer fields (port, length) additionally support !=, >, >=, <, and <=. Date fields additionally support relative modifiers — see Date Modifiers below.

Operators

| Operator | Description | Applies to |
| --- | --- | --- |
| = | Exact match | All field types |
| != | Does not equal | Integer fields only |
| > | Strictly greater than | Integer fields only |
| >= | Greater than or equal | Integer fields only |
| < | Strictly less than | Integer fields only |
| <= | Less than or equal | Integer fields only |

Date Modifiers

Date fields support relative modifiers that express a range around a given date value:

| Modifier | Description |
| --- | --- |
| ~ | Within N units of the date |
| + | N units after the date |
| - | N units before the date |

| Unit | Meaning |
| --- | --- |
| s | Seconds |
| m | Minutes |
| h | Hours |
| d | Days |

Examples:

Find certificates expiring within 30 days of a specific date:

services: (cert.not_after="2025-05-01T17:30:25Z~30d" AND cert.issuer="/C=US/O=Let's Encrypt/CN=R3")

Find domains registered up to one day after a known date:

registration: (registered="2026-01-01T13:02:13Z+1d" AND registrar="GoDaddy, Inc.")

Find services whose certificate became valid in the hour before a given time:

services: (cert.not_before="2025-05-01T17:30:25Z-1h" AND cert.domain="example.com")
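
To check which time range a modifier covers before running a query, the following added example (not Validin code) expands a date value into a start and end time. It assumes that ~ is symmetric around the date and that + and - extend only forward or backward from it, as the table above describes; the function name date_window is hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Unit letters from the table above, mapped to timedelta keyword names.
UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
VALUE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)"
    r"(?:(?P<mod>[~+-])(?P<n>\d+)(?P<unit>[smhd]))?$"
)

def date_window(value):
    """Return (start, end) as UTC datetimes for a VQL date value.

    Assumed reading of the modifiers (not confirmed by the vendor):
      ~N  -> [date - N, date + N]
      +N  -> [date, date + N]
      -N  -> [date - N, date]
    """
    m = VALUE_RE.match(value)
    if not m:
        raise ValueError(f"not a date value with optional modifier: {value!r}")
    anchor = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    if m["mod"] is None:          # plain exact-match date, no range
        return anchor, anchor
    span = timedelta(**{UNITS[m["unit"]]: int(m["n"])})
    start = anchor - span if m["mod"] in "~-" else anchor
    end = anchor + span if m["mod"] in "~+" else anchor
    return start, end

if __name__ == "__main__":
    # The three date values used in the examples above.
    for v in ("2025-05-01T17:30:25Z~30d",
              "2026-01-01T13:02:13Z+1d",
              "2025-05-01T17:30:25Z-1h"):
        s, e = date_window(v)
        print(f"{v:28} {s.isoformat()} .. {e.isoformat()}")
```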

Global Filters

Global filters are appended to the end of a query using WITH and apply across all groups:

services: (http.title="Example") WITH lookback=30 AND tld="com"

| Filter | Description | Type |
| --- | --- | --- |
| lookback | Only search the past N days | Integer |
| tld | Limit results to domains with the given TLD | String |
| after | Start of observation window (ISO-8601) | Date |
| before | End of observation window (ISO-8601) | Date |

Warning: lookback and after/before are mutually exclusive. Use one or the other to filter by time.


Examples

Search for hosts serving a specific page title:

services: (http.title="Example Domain")

Search for a specific IP hosting a specific title on port 8080:

services: (ip="203.0.113.50" AND http.title="Admin Panel" AND port=8080)

Search for hosts with a specific certificate issuer and JARM fingerprint:

services: (cert.issuer="/C=US/O=Let's Encrypt/CN=R3" AND jarm="29d29d15d29d29d00042d43d00041d598ac0c1012db967bb1ad0ff2491b3ae")

Search for services running on high ports:

services: (http.title="Admin Panel" AND port>8000)

Search for certificates expiring within 30 days of a given date:

services: (cert.not_after="2025-05-01T17:30:25Z~30d" AND cert.issuer="/C=US/O=Let's Encrypt/CN=R3")

Find domains registered with a specific registrar and confirm they are actively resolving:

registration: (registrar="NameCheap, Inc.") AND dns: (a="203.0.113.50")

Find domains using a specific nameserver that are also serving a known page title, searching only the past 30 days:

services: (http.title="Login Portal") AND registration: (ns="ns1.example.com") WITH lookback=30

Cross-source investigation — services, registration, and DNS together:

services: (http.title="Phishing Page") AND registration: (registrar="GoDaddy") AND dns: (ns="ns1.example.com") WITH lookback=14
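
Saved hunting queries can be checked against the Rules and Global Filters sections before they are submitted. The linter below is an added example, not Validin's parser: it is built only from the rules on this page, treats port and http.length as the integer (and only secondary) keys, does not check that other key names exist, and the names lint_vql and split_kw are hypothetical.

```python
import re

# Rules and key tables transcribed from this page; not Validin's own parser.
SOURCES = {"services", "registration", "dns"}
INTEGER_KEYS = {"port", "http.length"}   # also the only keys with Primary = No
FILTERS = {"lookback", "tld", "after", "before"}
GROUP_RE = re.compile(r'(\w+):\s*\(((?:"[^"]*"|[^()"])*)\)')
CRIT_RE = re.compile(r'^([\w.]+)\s*(!=|>=|<=|=|>|<)\s*("[^"]*"|\d+)$')

def split_kw(text, kw, maxsplit=0):
    """Split on keyword kw only where it falls outside double quotes."""
    pat = rf'\s+{kw}\s+(?=(?:[^"]*"[^"]*")*[^"]*$)'
    return [p.strip() for p in re.split(pat, text.strip(), maxsplit=maxsplit)]

def lint_vql(query):
    """Return a list of rule violations; an empty list means the query passes."""
    errors = []
    body, *rest = split_kw(query, "WITH", 1)
    groups = GROUP_RE.findall(body)
    leftover = re.sub(r"\bAND\b", "", GROUP_RE.sub("", body)).strip()
    if not groups or leftover:
        errors.append("criteria must be inside source groups joined by AND")
    seen = set()
    for source, inner in groups:
        if source not in SOURCES:
            errors.append(f"unknown group prefix {source}:")
        if source in seen:
            errors.append(f"more than one {source}: group")
        seen.add(source)
        has_primary = False
        for crit in split_kw(inner, "AND"):
            m = CRIT_RE.match(crit)
            if not m:   # OR, a missing operator, or a value not written as on this page
                errors.append(f"unsupported criterion in {source}: {crit}")
                continue
            key, op, _ = m.groups()
            if op != "=" and key not in INTEGER_KEYS:
                errors.append(f"{op} is only valid on integer fields, not {key}")
            has_primary |= key not in INTEGER_KEYS
        if not has_primary:
            errors.append(f"{source}: group needs at least one primary key")
    names = {f.split("=", 1)[0].strip() for f in split_kw(rest[0], "AND")} if rest else set()
    if names - FILTERS:
        errors.append(f"unknown global filter: {sorted(names - FILTERS)}")
    if "lookback" in names and names & {"after", "before"}:
        errors.append("lookback cannot be combined with after/before")
    return errors
```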

Supported Keys

services: Keys

| Key | Description | Value Type | Primary |
| --- | --- | --- | --- |
| services.ip | IP address | IPv4 address | Yes |
| services.host | Domain or virtual host in the request | Domain | Yes |
| services.jarm | JARM fingerprint | Hash | Yes |
| services.port | The port on which the response was observed | Integer | No |
| HTTP Features | | | |
| services.http.title | Value of the <title> tag | String | Yes |
| services.http.body_hash | HTTP response body hash (SHA-1) | Hash | Yes |
| services.http.favicon_hash | MD5 hash of the favicon | Hash | Yes |
| services.http.gtag | Google Tag Manager ID found on the page | String | Yes |
| services.http.meta | Canonicalized <meta> tag | String | Yes |
| services.http.path | The HTTP path that was requested from the server | String | Yes |
| services.http.class_0_hash | CSS class hash (v0) | Hash | Yes |
| services.http.class_1_hash | CSS class hash (v1) | Hash | Yes |
| services.http.length | HTTP response length in bytes | Integer | No |
| services.http.ext_links.meta | Domain found in HTML <meta> tag | Domain | Yes |
| services.http.ext_links.links | Domain found in HTML <link> tag | Domain | Yes |
| services.http.ext_links.js | Domain found in HTML <script> tag | Domain | Yes |
| services.http.ext_links.anchor | Domain found in HTML <a> tag | Domain | Yes |
| services.http.ext_links.iframe | Domain found in HTML <iframe> tag | Domain | Yes |
| Banner | | | |
| services.banner.start_line | First line of the HTTP banner (e.g. "HTTP/1.1 200 OK") | String | Yes |
| services.banner.server | The "Server" header value | String | Yes |
| services.banner.etag | Value of the "ETag" header | String | Yes |
| services.banner.last_modified | Value of the "Last-Modified" header, when significantly different than request time | String | Yes |
| services.banner.http_date | Value of the "Date" header, when significantly different than request time | String | Yes |
| services.banner.location.raw | The verbatim "Location" header value | String | Yes |
| services.banner.location.domain | The domain in the "Location" header value, if present | Domain | Yes |
| services.banner.location.ip | IP address in the "Location" header value, if present | IPv4 address | Yes |
| services.banner.header_hash | HTTP header key hash | Hash | Yes |
| services.banner.banner_0_hash | Banner hash (v0) | Hash | Yes |
| Certificate | | | |
| services.cert.domain | Domain name found anywhere in the certificate, including the common name and extensions | Domain | Yes |
| services.cert.issuer | Certificate issuer distinguished name string | String | Yes |
| services.cert.common_name | Certificate Common Name | String | Yes |
| services.cert.country | Certificate Country | String | Yes |
| services.cert.state | Certificate Region (State) | String | Yes |
| services.cert.locale | Certificate Locale (City) | String | Yes |
| services.cert.organization_name | Certificate Organization Name | String | Yes |
| services.cert.organization_unit_name | Certificate Organization Unit Name | String | Yes |
| services.cert.not_before | ISO-8601 timestamp of the certificate "Not Before" value | Date | Yes |
| services.cert.not_after | ISO-8601 timestamp of the certificate "Not After" value | Date | Yes |
| services.cert.fingerprint.sha1 | Certificate fingerprint (SHA-1) | Hash | Yes |
| services.cert.fingerprint.sha256 | Certificate fingerprint (SHA-256) | Hash | Yes |
| services.cert.fingerprint.ja4x | Certificate fingerprint (JA4X) | String | Yes |

registration: Keys

| Key | Description | Value Type | Primary |
| --- | --- | --- | --- |
| registration.registrar | The registrar responsible for the domain registration | String | Yes |
| registration.registered | The date the domain was first registered (ISO-8601) | Date | Yes |
| registration.ns | A nameserver delegated to the domain at registration time | Domain | Yes |

dns: Keys

| Key | Description | Value Type | Primary |
| --- | --- | --- | --- |
| dns.a | IP address observed as an A record for this domain | IPv4 address | Yes |
| dns.aaaa | IP address observed as an AAAA record for this domain | IPv6 address | Yes |
| dns.ns | Domain name observed as an NS record for this domain | Domain | Yes |