--- title: "Access Enrichment Queries" slug: "access-enrichment-queries" updated: 2025-12-31T16:56:28Z published: 2025-12-31T16:56:28Z canonical: "help.silentpush.com/access-enrichment-queries" --- > ## Documentation Index > Fetch the complete documentation index at: https://help.silentpush.com/llms.txt > Use this file to discover all available pages before exploring further. # Access Enrichment Queries Enrichment Queries provide a streamlined way to access and analyze enriched data for domains, IPv4 addresses, and IPv6 addresses. ## Access Queries 1. From the left navigation menu, select **Advanced Query Builder > Enrichment Queries**and select the appropriate option: 1. Domain for domain-specific data. 2. **IPv4** for IPv4 address data. 3. **IPv6** for IPv6 address data. ## Enrichment Data Types | Domain enrichment includes | IPv4 / IPv6 enrichment includes | | --- | --- | | - DGA Probability | - ASN data (number, name, allocation date, reputation, takedown reputation) | | - Tranca rank | - Subnet information & reputation | | - Dynamic domain indicator | - IP Density & PTR records | | - URL shortener indicator | - Listing history & scores (curated feeds) | | - Basic domain info (First Seen, Last Seen, Age, registrar, etc.) | - Nameserver reputation & historical changes | | - Warning flags (open directories, expired certificates, open S3 buckets, etc.) | - IP & ASN diversity scores | | - IP & ASN diversity scores | - Silent Push risk score | | - Listing scores (curated feed history) | - Known benign / sinkhole / Tor exit / dynamic IP flags | | - Nameserver reputation data | - Expired certificates, open directories | | - Nameserver Changes & entropy | - Geographic location | | - Silent Push risk score | - Scan Data (JARM, Favicon hashes, certificates, HTTP headers, HTML title/body hashes) | ## Instructions 1. Select **Domain**, **IPv4**, or **IPv6** 2. Enter the indicator 3. (Optional) Add any of these checkboxes: - `explain=1` shows the breakdown/explanation behind every score - `scan_data=1` includes live scan data (certificates, JARM, favicon, HTML, headers) - `with_metadata=1` adds extra metadata fields 4. Click **Search** ## Save Query 1. Specify query parameters. 2. Click **Save Query**. 3. Provide a **Name** and **Description** for context. 4. Click **Save** to store the query in the Private Queries menu. ## Sample Output (IPv4 example) ```plaintext {  "status_code": 200,  "error": null,  "response": {    "ip2asn": [      {        "asn": 13335,        "asname": "CLOUDFLARENET, US",        "ip": "104.26.10.149",        "ip_location": {          "country_name": "United States"        },        "sp_risk_score": 8,        "subnet": "104.26.0.0/20"      }    ]  } } ``` ## Sample Output (full detailed subfields) ```plaintext {  "status_code": 200,  "error": null,  "response": {    "ip2asn": [      {        "asn": 13335,        "asn_allocation_age": 4655,        "asn_allocation_date": 20100714,        "asn_rank": 0,        "asn_rank_score": 0,        "asn_reputation": 0,        "asn_reputation_explain": {},        "asn_reputation_score": 0,        "asn_takedown_reputation": 8,        "asn_takedown_reputation_explain": {          "ips_active": 302751,          "ips_in_asn": 2464000,          "ips_num_listed": 3,          "items_num_listed": 3,          "lifetime_avg": 4,          "lifetime_max": 4,          "lifetime_total": 12        },        "asn_takedown_reputation_score": 8,        "asname": "CLOUDFLARENET, US",        "benign_info": {          "actor": "",          "known_benign": false,          "tags": []        },        "date": 20230412,        "density": 529,        "ip": "104.26.10.149",        "ip_has_expired_certificate": false,        "ip_has_open_directory": false,        "ip_is_dsl_dynamic": false,        "ip_is_dsl_dynamic_score": 0,        "ip_is_ipfs_node": false,        "ip_is_tor_exit_node": false,        "ip_location": {          "continent_code": "NA",          "continent_name": "North America",          "country_code": "US",          "country_is_in_european_union": false,          "country_name": "United States"        },        "ip_ptr": "",        "ip_reputation": 0,        "ip_reputation_explain": {},        "ip_reputation_score": 0,        "listing_score": 0,        "listing_score_explain": {},        "listing_score_feeds_explain": [],        "malscore": 8,        "sinkhole_info": {          "known_sinkhole_ip": false,          "tags": []        },        "sp_risk_score": 8,        "sp_risk_score_explain": {          "sp_risk_score_decider": "asn_takedown_reputation"        },        "subnet": "104.26.0.0/20",        "subnet_allocation_age": "UNKNOWN",        "subnet_allocation_date": "UNKNOWN",        "subnet_reputation": 0,        "subnet_reputation_explain": {},        "subnet_reputation_score": 0      }    ]  } } ``` The human-readable name (e.g., example.com) associated with an indicator of compromise (IoC) or network resource, used to identify and access websites or services in threat intelligence analysis. A metric indicating the likelihood that a domain is generated by a Domain Generation Algorithm (DGA), used to identify potential malware-related domains in enrichment queries. Autonomous System Number, a unique numeric identifier assigned to an Autonomous System (AS) for managing IP address routing within and between networks on the internet The network segment associated with an IP address, used to contextualize and analyze related infrastructure. The number of unique IP addresses a domain has resolved to over the past 30 days, used to detect dynamic or suspicious domain behavior. The date when a domain was first observed in DNS zone files, providing insight into its age and potential trustworthiness in threat intelligence analysis. The most recent date a domain appeared in zone files, indicating its ongoing presence or activity in DNS records. A query type that tracks modifications to a domain’s nameservers, detecting potential malicious domain hopping or infrastructure shifts through historical and live data analysis. Host scanning data retrieved through enrichment queries, including details like certificates, open directories, or favicons, used to validate and analyze potential threats. A small icon or image associated with a website, typically displayed in browser tabs or bookmarks, used in threat intelligence to identify potential spoofing or phishing by analyzing its unique characteristics or hash. A collection of user-saved DNS queries, stored for repeated use or personalized threat intelligence analysis.