Fields
LeakIX syntax is called YQL and is based on the opensource YQL-Elastic library.
Types
| type | description |
|---|---|
| text | Text is fuzzy and case insensitive |
| keyword | Keyword is precise and case sensitive |
| ip | IP is precise and can be a CIDR range |
| dns | DNS will be matched from top domain (eg, leakix.net includes *.leakix.net) |
| integer | Numbers can be used in range queries |
| date | Date can be used in range queries |
Global fields
Global fields are available in both the service and leak scope
| Field | Type | Description | Example |
|---|---|---|---|
| plugin | keyword | Plugin name | GitConfigPlugin |
| event_pipeline | keyword | Steps used for indexing the result | CertStream |
| l9fp | keyword | LeakIX's fingerprint | |
| time | date | Indexing date | 2023-01-01 |
| ip | ip | IP | 8.8.0.0/16 |
| host | dns | Domain/vhost if applicable | leakix.net |
| port | keyword | Port | 8000 |
| transport | keyword | Transports used | tls, http, smb |
| http.url | keyword | URL path | /.git/config |
| http.status | integer | HTTP status code | 401 |
| http.length | integer | HTTP content length | |
| http.header | map | HTTP headers | http.header.server:Apache |
| http.title | text | HTML title | |
| summary | text | Banner or summary | |
| ssl.detected | bool | SSL detected | |
| ssl.jarm | keyword | JARM fingerprint | |
| ssl.cypher_suite | keyword | SSL cypher suite | TLS_AES_128_GCM_SHA256 |
| ssl.version | keyword | SSL version | TLSv1.3 |
| ssl.certificate.cn | dns | SSL Common Name | |
| ssl.certificate.domain | dns | SSL domain list | |
| ssl.certificate.fingerprint | keyword | SSL certificate fingerprint | |
| ssl.certificate.key_algo | keyword | SSL algorithm | RSA |
| ssl.certificate.key_size | integer | SSL key size | 2048 |
| ssl.certificate.issuer_name | text | SSL certificate issuer name | |
| ssl.certificate.not_before | date | SSL certificate start date | 2023-01-01 |
| ssl.certiticate.not_after | date | SSL certificate end date | |
| ssl.certificate.valid | bool | SSL certificate validity | |
| ssh.fingerprint | keyword | SSH fingerprint | |
| ssh.version | int | SSH protocol version | |
| ssh.banner | text | SSH banner | |
| ssh.motd | text | SSH message of the day | |
| service.software.name | keyword | Service software name | Apache |
| service.software.version | keyword | Service software version | |
| service.software.os | keyword | Service software OS | Ubuntu |
| service.software.modules.name | keyword | Service's module name | PHP, OpenSSL |
| service.software.modules.version | keyword | Service's module version | |
| tags | keyword | Tag | ntlm |
| geoip.continent_name | keyword | Continent name | Europe |
| geoip.region_iso_code | keyword | Region ISO code | |
| geoip.city_name | keyword | City name | |
| geoip.country_iso_code | keyword | Country ISO code | FR |
| geoip.country_name | keyword | Country name | France |
| geoip.region_name | keyword | Region name | |
| geoip.location.lat | float | Location latitude | |
| geoip.location.lon | float | Location longitude | |
| network.organization_name | keyword | Network operator name | Hetzner Online GmbH |
| network.asn | int | Network operator AS number | 16276 |
| network.network | keyword | Network range |
Leak specific fields
Leak fields are only available in the leak scope.
| Field | Type | Description | Example |
|---|---|---|---|
| creation_date | date | Leak first detection date | 2023-01-01 |
| update_date | date | Leak last detection date | 2023-01-01 |
| age | integer | Number of days the leak has been open | |
| leak.severity | keyword | Leak severity | critical, high |
| leak.dataset.rows | int | Leak number of rows | |
| leak.dataset.files | int | Leak number of files | |
| leak.dataset.size | int | Leak size in bytes | |
| leak.dataset.collections | int | Leak number of databases | |
| leak.dataset.infected | bool | Service is infected/ransomed | |
| leak.dataset.ransom_notes | text | Ransom notes left public | btc |
| service.credentials.noauth | bool | Service credentials not present | |
| service.credentials.username | keyword | Service username used | |
| service.credentials.password | keyword | Service password used | |
| service.credentials.key | keyword | Service key used | |
| service.credentials.raw | keyword | Service other credential used |