honeylabs-mcp
Official
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| HONEYLABS_API_KEY | Yes | API key for HoneyLabs MCP server. Get one at https://honeylabs.net/dashboard | |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | { "listChanged": true } |
| logging | {} |
| prompts | { "listChanged": false } |
| resources | { "subscribe": false, "listChanged": false } |
| extensions | { "io.modelcontextprotocol/ui": {} } |
| experimental | {} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| search_events_toolA | Return individual raw honeypot events with all fields. Use when the user wants to see actual records: 'show me events from this IP', 'what hit port 443 last week', 'events from Russia yesterday'. Filters: source_ip, country (2-letter code), asn (e.g. 'AS12345'), dest_port, protocol ('tls' or ''), http_method. since/until are ISO-8601 UTC strings. Each record includes: source_ip, country, asn, dest_port, user_agent, url_path, tls_client_ja4, http_request_ja4h, ssh_client_hassh, network_protocol, timestamp. |
| top_attackers_toolA | Ranked leaderboard of attack sources. Use for: 'who is attacking the most?', 'top attacking countries', 'most targeted ports', 'most common user agents', 'top ASNs by attack volume', 'top IPs from China', 'top attackers hitting port 22'. 'by' controls grouping: ip, asn, country, port, user_agent, ja4, url_path. Optional filters: country (2-letter ISO, e.g. 'CN'), dest_port, asn (e.g. 'AS12345'). Adding a filter is required for large time ranges to stay within memory limits. since/until are ISO-8601 UTC strings. |
| ioc_lookup_toolA | Look up any IP address or domain in the honeypot dataset. Use this FIRST whenever the user asks: 'is this IP malicious?', 'is this a known scanner?', 'have you seen this IP?', 'what does this IP do?', 'when was it last seen?', 'is this IP in your data?'. Returns: total_events (0 = never observed), first_seen, last_seen, country, ASN, all ports targeted, top user agents, top URL paths, TLS/HTTP/SSH fingerprints. Covers both IPv4 and domains. |
| payload_search_toolA | Full-text search across HTTP URL paths and user agents in attack traffic. Use for: 'find attacks targeting /wp-admin', 'show exploit attempts for CVE-2024-XXXX', 'find requests with this user agent string', 'what payloads hit port 80 last week'. Pro/Team plan only. since/until are ISO-8601 UTC strings. |
| attack_timeline_toolA | Attack volume over time, bucketed by hour or day. Use for: 'show attack trends this week', 'was there a spike on port 22?', 'how has SSH scanning changed?', 'attack volume from China over 30 days'. bucket: 'hour' or 'day'. Optional filters: filter_protocol ('tls' or ''), filter_country (2-letter code), filter_dest_port. since/until are ISO-8601 UTC strings. |
| asn_enrich_toolA | Full honeypot profile for an ASN (autonomous system / hosting provider). Use for: 'tell me about AS202425', 'what is Vultr doing in my honeypots?', 'attacks from this hosting provider', 'attribute this IP to its network'. asn format: 'AS12345'. Returns: total events, unique IPs, top targeted ports, top source countries, top user agents, org name. since/until are ISO-8601 UTC strings. |
| fingerprint_search_toolA | Search honeypot activity by TLS, HTTP, or SSH fingerprint. Use when a user asks: 'have you seen this JA4 fingerprint?', 'which IPs share this TLS fingerprint?', 'how common is this HASSH?', 'find all scanners with this SSH client fingerprint'. fp_type: 'ja4' (TLS client, 3.7M events), 'ja4h' (HTTP client, 3.2M events), 'hassh' (SSH client, 26K events). since/until are ISO-8601 UTC strings. |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
| No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
| No resources | |
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/honeylabshq/honeylabs-mcp'