One row = one identification call (one
RequestID). A person who triggers ten identify calls is ten rows here. The Data tab counts requests, not unique visitors. For unique-visitor counts, see Visitor Insights.Toolbar
The toolbar above the table holds the controls that shape it.| Control | What it does |
|---|---|
| Filters | Opens the filter popover: project, pattern, score range, and date range (see Filters). |
| Pattern IDs | Toggles pattern-ID highlighting. When on, identifier cells that match an abuse pattern are highlighted (see Pattern-ID highlighting). |
| Patterns Count | Toggles a per-row count of how many abuse patterns that record matched. |
| Export | Exports the current result set as JSON or CSV (see Export). |
| Columns | Opens the column toggle to show or hide columns by group. |
Filters
The Filters popover scopes the table. Apply one or several together, then clear them all with Reset filters.| Filter | Behavior |
|---|---|
| Project | A domain select. Default is All Projects (every domain you own). Pick one domain to scope the table to it. |
| Pattern | Default is All patterns. Pick one of the eight abuse patterns to show only records whose identifiers match that pattern. The list is sourced from your live patterns. |
| Score | A From / To range over the Risk Score, 0 to 100, validated. Use it to isolate a band, for example 60 to 100 for the High band. |
| Date range | A calendar range. The table shows records inside this window. |
| Reset filters | Clears project, pattern, score, and date back to defaults. |
Search
Records are searchable by identifier or field. Search is parameterized server-side as asearch_type plus a search_value, so you look up records by a specific identifier rather than full-text scanning the table.
The identifier types you can search by line up with the History API:
| Search type | Looks up records by |
|---|---|
request_id | A single identification call. |
visitor_id | A VisitorID (breaks on cookie clear). |
device_id | A DeviceID (durable across cookie clear and incognito in the same browser). |
user_hid | The customer’s own hashed account id passed in through the snippet. |
ip | A public IP address. |
Columns
Columns are grouped into five categories in the Columns toggle. The default visible set isRequest ID, UserHID, Visitor ID, Device ID, Score, Date, IP Address, Country, VPN, Proxy, and Tor. Turn the rest on as you need them.
Request Data
The identity, timing, score, and environment of the request.| Column | Meaning |
|---|---|
| Request ID | The RequestID for this call. The join key across the snippet response, the webhook, and the History API. |
| Session ID | The SessionID for the visit (a 10-minute window). |
| UserHID | The customer’s own account id, passed in through the snippet (hashed / pseudonymous). |
| Cookie ID | The first-party CookieID. Regenerates if the visitor clears cookies or storage. |
| Visitor ID | The VisitorID. Derived from DeviceID plus CookieID, so it breaks on cookie clear. |
| Device ID | The DeviceID. Derived from dozens of stable browser components, so it survives cookie clear and incognito within the same browser. Browser-bound. |
| Date | The request timestamp, rendered MMM D, YYYY HH:mm in your local time. |
| Score | The Risk Score, 0–100, shown as a band-colored badge (see Score column). |
| IP Address | The public IP the request came from. |
| Country | The country derived from the IP. |
| Browser | The browser. |
| OS | The operating system. |
| Device Type | Desktop, Mobile, Tablet, or Other. |
Request Signals
Each scoring signal as a boolean column. A red Yes badge means the signal fired on that request; a muted No means it did not. These are the same per-request signals that build the Risk Score and ship in the explainableDetails array.
| Column | Fires when |
|---|---|
| Proxy | The IP is flagged as a proxy. |
| Timezone Mismatch | The browser timezone does not match the IP timezone. |
| Datacenter IP | The IP belongs to a datacenter or hosting range. |
| VPN | The connection runs through a VPN (corroborated by the 2-of-3 rule). |
| Privacy Relay | iCloud Private Relay or a similar relay service. |
| Abuser Flag | The IP or device is on an abuse reputation list. |
| Browser VPN/Proxy | An in-browser VPN or proxy extension is detected. |
| STUN not Checked | The real-IP (STUN) check did not complete. |
| OS not Detected | The OS could not be derived from the user agent or network. |
| OS Mismatch | The OS the browser claims does not match the OS the network fingerprint shows. |
| Anti-detect Browser | Anti-detect or fingerprint-spoofing indicators are present. |
| JavaScript Disabled | The WebRTC API is absent (noscript beacon or headless without WebRTC). |
| Tor | The connection exits through the Tor network. |
Connection Type
| Column | Meaning |
|---|---|
| Connection type | The connection class for the request, for example Direct, Mobile, VPN, Proxy, Tor, Privacy Relay, or Unknown. |
Traffic Source
| Column | Meaning |
|---|---|
| Channel | The acquisition channel, one of Google Ads, Meta, TikTok, LinkedIn, X, Organic Search, Referral, Direct, or Other. |
| Referrer Domain | The referring host for the request. |
UTM
The campaign tags captured on the request.| Column | Field |
|---|---|
| UTM Source | utm_source |
| UTM Medium | utm_medium |
| UTM Campaign | utm_campaign |
| UTM Content | utm_content |
| UTM Term | utm_term |
Score column
The Score cell is a colored badge, banded the same way as everywhere else in ShieldLabs:| Band | Range | Badge color |
|---|---|---|
| Clean | 0–9 | green |
| Low | 10–29 | yellow |
| Medium | 30–59 | orange |
| High | 60–100 | red |
Sorting
The table is sortable by Date, Score, and every boolean signal column. Sorting by a signal groups the rows where that signal fired, which is a fast way to pull, say, every request that tripped Anti-detect Browser in the period.Pattern-ID highlighting
Turning on Pattern IDs in the toolbar highlights identifier cells that belong to a flagged entity, so you can spot at a glance which records are part of an abuse pattern. Only the UserHID, Visitor ID, and Device ID cells highlight:- a Dangerous match shows a red background
- a Suspicious match shows an orange background
Abuse patterns are a dashboard feature, computed server-side from historical data. They are not part of the webhook or Management API payload, and they are distinct from the per-request scoring signals in the boolean columns above. Signals score one request right now; patterns link many requests over a time window.
Export
The Export button exports the current result set in either format:| Format | Use it for |
|---|---|
| JSON | Piping records into your own pipeline or warehouse. |
| CSV | Spreadsheets and quick ad-hoc analysis. |
How the Data tab fits the flow
The Data tab is the readable mirror of the data your own backend already receives:The snippet runs
The snippet collects signals and posts them, returning a
RequestID.The server scores asynchronously
ShieldLabs scores the request and delivers a webhook with the Risk Score and signals. You can also read the same record through the History API.
Where to go next
Abuse Patterns
The eight server-side patterns, their grading, and per-identifier breakdowns.
Traffic Sources
Channels, referrers, and UTM parameters ranked by request volume and risk.
Management API
Read the same records programmatically through the History API.
Identifiers
How RequestID, SessionID, CookieID, VisitorID, DeviceID, and UserHID are derived.