This article provides a comprehensive reference for field names and data sources used in Web Search queries. Field names are searchable data categories in Silent Push Query Language (SPQL), enabling precise searches across Web Search’s data repositories. Understanding these fields and their associated data sources is essential for constructing effective queries and interpreting scan results.
Key data types, represented by these field names, also support advanced analysis for similarity detection, malicious activity identification (e.g., phishing sites, malware), dark web tracking, and URL navigation paths. For example, hash-based fields like SHA-256 or SSDeep allow matching identical or similar content, while SSL and JARM fields fingerprint certificates and TLS configurations.
Overview of data sources
Web Search organizes scanned data into six data sources, each representing a specific type of web data. The table below summarizes each data source and its primary use case:

Data source | Description |
|---|---|
Web Scan | Web data from public IPv4 and IPv6 ranges, including HTML, favicons, and SSL data. |
Dark Web Scan | Data from .onion sites on the Tor network, similar to Web Scan but Tor-specific. |
Web Resource Scan | Resources from web searches, including logs of successful and failed attempts, tracking domains, and IPs. |
Open Directory Scan | Data from open directories, including file and directory metadata. |
Banner Scan | Non-HTTP services (e.g., SSH, DNS), including TLS/SSL certificate data and service banners. |
WHOIS Scan | WHOIS data for domain registration details and ownership information. |
Important: The Datestring data type is formatted as YYYY-MM-DD.
Use field names in queries
Field names are used in SPQL queries to target specific data within a data source. For example:
Query: domain = crypto* AND datasource = torscan
Searches the torscan data source for .onion domains starting with “crypto”.
Query: ssl.expired = true AND datasource = services
Returns all expired SSL certificates in the services data source.
To search across multiple data sources, use square brackets with a comma-separated list:
Query: domain = payments* AND datasource = [webscan, torscan]
Searches for domains starting with “payments” in both webscan and torscan.
Web Scan
Field Name | Description | Type | Primary Source | Supported Operators | Wildcard? | Regex? |
|---|---|---|---|---|---|---|
adtech.ads_txt | Indicates if an | Boolean | web_scan | =, != | FALSE | FALSE |
adtech.ads_txt_sha256 | SHA256 hash of | String | web_scan | =, != | FALSE | FALSE |
adtech.app_ads_txt | True if an | Boolean | web_scan | =, != | FALSE | FALSE |
adtech.app-ads_txt_sha256 | SHA256 hash of the | String | web_scan | =, != | FALSE | FALSE |
adtech.sellers_json | Boolean flag showing if a | Boolean | web_scan | =, != | FALSE | FALSE |
adtech.sellers_json_sha256 | SHA256 hash of the | String | web_scan | =, != | FALSE | FALSE |
body_analysis.adsense | Google AdSense publisher ID detected in page content. | String | web_scan | =, != | FALSE | FALSE |
body_analysis.adserver | Ad server reference (e.g., DoubleClick, AdTech, OpenX) detected in HTML. | String | web_scan | =, != | FALSE | FALSE |
body_analysis.analytics | Analytics tracking code found in page (e.g., Google Analytics, Mixpanel). | String | web_scan | =, != | FALSE | FALSE |
body_analysis.body_sha256 | SHA256 hash of the full HTML body. | String | web_scan | =, != | FALSE | FALSE |
body_analysis.footer_sha256 | SHA256 hash of the full HTML footer. | String | web_scan | =, != | FALSE | FALSE |
body_analysis.google-adstag | Presence of Google Ads tag detected in HTML. | String | web_scan | =, != | FALSE | FALSE |
body_analysis.google-GA4 | Google Analytics 4 tracking ID found. | String | web_scan | =, != | FALSE | FALSE |
body_analysis.google-UA | Legacy Google Analytics Universal Analytics ID found. | String | web_scan | =, != | FALSE | FALSE |
body_analysis.header_sha256 | SHA256 hash of the page header. | String | web_scan | =, != | FALSE | FALSE |
body_analysis.ICP_license | Detected Chinese ICP license registration code within body content. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
body_analysis.js_sha256 | SHA256 hash of embedded or linked JavaScript. | String | web_scan | =, != | TRUE | FALSE |
body_analysis.js_ssdeep | Fuzzy hash (ssdeep) of JavaScript for similarity analysis. | String | web_scan | =, != | TRUE | FALSE |
body_analysis.language | Language detected from HTML tags or meta attributes. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
body_analysis.onion | Presence of | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
body_analysis.SHV | Site hash value derived from visible HTML elements. | String | web_scan | =, != | FALSE | FALSE |
body_analysis.telegram | Presence of Telegram contact or group links. | String | web_scan | =, != | FALSE | FALSE |
datahash | Unique SHA256 hash representing the scan data for deduplication. | String | web_scan | =, != | FALSE | FALSE |
domain | Fully qualified domain name of the scanned host. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
favicon_avg | Average hash value for favicon image similarity. | String | web_scan | =, != | FALSE | FALSE |
favicon_murmur3 | Murmur3 hash of favicon content. | String | web_scan | =, != | FALSE | FALSE |
favicon_md5 | MD5 hash of favicon binary. | String | web_scan | =, != | FALSE | FALSE |
favicon_path | Path or URL location of the primary favicon. | String | web_scan | =, != | FALSE | FALSE |
favicon2_avg | Average hash for secondary favicon. | String | web_scan | =, != | FALSE | FALSE |
favicon2_murmur3 | Murmur3 hash for secondary favicon. | String | web_scan | =, != | FALSE | FALSE |
favicon2_md5 | MD5 hash for secondary favicon. | String | web_scan | =, != | FALSE | FALSE |
favicon2_path | URL path to the secondary favicon. | String | web_scan | =, != | FALSE | FALSE |
favicon_urls | List of favicon URLs found on the site. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
file | Boolean flag indicating whether the response corresponds to a downloadable file. | Boolean | web_scan | =, != | FALSE | FALSE |
file_sha256 | SHA256 hash of the downloaded file content. | String | web_scan | =, != | FALSE | FALSE |
geoip.as_org | ASN organization name associated with the IP address. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
geoip.asn | Autonomous System Number for the IP. | Number | web_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
geoip.city_name | City name derived from IP geolocation. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
geoip.continent_code | Continent code for the IP. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
geoip.country_code2 | Two-letter ISO country code. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
geoip.country_code3 | Three-letter ISO country code. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
geoip.country_name | Country name from geolocation. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
geoip.dma_code | Designated Market Area code for the IP region. | Number | web_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
geoip.latitude | Latitude coordinate for IP. | Number | web_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
geoip.location.lat | Latitude from nested location object. | Number | web_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
geoip.location.lon | Longitude from nested location object. | Number | web_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
geoip.longitude | Longitude coordinate for IP. | Number | web_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
geoip.postal_code | Postal or ZIP code. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
geoip.region_code | Region or state code. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
geoip.region_name | Human-readable region or state name. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
geoip.timezone | Timezone associated with the IP’s location. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
header.cache-control | Value of the Cache-Control HTTP header. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
header.connection | Value of the Connection header. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
header.content-length | Numeric value of the Content-Length header. | Number | web_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
header.content-type | MIME type from the Content-Type header. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
header.etag | Entity tag used for cache validation. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
header.onion-location | Onion service address indicated in header. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
header.proxy-authenticate | Authentication challenge returned by a proxy. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
header.refresh | Value of Refresh header, often indicating redirects. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
header.server | Server identifier string from Server header. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
header.x-havoc | Custom header used internally or by specific web apps. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
header.x-powered-by | Header indicating framework or platform used by server. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
HHV | Hash or signature representing header-level similarity (Header Hash Value). | String | web_scan | =, != | FALSE | FALSE |
hostname | Hostname resolved during the scan. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
html_body_length | Length of HTML body in bytes or characters. | Number | web_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
html_body_murmur3 | Murmur3 hash of the HTML body. | Number | web_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
html_body_sha256 | SHA256 hash of HTML body. | String | web_scan | =, != | FALSE | FALSE |
html_body_similarity | Numerical similarity score comparing HTML body to others. | Number | web_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
html_body_ssdeep | Fuzzy hash (ssdeep) of HTML body. | String | web_scan | =, != | TRUE | FALSE |
htmltitle | Title tag content of the HTML page. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
ip | IP address scanned. | String | web_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
ip.CIDR | IP address represented in CIDR format. | String | web_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
jarm | TLS fingerprint (JARM hash) of the HTTPS service. | String | web_scan | =, != | FALSE | FALSE |
logo_urls | URLs of detected logos or brand images. | String | web_scan | =, != | FALSE | FALSE |
opendirectory | Boolean flag indicating open directory listing was detected. | Boolean | web_scan | =, != | FALSE | FALSE |
opendirectory_ssdeep | Fuzzy hash (ssdeep) for open directory page contents. | String | web_scan | =, != | TRUE | FALSE |
origin_domain | Origin domain from which resources were loaded. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
origin_geoip.as_org | ASN organization name of origin server. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
origin_geoip.asn | Autonomous System Number of origin server. | Number | web_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
origin_geoip.city_name | City of origin server. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
origin_geoip.continent_code | Continent code of origin server. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
origin_geoip.country_code2 | ISO two-letter country code of origin. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
origin_geoip.country_code3 | ISO three-letter country code of origin. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
origin_geoip.country_name | Country name of origin. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
origin_geoip.dma_code | DMA code for origin server. | Number | web_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
origin_geoip.latitude | Latitude coordinate of origin server. | Number | web_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
origin_geoip.location.lat | Nested latitude value of origin. | Number | web_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
origin_geoip.location.lon | Nested longitude value of origin. | Number | web_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
origin_geoip.longitude | Longitude coordinate of origin. | Number | web_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
origin_geoip.postal_code | Postal or ZIP code for origin IP. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
origin_geoip.region_code | Region code for origin IP. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
origin_geoip.region_name | Region name for origin IP. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
origin_geoip.timezone | Timezone of origin IP. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
origin_hostname | Hostname of the origin server. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
origin_ip | IP address of origin server. | String | web_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
origin_path | Path component of origin URL. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
origin_port | Network port used by the origin service. | Number | web_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
origin_scheme | Protocol scheme (e.g., http, https) used by origin. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
origin_url | Full URL of the origin. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
path | Path component of the scanned URL. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
port | Port number used during scan. | Number | web_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
redirect | Boolean flag indicating if an HTTP redirect occurred. | Boolean | web_scan | =, != | FALSE | FALSE |
redirect_count | Number of redirect hops. | Number | web_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
redirect_list | List of intermediate redirect URLs. | String | web_scan | =, != | FALSE | FALSE |
redirect_to_https | True if redirect led to HTTPS version. | Boolean | web_scan | =, != | FALSE | FALSE |
response | HTTP response status code. | Number | web_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
scan_date | Date and time of the scan in ISO format. | Datestring | web_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
scheme | URL scheme used (e.g., http, https). | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
ssl.authority_key_id | Authority key identifier from SSL certificate. | String | web_scan | =, != | FALSE | FALSE |
ssl.CHV | Certificate hash value used for quick identity checks. | String | web_scan | =, != | TRUE | FALSE |
ssl.expired | Indicates whether SSL certificate is expired. | Boolean | web_scan | =, != | FALSE | FALSE |
ssl.issuer.common_name | Common Name of SSL certificate issuer. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
ssl.issuer.country | Country code of certificate issuer. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
ssl.issuer.organization | Organization name of issuer. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
ssl.not_after | SSL certificate expiration date. | Datestring | web_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
ssl.not_before | SSL certificate start date. | Datestring | web_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
ssl.sans | Subject Alternative Names (SANs) from the certificate. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
ssl.sans_count | Count of SAN entries. | Number | web_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
ssl.serial_number | Certificate serial number. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
ssl.SHA1 | SHA1 fingerprint of the certificate. | String | web_scan | =, != | FALSE | FALSE |
ssl.SHA256 | SHA256 fingerprint of the certificate. | String | web_scan | =, != | FALSE | FALSE |
ssl.sigalg | Signature algorithm used in certificate. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
ssl.subject.common_name | Common Name of certificate subject. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
ssl.subject.country | Country code of subject. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
ssl.subject.names | All names listed in subject fields. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
ssl.subject.organization | Organization name in certificate subject. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
ssl.wildcard | Indicates if the certificate includes wildcard domains. | Boolean | web_scan | =, != | FALSE | FALSE |
subdomain | Subdomain portion of the scanned hostname. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
tld | Top-level domain component of the host. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
url | Full URL scanned, including scheme, host, and path. | String | web_scan | =, !=, ~=, !~= | TRUE | TRUE |
Notes
favicon fields refer to .ico files; favicon2 fields cover non-.ico formats (e.g., PNG). Websites may have both.
Browsers and Web Scanner automatically check for /favicon.ico, even if it is not referenced in the code.
Examples
Query: favicon_murmur3 = 1234567890 AND datasource = webscan
Finds websites with a specific .ico favicon hash, indicating visual similarity.
Query: ssl.expired = true AND ssl.issuer.organization ~= "Let's Encrypt" AND datasource = webscan
Identifies expired SSL certificates issued by Let's Encrypt for vulnerability assessment.
Query: body_analysis.language = "ru" AND domain ~= "bank*" AND datasource = webscan
Locates Russian-language domains resembling banks, potentially for phishing detection.
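A pre-flight check for Web Scan queries, as an added example (not Silent Push code): it tests each clause against the type, operator and wildcard columns of the table above before the query is submitted. The names `FIELDS` and `lint_query` are hypothetical, the schema is a subset copied from the table, and the parser assumes only the whitespace-separated, AND-joined `field operator value` form used in this page's examples.

```python
import re
from datetime import datetime

EQ = {"=", "!="}
TEXT = {"=", "!=", "~=", "!~="}
RANGE = {"=", "!=", ">", ">=", "<", "<="}
OPERATORS = TEXT | RANGE

# field -> (type, supported operators, wildcard allowed), copied from the
# Web Scan table above. Only a subset is listed; extend it as needed.
FIELDS = {
    "domain": ("String", TEXT, True),
    "htmltitle": ("String", TEXT, True),
    "body_analysis.language": ("String", TEXT, True),
    "html_body_ssdeep": ("String", EQ, True),
    "favicon_murmur3": ("String", EQ, False),
    "jarm": ("String", EQ, False),
    "response": ("Number", RANGE, False),
    "scan_date": ("Datestring", RANGE, False),
    "ssl.expired": ("Boolean", EQ, False),
    "ssl.issuer.organization": ("String", TEXT, True),
    "ssl.not_after": ("Datestring", RANGE, False),
    "ssl.sans_count": ("Number", RANGE, False),
}

# A token is a double-quoted string, a [bracketed, list], or a run of non-spaces.
TOKEN = re.compile(r'"[^"]*"|\[[^\]]*\]|\S+')


def _value_ok(ftype, value):
    """Check that a literal matches the column type from the field table."""
    if ftype == "Boolean":
        return value.lower() in ("true", "false")
    if ftype == "Number":
        try:
            float(value)
            return True
        except ValueError:
            return False
    if ftype == "Datestring":
        # The page states Datestring values are formatted as YYYY-MM-DD.
        if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):
            return False
        try:
            datetime.strptime(value, "%Y-%m-%d")
            return True
        except ValueError:
            return False
    return True  # String: any literal is accepted


def lint_query(query):
    """Return a list of problems found in an AND-joined query string."""
    clauses, current = [], []
    for tok in TOKEN.findall(query):
        if tok == "AND":
            clauses.append(current)
            current = []
        else:
            current.append(tok)
    clauses.append(current)

    problems = []
    for clause in clauses:
        if len(clause) != 3 or clause[1] not in OPERATORS:
            problems.append(f"malformed clause: {' '.join(clause)!r}")
            continue
        field, op, raw = clause
        value = raw.strip('"')
        if field == "datasource":
            continue  # data source names are not validated in this sketch
        if field not in FIELDS:
            problems.append(f"{field}: not in the schema subset")
            continue
        ftype, ops, wildcard = FIELDS[field]
        if op not in ops:
            problems.append(f"{field}: operator {op} not supported for this field")
        elif op in EQ and "*" in value and not wildcard:
            problems.append(f"{field}: wildcard not supported for this field")
        if not _value_ok(ftype, value):
            problems.append(f"{field}: {value!r} is not a valid {ftype}")
    return problems


if __name__ == "__main__":
    # Constructed sample queries: the first is from this page, the second is
    # deliberately wrong in three places.
    samples = [
        'ssl.expired = true AND ssl.issuer.organization ~= "Let\'s Encrypt" AND datasource = webscan',
        'jarm ~= "2ad.*" AND ssl.not_after < 01/02/2025 AND ssl.expired = yes',
    ]
    for q in samples:
        print(q)
        for p in lint_query(q) or ["ok"]:
            print("   ", p)
```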
Browser Scan
Field Name | Description | Type | Supported Operators | Wildcard | Regex |
|---|---|---|---|---|---|
body_analysis.body_sha256 | SHA-256 hash of the HTML body content, used to detect identical or modified pages. | String | =,!= | FALSE | FALSE |
body_analysis.footer_sha256 | SHA-256 hash of the webpage footer, helps identify templated or reused site structures. | String | =,!= | FALSE | FALSE |
body_analysis.header_sha256 | SHA-256 hash of the header section of a webpage for identifying similar layouts. | String | =,!= | FALSE | FALSE |
body_analysis.ICP_license | Chinese ICP registration number extracted from webpage content, used for compliance tracking. | String | =,!=,~=,!~= | TRUE | TRUE |
body_analysis.js_sha256 | SHA-256 hash of embedded JavaScript resources, used for script fingerprinting. | String | =,!= | TRUE | FALSE |
body_analysis.js_ssdeep | Fuzzy hash (ssdeep) of JavaScript content to detect similar scripts. | String | =,!= | TRUE | FALSE |
body_analysis.language | Language detected from the page content or headers (e.g., English, Chinese, etc.). | String | =,!=,~=,!~= | TRUE | TRUE |
body_analysis.onion | Detected .onion links or references indicating dark web-related content. | String | =,!=,~=,!~= | TRUE | TRUE |
body_analysis.SHV | Silent Push-specific hash value used for internal similarity comparison of site bodies. | String | =,!= | FALSE | FALSE |
datahash | Hash representing the full scan data payload, used for data integrity verification. | String | =,!= | FALSE | FALSE |
domain | Domain name associated with the scanned asset. | String | =,!=,~=,!~= | TRUE | TRUE |
favicon_avg | Average color hash of the favicon image for quick visual fingerprinting. | String | =,!= | FALSE | FALSE |
favicon_murmur3 | Murmur3 hash of the favicon used for favicon-based host correlation. | String | =,!= | FALSE | FALSE |
favicon_md5 | MD5 hash of the favicon file for identifying reused branding assets. | String | =,!= | FALSE | FALSE |
favicon_path | Path of the favicon file (e.g., /favicon.ico) detected during scan. | String | =,!= | FALSE | FALSE |
favicon2_avg | Average color hash for a secondary favicon image if multiple are present. | String | =,!= | FALSE | FALSE |
favicon2_murmur3 | Murmur3 hash of the secondary favicon image. | String | =,!= | FALSE | FALSE |
favicon2_md5 | MD5 hash for the secondary favicon, often used when multiple favicons are hosted. | String | =,!= | FALSE | FALSE |
favicon2_path | Path to the secondary favicon resource on the site. | String | =,!= | FALSE | FALSE |
favicon_urls | List of URLs for all favicon resources discovered during scanning. | String | =,!=,~=,!~= | TRUE | TRUE |
geoip.as_org | Autonomous System (AS) organization name for the host’s IP address. | String | =,!=,~=,!~= | TRUE | TRUE |
geoip.asn | Autonomous System Number associated with the IP. | Number | =,!=,>,>=,<,<= | FALSE | FALSE |
geoip.city_name | City name determined from GeoIP lookup. | String | =,!=,~=,!~= | TRUE | TRUE |
geoip.continent_code | Two-letter code of the continent (e.g., EU, NA, AS). | String | =,!=,~=,!~= | TRUE | TRUE |
geoip.country_code2 | Two-letter ISO country code derived from IP location data. | String | =,!=,~=,!~= | TRUE | TRUE |
geoip.country_code3 | Three-letter ISO country code associated with the IP. | String | =,!=,~=,!~= | TRUE | TRUE |
geoip.country_name | Full country name of the host’s location. | String | =,!=,~=,!~= | TRUE | TRUE |
geoip.dma_code | Designated Market Area code for U.S.-based IPs. | Number | =,!=,>,>=,<,<= | FALSE | FALSE |
geoip.latitude | Latitude coordinate for the GeoIP location. | Number | =,!=,>,>=,<,<= | FALSE | FALSE |
geoip.location.lat | Explicit latitude value from GeoIP database. | Number | =,!=,>,>=,<,<= | FALSE | FALSE |
geoip.location.lon | Explicit longitude value from GeoIP database. | Number | =,!=,>,>=,<,<= | FALSE | FALSE |
geoip.longitude | Longitude coordinate for the GeoIP location. | Number | =,!=,>,>=,<,<= | FALSE | FALSE |
geoip.postal_code | Postal or ZIP code associated with the IP address. | String | =,!=,~=,!~= | TRUE | TRUE |
geoip.region_code | Region or state code from GeoIP location data. | String | =,!=,~=,!~= | TRUE | TRUE |
geoip.region_name | Full region or state name from GeoIP lookup. | String | =,!=,~=,!~= | TRUE | TRUE |
geoip.timezone | Time zone name or offset of the GeoIP location. | String | =,!=,~=,!~= | TRUE | TRUE |
header.cache-control | Cache-Control HTTP header value defining caching policy. | String | =,!=,~=,!~= | TRUE | TRUE |
header.connection | Connection header indicating keep-alive or close behavior. | String | =,!=,~=,!~= | TRUE | TRUE |
header.content-length | Content-Length header value specifying response body size. | Number | =,!=,>,>=,<,<= | FALSE | FALSE |
header.content-type | MIME type of the HTTP response, e.g., text/html or application/json. | String | =,!=,~=,!~= | TRUE | TRUE |
header.etag | ETag value used for content caching and validation. | String | =,!=,~=,!~= | TRUE | TRUE |
header.onion-location | Header field indicating a corresponding .onion service address. | String | =,!=,~=,!~= | TRUE | TRUE |
header.proxy-authenticate | Indicates authentication requirements for a proxy server. | String | =,!=,~=,!~= | TRUE | TRUE |
header.refresh | Refresh header instructing the browser to reload or redirect after a delay. | String | =,!=,~=,!~= | TRUE | TRUE |
header.server | Server software name/version (e.g., nginx, Apache) reported in HTTP headers. | String | =,!=,~=,!~= | TRUE | TRUE |
header.x-havoc | Custom or nonstandard header observed during scanning, potentially indicative of specific frameworks. | String | =,!=,~=,!~= | TRUE | TRUE |
header.x-powered-by | Technology or framework identifier (e.g., PHP/7.4) from the X-Powered-By header. | String | =,!=,~=,!~= | TRUE | TRUE |
HHV | Host Hash Value representing an overall unique fingerprint for the scanned host. | String | =,!= | FALSE | FALSE |
hostname | Fully qualified domain name (FQDN) of the scanned host. | String | =,!=,~=,!~= | TRUE | TRUE |
htmltitle | Title text extracted from the HTML document’s <title> tag. | String | =,!=,~=,!~= | TRUE | TRUE |
ip | IP address of the scanned host. | String | =,!=,>,>=,<,<= | FALSE | FALSE |
ip.CIDR | CIDR notation representing the IP network range of the asset. | String | =,!=,>,>=,<,<= | FALSE | FALSE |
jarm | JARM fingerprint used to identify TLS server implementations and configurations. | String | =,!= | FALSE | FALSE |
logo_urls | URLs of detected logos or branded images on the site. | String | =,!= | FALSE | FALSE |
port | Network port number where the service was identified (e.g., 80, 443). | Number | =,!=,>,>=,<,<= | FALSE | FALSE |
scan_date | Date and time when the web scan was performed. | Datestring | =,!=,>,>=,<,<= | FALSE | FALSE |
scheme | URL scheme used by the service (e.g., http, https). | String | =,!=,~=,!~= | TRUE | TRUE |
ssl.authority_key_id | Identifier of the certificate authority that issued the SSL certificate. | String | =,!= | FALSE | FALSE |
ssl.CHV | Silent Push-specific certificate hash value used for deduplication and comparison. | String | =,!= | TRUE | FALSE |
ssl.expired | Indicates whether the SSL/TLS certificate has expired. | Boolean | =,!= | FALSE | FALSE |
ssl.issuer.common_name | Common Name (CN) of the certificate issuer. | String | =,!=,~=,!~= | TRUE | TRUE |
ssl.issuer.country | Country field from the SSL certificate issuer details. | String | =,!=,~=,!~= | TRUE | TRUE |
ssl.issuer.organization | Organization name of the SSL certificate issuer. | String | =,!=,~=,!~= | TRUE | TRUE |
ssl.not_after | SSL certificate expiration date. | Datestring | =,!=,>,>=,<,<= | FALSE | FALSE |
ssl.not_before | SSL certificate activation (valid from) date. | Datestring | =,!=,>,>=,<,<= | FALSE | FALSE |
ssl.sans | Subject Alternative Names (SANs) listed in the SSL certificate. | String | =,!=,~=,!~= | TRUE | TRUE |
ssl.sans_count | Number of SAN entries present in the SSL certificate. | Number | =,!=,>,>=,<,<= | FALSE | FALSE |
ssl.serial_number | Unique serial number assigned to the SSL certificate. | String | =,!=,~=,!~= | TRUE | TRUE |
ssl.SHA1 | SHA-1 fingerprint of the SSL certificate. | String | =,!= | FALSE | FALSE |
ssl.SHA256 | SHA-256 fingerprint of the SSL certificate. | String | =,!= | FALSE | FALSE |
ssl.sigalg | Signature algorithm used by the SSL certificate (e.g., RSA-SHA256). | String | =,!=,~=,!~= | TRUE | TRUE |
ssl.subject.common_name | Common Name (CN) listed in the SSL subject field. | String | =,!=,~=,!~= | TRUE | TRUE |
ssl.subject.country | Country listed in the SSL subject field. | String | =,!=,~=,!~= | TRUE | TRUE |
ssl.subject.names | All name attributes listed under the SSL subject. | String | =,!=,~=,!~= | TRUE | TRUE |
ssl.subject.organization | Organization listed in the SSL subject field. | String | =,!=,~=,!~= | TRUE | TRUE |
ssl.wildcard | Indicates if the SSL certificate is a wildcard type. | Boolean | =,!= | FALSE | FALSE |
subdomain | Subdomain portion of the scanned hostname. | String | =,!=,~=,!~= | TRUE | TRUE |
tld | Top-level domain (TLD) of the host (e.g., .com, .net). | String | =,!=,~=,!~= | TRUE | TRUE |
url | Full URL of the scanned page after redirects. | String | =,!=,~=,!~= | TRUE | TRUE |
Examples
Query: body_analysis.js_ssdeep = "3:a+b:c+d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:w:x:y:z" AND datasource = browserscan
Detects websites with similar JavaScript code for malware script tracking.
Query: favicon_md5 = abc123def456 AND geoip.country_code2 = "US" AND datasource = browserscan
Finds U.S.-hosted sites using a specific favicon MD5 hash for brand impersonation checks.
Query: ssl.sans_count > 10 AND ssl.expired = false AND datasource = browserscan
Locates sites with multi-SAN certificates that are still valid, useful for infrastructure mapping.
Web Resources
Resource data fields enable analysis of downloaded files and external resources from webpages, including hashes for integrity and similarity detection, HTTP headers for metadata, and structural details for identification of malicious or duplicate assets.
Field Name | Description | Type | Primary Source | Supported Operators | Wildcard? | Regex? |
|---|---|---|---|---|---|---|
avg | Average hash value for perceptual image similarity detection (useful for identifying visually similar assets). | String | resource_scan | =, != | FALSE | FALSE |
datahash | Unique identifier hash derived from the resource data for quick reference and deduplication. | String | resource_scan | =, != | FALSE | FALSE |
external | Boolean flag indicating whether the resource is hosted externally to the primary domain. | Boolean | resource_scan | =, != | FALSE | FALSE |
filename | The basename of the resource file, extracted from the URL. | String | resource_scan | =, !=, >, >=, <, <= | TRUE | TRUE |
fileparameter | Query parameters associated with the file URL for version or configuration tracking. | String | resource_scan | =, !=, >, >=, <, <= | TRUE | TRUE |
filesize | Size of the resource in bytes, for filtering large or suspicious downloads. | Number | resource_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
header.content-encoding | HTTP header specifying the content encoding (e.g., gzip), indicating compression. | String | resource_scan | =, !=, ~=, !~= | TRUE | TRUE |
header.content-length | HTTP header value for the length of the content in bytes. | Number | resource_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
header.content-type | MIME type from the HTTP header, for categorizing resource types (e.g., image/jpeg). | String | resource_scan | =, !=, ~=, !~= | TRUE | TRUE |
header.etag | HTTP ETag header for resource versioning and caching validation. | String | resource_scan | =, !=, ~=, !~= | TRUE | TRUE |
header.last-modified | HTTP header indicating the last modification date of the resource. | String | resource_scan | =, !=, ~=, !~= | FALSE | FALSE |
header.server | HTTP Server header revealing the web server software and version. | String | resource_scan | =, !=, ~=, !~= | TRUE | TRUE |
hostname | The hostname portion of the resource URL. | String | resource_scan | =, !=, ~=, !~= | TRUE | TRUE |
md5 | MD5 cryptographic hash of the resource content for integrity checks. | String | resource_scan | =, != | FALSE | FALSE |
murmur3 | Murmur3 non-cryptographic hash value for fast similarity comparisons. | Number | resource_scan | =, != | FALSE | FALSE |
path | The path component of the resource URL. | String | resource_scan | =, !=, ~=, !~= | TRUE | TRUE |
port | The port number used for the resource request. | Number | resource_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
resource_url | The full URL of the downloaded resource. | String | resource_scan | =, !=, ~=, !~= | TRUE | TRUE |
response | HTTP response status code for the resource fetch. | Number | resource_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
scan_date | The timestamp when the resource was scanned. | Datestring | resource_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
sha256 | SHA-256 cryptographic hash of the resource content for secure verification. | String | resource_scan | =, != | FALSE | FALSE |
ssdeep | SSDeep fuzzy hash for detecting similar but modified files. | String | resource_scan | =, != | FALSE | FALSE |
Examples
Query: sha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" AND external = true AND datasource = resourcescan
Locates external resources matching a specific SHA-256 hash, useful for tracking leaked files.
Query: header.content-type ~= "image/*" AND filesize > 1000000 AND datasource = resourcescan
Finds large image resources for bandwidth or storage analysis.
Query: ssdeep = "3:a+b:c+d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:w:x:y:z" AND hostname ~= "*.google.com" AND datasource = resourcescan
Detects similar files hosted on Google domains for CDN abuse checks.
Domain Search
Domain intelligence fields provide insights into registration history, network infrastructure, certificate details, and changes in DNS configuration, aiding in threat hunting and domain reputation assessment.
Field Name | Description | Type | Primary Source | Supported Operators | Wildcard? | Regex? |
|---|---|---|---|---|---|---|
a_first_seen | The earliest observed date for Autonomous System Number (ASN) activity associated with the domain. | Datestring | domain_intel | >=, <= | FALSE | FALSE |
a_last_seen | The most recent observed date for ASN activity linked to the domain. | Datestring | domain_intel | >=, <= | FALSE | FALSE |
asn | The primary Autonomous System Number (ASN) for the domain's hosting network. | Number | domain_intel | = | FALSE | FALSE |
asn_diversity | Measure of variety in ASNs observed across the domain's infrastructure. | Number | domain_intel | =, >=, <= | FALSE | FALSE |
asn_diversity_max | The maximum recorded ASN diversity value over time. | Number | domain_intel | = | FALSE | FALSE |
asn_diversity_min | The minimum recorded ASN diversity value over time. | Number | domain_intel | = | FALSE | FALSE |
asn_match | Count of matching ASNs between the domain and reference sets. | Number | domain_intel | = | FALSE | FALSE |
asn_match_max | The highest number of ASN matches observed. | Number | domain_intel | = | FALSE | FALSE |
asn_match_min | The lowest number of ASN matches observed. | Number | domain_intel | = | FALSE | FALSE |
asname | The name of the Autonomous System providing network services to the domain. | String | domain_intel | = | FALSE | TRUE |
asname_contains | Partial match filter for substrings within the ASN name. | String | domain_intel | = | FALSE | TRUE |
asname_starts_with | Filter for ASN names beginning with a specified prefix. | String | domain_intel | = | FALSE | TRUE |
asnum | Numeric identifier for the Autonomous System Number. | Number | domain_intel | =, != | FALSE | TRUE |
cert_date | Issuance or expiration date of the SSL/TLS certificate for the domain. | Datestring | domain_intel | >=, <= | FALSE | FALSE |
cert_date_max | The latest certificate date recorded for the domain. | Datestring | domain_intel | = | FALSE | FALSE |
cert_date_min | The earliest certificate date recorded for the domain. | Datestring | domain_intel | = | FALSE | FALSE |
cert_issuer | The Certificate Authority (CA) that issued the domain's SSL/TLS certificate. | String | domain_intel | = | TRUE | FALSE |
domain | The registered domain name for querying and matching. | String | domain_intel | =, ~= | TRUE | FALSE |
domain_regex | Regular expression pattern for advanced domain name matching. | String | domain_intel | ~= | FALSE | TRUE |
email | Email address associated with the domain registrant or admin contact. | String | domain_intel | = | FALSE | FALSE |
first_seen_after | Filter for domains first observed after a specific date. | Datestring | domain_intel | = | FALSE | FALSE |
first_seen_before | Filter for domains first observed before a specific date. | Datestring | domain_intel | = | FALSE | FALSE |
first_seen_max | The latest first-seen date across observations. | Datestring | domain_intel | = | FALSE | FALSE |
first_seen_max_mode | Mode or method used to calculate the maximum first-seen date. | String | domain_intel | = | FALSE | FALSE |
first_seen_min | The earliest first-seen date across observations. | Datestring | domain_intel | = | FALSE | FALSE |
first_seen_min_mode | Mode or method used to calculate the minimum first-seen date. | String | domain_intel | = | FALSE | FALSE |
ip_diversity_all | Overall IP address diversity metric for the domain's endpoints. | Number | domain_intel | =, >=, <= | FALSE | FALSE |
ip_diversity_all_max | Maximum IP diversity value recorded. | Number | domain_intel | = | FALSE | FALSE |
ip_diversity_all_min | Minimum IP diversity value recorded. | Number | domain_intel | = | FALSE | FALSE |
ip_diversity_groups | IP diversity calculated within grouped endpoints or subdomains. | Number | domain_intel | =, >=, <= | FALSE | FALSE |
ip_diversity_groups_max | Maximum grouped IP diversity value. | Number | domain_intel | = | FALSE | FALSE |
ip_diversity_groups_min | Minimum grouped IP diversity value. | Number | domain_intel | = | FALSE | FALSE |
last_seen_max | The latest last-seen date across observations. | Datestring | domain_intel | = | FALSE | FALSE |
last_seen_max_mode | Mode or method for calculating the maximum last-seen date. | String | domain_intel | = | FALSE | FALSE |
last_seen_min | The earliest last-seen date across observations. | Datestring | domain_intel | = | FALSE | FALSE |
last_seen_min_mode | Mode or method for calculating the minimum last-seen date. | String | domain_intel | = | FALSE | FALSE |
mxname | The hostname of the Mail Exchange (MX) server for email routing. | String | domain_intel | = | TRUE | FALSE |
network | Network range or CIDR block associated with the domain's IP. | String | domain_intel | = | FALSE | TRUE |
ns_change_date | Date when nameserver changes were detected for the domain. | Datestring | domain_intel | >=, <= | FALSE | FALSE |
ns_first_seen | First observation date of the current nameserver configuration. | Datestring | domain_intel | >=, <= | FALSE | FALSE |
nschange_date_after | Filter for nameserver changes occurring after a specific date. | Datestring | domain_intel | = | FALSE | FALSE |
nschange_date_before | Filter for nameserver changes occurring before a specific date. | Datestring | domain_intel | = | FALSE | FALSE |
nschange_from_ns | The previous nameserver that was changed from during a DNS update. | String | domain_intel | = | TRUE | FALSE |
nschange_to_ns | The new nameserver that was changed to during a DNS update. | String | domain_intel | = | TRUE | FALSE |
nsname | The hostname of the Name Server (NS) record for DNS resolution. | String | domain_intel | = | TRUE | FALSE |
registrar | The domain registrar responsible for the domain's registration. | String | domain_intel | = | FALSE | FALSE |
timeline | Chronological summary of key events in the domain's history. | String | domain_intel | = | FALSE | FALSE |
whois_date | Date of the most recent WHOIS record update or query. | Datestring | domain_intel | >= | FALSE | FALSE |
whois_date_after | Filter for WHOIS updates occurring after a specific date. | Datestring | domain_intel | = | FALSE | FALSE |
Examples
Query: asn_diversity > 5 AND domain = example.com AND datasource = domainintel
Assesses infrastructure diversity for a specific domain to detect fluxing.
Query: cert_issuer = "DigiCert Inc" AND first_seen_after = 2025-01-01 AND datasource = domainintel
Finds domains with recent first sightings using DigiCert certificates for new registrations.
Query: ns_change_date >= 2025-06-01 AND registrar ~= "GoDaddy*" AND datasource = domainintel
Tracks recent nameserver changes on GoDaddy-registered domains for potential hijacking.
PADNS
PADNS fields facilitate querying historical Passive DNS (PDNS) resolution data, enabling timeline analysis of domain-to-IP mappings, detection of fluxing infrastructure, and tracking of DNS changes over time for threat intelligence.
Field Name | Description | Type | Primary Source | Supported Operators | Wildcard? | Regex? |
|---|---|---|---|---|---|---|
answer | The resolved value from the DNS record, such as an IP address for A/AAAA records or hostname for reverse lookups. | String | padns | =, ~= | TRUE | TRUE |
as_of | The specific timestamp at which the DNS resolution was recorded or considered valid. | Datestring | padns | = | FALSE | FALSE |
first_seen | The earliest date this DNS record (query-answer pair) was observed in passive collections. | Datestring | padns | >=, <= | FALSE | FALSE |
first_seen_after | Filter to include only records where the first observation occurred after the specified date. | Datestring | padns | = | FALSE | FALSE |
first_seen_before | Filter to include only records where the first observation occurred before the specified date. | Datestring | padns | = | FALSE | FALSE |
last_seen | The most recent date this DNS record was observed in passive collections. | Datestring | padns | >=, <= | FALSE | FALSE |
last_seen_after | Filter to include only records where the last observation occurred after the specified date. | Datestring | padns | = | FALSE | FALSE |
last_seen_before | Filter to include only records where the last observation occurred before the specified date. | Datestring | padns | = | FALSE | FALSE |
query | The domain name or hostname that was queried in the DNS resolution. | String | padns | =, ~= | TRUE | TRUE |
type | The DNS record type, such as A, AAAA, MX, or CNAME, indicating the nature of the resolution. | String | padns | = | FALSE | FALSE |
Examples
Query: query = malicious.com AND type = A AND first_seen >= 2025-01-01 AND datasource = padns
Retrieves A record resolutions for a suspicious domain that were first seen on or after a specific date.
Query: answer = 192.0.2.1 AND type ~= "A*" AND last_seen_after = 2025-07-01 AND datasource = padns
Tracks recent A/AAAA resolutions pointing to a specific IP for flux detection.
Query: query ~= "*.bank.com" AND type = MX AND datasource = padns
Finds MX records for bank subdomains to map email infrastructure.
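A pre-flight check for PADNS queries, added here as an example (it is not Silent Push code): it compares each clause with the Type, Supported Operators and Wildcard? columns of the PADNS table above and with the YYYY-MM-DD Datestring format. The function name, the finding codes and the simplified grammar (flat clauses joined by AND, values bare or double-quoted) are assumptions based on the example queries on this page.

```python
import re
from datetime import datetime

# Transcribed from the PADNS table on this page:
# field -> (type, supported operators, wildcard allowed)
PADNS_FIELDS = {
    "answer":            ("String",     {"=", "~="},  True),
    "as_of":             ("Datestring", {"="},        False),
    "first_seen":        ("Datestring", {">=", "<="}, False),
    "first_seen_after":  ("Datestring", {"="},        False),
    "first_seen_before": ("Datestring", {"="},        False),
    "last_seen":         ("Datestring", {">=", "<="}, False),
    "last_seen_after":   ("Datestring", {"="},        False),
    "last_seen_before":  ("Datestring", {"="},        False),
    "query":             ("String",     {"=", "~="},  True),
    "type":              ("String",     {"="},        False),
}

# Longest operators first so ">=" is not read as ">" followed by "=".
CLAUSE_RE = re.compile(r'^\s*([\w.\-]+)\s*(!~=|~=|!=|>=|<=|=|>|<)\s*(.+?)\s*$')
DATE_RE = re.compile(r'^\d{4}-\d{2}-\d{2}$')


def _valid_datestring(value):
    """True only for a zero-padded YYYY-MM-DD string naming a real calendar day."""
    if not DATE_RE.match(value):
        return False
    try:
        datetime.strptime(value, "%Y-%m-%d")
    except ValueError:
        return False
    return True


def lint_padns_query(query):
    """Return a list of (field, code, message) findings; empty means no issue found."""
    findings = []
    for clause in re.split(r'\s+AND\s+', query.strip()):
        m = CLAUSE_RE.match(clause)
        if not m:
            findings.append((clause, "syntax", "cannot parse clause"))
            continue
        field, op, value = m.group(1), m.group(2), m.group(3).strip('"')
        if field == "datasource":
            if value != "padns":
                findings.append((field, "datasource",
                                 f"table is for padns, query targets {value}"))
            continue
        if field not in PADNS_FIELDS:
            findings.append((field, "unknown_field", "not in the PADNS table"))
            continue
        ftype, ops, wildcard_ok = PADNS_FIELDS[field]
        if op not in ops:
            findings.append((field, "operator",
                             f"{op} not listed; table allows {sorted(ops)}"))
        if "*" in value and not wildcard_ok:
            findings.append((field, "wildcard", "table marks Wildcard? FALSE"))
        if ftype == "Datestring" and not _valid_datestring(value):
            findings.append((field, "date", f"{value!r} is not YYYY-MM-DD"))
    return findings


if __name__ == "__main__":
    # The three PADNS example queries from this page.
    for q in (
        'query = malicious.com AND type = A AND first_seen >= 2025-01-01 AND datasource = padns',
        'answer = 192.0.2.1 AND type ~= "A*" AND last_seen_after = 2025-07-01 AND datasource = padns',
        'query ~= "*.bank.com" AND type = MX AND datasource = padns',
    ):
        print(q)
        for finding in lint_padns_query(q) or [("-", "ok", "no findings")]:
            print("   ", finding)
```

Checked against the three PADNS examples above, it passes the first and third and reports the second, because the table lists only `=` and no wildcard support for `type`.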
Dark Web Scan/Torscan
Field Name | Description | Type | Supported Operators | Wildcard? | Regex? |
|---|---|---|---|---|---|
address | The full network address or URL scanned. | String | =,!=,~=,!~= | TRUE | TRUE |
body_analysis.adsense | Detected Google AdSense identifier within the page content. | String | =,!= | FALSE | FALSE |
body_analysis.body_sha256 | SHA256 hash of the page’s full HTML body. | String | =,!= | FALSE | FALSE |
body_analysis.footer_sha256 | SHA256 hash of the HTML footer portion of the webpage. | String | =,!= | FALSE | FALSE |
body_analysis.google-adstag | Detected Google Ads tag snippet within the HTML source. | String | =,!= | FALSE | FALSE |
body_analysis.google-GA4 | Detected Google Analytics 4 tracking ID in the page. | String | =,!= | FALSE | FALSE |
body_analysis.google-UA | Detected Universal Analytics tracking ID in the page. | String | =,!= | FALSE | FALSE |
body_analysis.header_sha256 | SHA256 hash of the HTML header portion of the webpage. | String | =,!= | FALSE | FALSE |
body_analysis.js_sha256 | SHA256 hash of embedded JavaScript code. | String | =,!= | TRUE | FALSE |
body_analysis.js_ssdeep | SSDEEP fuzzy hash of JavaScript code for similarity comparison. | String | =,!= | TRUE | FALSE |
body_analysis.language | Language detected from meta tags or text content. | String | =,!=,~=,!~= | TRUE | TRUE |
body_analysis.onion | Identifies if .onion links or Tor indicators are present on the site. | String | =,!=,~=,!~= | TRUE | TRUE |
body_analysis.SHV | Detected social handle verification identifiers or hash values. | String | =,!= | FALSE | FALSE |
body_analysis.telegram | Presence of Telegram contact links or handles within the content. | String | =,!= | FALSE | FALSE |
datahash | Hash representation of the entire scan response for deduplication. | String | =,!= | FALSE | FALSE |
domain | Domain name associated with the scanned URL. | String | =,!=,~=,!~= | TRUE | TRUE |
favicon_avg | Average color or pixel hash value from the site’s favicon. | String | =,!= | FALSE | FALSE |
favicon_md5 | MD5 hash of the favicon image for quick fingerprinting. | String | =,!= | FALSE | FALSE |
favicon_murmur3 | Murmur3 hash of the favicon image for similarity detection. | String | =,!= | FALSE | FALSE |
favicon_path | Path to the favicon resource as extracted from the HTML. | String | =,!= | FALSE | FALSE |
favicon2_avg | Average color hash of a secondary favicon found on the site. | String | =,!= | FALSE | FALSE |
favicon2_md5 | MD5 hash of a secondary favicon resource. | String | =,!= | FALSE | FALSE |
favicon2_murmur3 | Murmur3 hash of a secondary favicon image. | String | =,!= | FALSE | FALSE |
favicon2_path | File path to a secondary favicon resource. | String | =,!= | FALSE | FALSE |
file | Indicates if the scanned object is a downloadable file instead of HTML. | Boolean | =,!= | FALSE | FALSE |
file_sha256 | SHA256 hash of a downloaded file from the scan. | String | =,!= | FALSE | FALSE |
header.cache-control | Value of the Cache-Control header specifying caching behavior. | String | =,!=,~=,!~= | TRUE | TRUE |
header.connection | Value of the Connection header (e.g., keep-alive, close). | String | =,!=,~=,!~= | TRUE | TRUE |
header.content-length | Content length header specifying response body size in bytes. | Number | =,!=,>,>=,<,<= | FALSE | FALSE |
header.content-type | Indicates MIME type of the HTTP response (e.g., text/html). | String | =,!=,~=,!~= | TRUE | TRUE |
header.etag | ETag value identifying specific content versions for caching. | String | =,!=,~=,!~= | TRUE | TRUE |
header.refresh | Refresh or redirect instruction header if present. | String | =,!=,~=,!~= | TRUE | TRUE |
header.server | Server header value identifying web server software. | String | =,!=,~=,!~= | TRUE | TRUE |
header.x-powered-by | X-Powered-By header exposing backend technology details. | String | =,!=,~=,!~= | TRUE | TRUE |
HHV | HTML hash version or signature identifying template similarity. | String | =,!=,~=,!~= | TRUE | TRUE |
hostname | Resolved hostname of the scanned endpoint. | String | =,!=,>,>=,<,<= | FALSE | FALSE |
html_body_murmur3 | Murmur3 hash of the complete HTML body. | Number | =,!=,>,>=,<,<= | FALSE | FALSE |
html_body_sha256 | SHA256 hash of the complete HTML body for uniqueness. | String | =,!= | FALSE | FALSE |
html_body_ssdeep | SSDEEP fuzzy hash of HTML body content for similarity detection. | String | =,!= | TRUE | FALSE |
htmltitle | Title tag text extracted from the HTML document. | String | =,!=,~=,!~= | TRUE | TRUE |
logo_urls | URLs of images identified as logos on the webpage. | String | =,!= | FALSE | FALSE |
opendirectory | Indicates whether an open directory listing was detected. | Boolean | =,!= | FALSE | FALSE |
origin_hostname | Hostname of the original resource if redirected or proxied. | String | =,!=,~=,!~= | TRUE | TRUE |
origin_ip | IP address of the original source server. | String | =,!=,>,>=,<,<= | FALSE | FALSE |
origin_path | Original path portion of the URL before redirects. | String | =,!=,~=,!~= | TRUE | TRUE |
origin_port | Port number used by the original resource. | String | =,!=,>,>=,<,<= | FALSE | FALSE |
origin_scheme | Protocol scheme (HTTP/HTTPS) of the original resource. | String | =,!=,~=,!~= | TRUE | TRUE |
origin_url | Full URL of the original scanned resource. | String | =,!=,~=,!~= | TRUE | TRUE |
path | Path portion of the current request URL. | String | =,!=,~=,!~= | TRUE | TRUE |
port | TCP port used in the scan request. | Number | =,!=,>,>=,<,<= | FALSE | FALSE |
redirect | Indicates if the page performed a redirect during scan. | Boolean | =,!= | FALSE | FALSE |
redirect_count | Number of redirects followed to reach final destination. | Number | =,!=,>,>=,<,<= | FALSE | FALSE |
redirect_list | List of all redirect URLs encountered. | String | =,!= | FALSE | FALSE |
redirect_to_https | Boolean indicating redirect from HTTP to HTTPS. | Boolean | =,!= | FALSE | FALSE |
response | HTTP response status code (e.g., 200, 404, 500). | Number | =,!=,>,>=,<,<= | FALSE | FALSE |
scan_date | Date when the web scan was performed. | Datestring | =,!=,>,>=,<,<= | FALSE | FALSE |
scheme | URL scheme (HTTP or HTTPS) of the scanned page. | String | =,!=,~=,!~= | TRUE | TRUE |
ssl.authority_key_id | Authority Key Identifier from the SSL certificate. | String | =,!= | FALSE | FALSE |
ssl.chv | Certificate hash value for unique identification. | String | =,!= | TRUE | FALSE |
ssl.expired | Boolean indicating if the SSL certificate is expired. | Boolean | =,!= | FALSE | FALSE |
ssl.issuer.common_name | Common name of the certificate issuer. | String | =,!=,~=,!~= | TRUE | TRUE |
ssl.issuer.country | Country of the certificate issuer organization. | String | =,!=,~=,!~= | TRUE | TRUE |
ssl.issuer.organization | Organization name of the certificate issuer. | String | =,!=,~=,!~= | TRUE | TRUE |
ssl.not_after | Expiration date of the SSL certificate. | Datestring | =,!=,>,>=,<,<= | FALSE | FALSE |
ssl.not_before | Activation date of the SSL certificate. | Datestring | =,!=,>,>=,<,<= | FALSE | FALSE |
ssl.sans | Subject Alternative Names (SANs) listed in the certificate. | String | =,!=,~=,!~= | TRUE | TRUE |
ssl.sans_count | Number of SAN entries in the SSL certificate. | Number | =,!=,>,>=,<,<= | FALSE | FALSE |
ssl.serial_number | Unique serial number of the SSL certificate. | String | =,!=,~=,!~= | TRUE | TRUE |
ssl.SHA1 | SHA1 fingerprint of the SSL certificate. | String | =,!= | FALSE | FALSE |
ssl.SHA256 | SHA256 fingerprint of the SSL certificate. | String | =,!= | FALSE | FALSE |
ssl.sigalg | Signature algorithm used by the SSL certificate. | String | =,!=,~=,!~= | TRUE | TRUE |
ssl.subject.common_name | Common Name (CN) of the SSL subject. | String | =,!=,~=,!~= | TRUE | TRUE |
ssl.subject.country | Country listed in the SSL subject field. | String | =,!=,~=,!~= | TRUE | TRUE |
ssl.subject.organization | Organization name listed in the SSL subject field. | String | =,!=,~=,!~= | TRUE | TRUE |
ssl.valid | Boolean indicating if the SSL certificate is valid at scan time. | Boolean | =,!= | FALSE | FALSE |
status | Overall scan status (success, timeout, failure). | String | =,!= | FALSE | FALSE |
timestamp | Exact UTC timestamp when the scan was executed. | Datestring | =,!=,>,>=,<,<= | FALSE | FALSE |
url | Full final URL reached after redirects. | String | =,!=,~=,!~= | TRUE | TRUE |
Examples
Query: body_analysis.telegram ~= "@darkmarket" AND datasource = torscan
Searches for .onion sites mentioning specific Telegram handles for dark web marketplace tracking.
Query: domain = hiddenwiki.onion AND html_body_ssdeep = "3:a+b:c+d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:w:x:y:z" AND datasource = torscan
Finds similar HTML content on a known .onion site for clone detection.
Query: ssl.expired = true AND scan_date >= 2025-09-01 AND datasource = torscan
Identifies recently scanned expired SSL certs on Tor sites for security audits.
Services
Service scan fields capture details from network service interactions, including banners for software identification, cryptographic fingerprints for authentication verification, geolocation of hosting infrastructure, and SSL/TLS certificate attributes for security analysis and vulnerability assessment.
Field Name | Description | Type | Primary Source | Supported Operators | Wildcard? | Regex? |
|---|---|---|---|---|---|---|
banner | The raw banner text returned by the service, often containing software name and version for fingerprinting. | String | service_scan | =, !=, ~=, !~= | TRUE | TRUE |
datahash | Unique hash identifier for the service scan data to enable deduplication and quick lookups. | String | service_scan | =, != | FALSE | FALSE |
fingerprints.ECDSA | Fingerprint of the ECDSA public key used by the service for cryptographic verification. | String | service_scan | =, != | FALSE | FALSE |
fingerprints.ED25519 | Fingerprint of the ED25519 public key employed in the service's authentication mechanisms. | String | service_scan | =, != | FALSE | FALSE |
fingerprints.RSA | Fingerprint of the RSA public key utilized by the service for secure connections. | String | service_scan | =, != | FALSE | FALSE |
geoip.asn | Autonomous System Number (ASN) of the IP address hosting the service. | Number | service_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
geoip.as_org | Name of the organization owning the ASN for the service's hosting network. | String | service_scan | =, !=, ~=, !~= | TRUE | TRUE |
ip | The IP address on which the service is listening and responding. | String | service_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
port | The network port number associated with the scanned service. | Number | service_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
scan_date | Timestamp when the service scan was performed. | Datestring | service_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
ssl.authority_key_id | Key identifier for the certificate authority's public key in the SSL chain. | String | service_scan | =, != | FALSE | FALSE |
ssl.CHV | Certificate Hash Value (CHV) for fuzzy matching of similar SSL certificates. | String | service_scan | =, != | TRUE | FALSE |
ssl.expired | Boolean indicator if the SSL certificate has expired at the time of scan. | Boolean | service_scan | =, != | FALSE | FALSE |
ssl.issuer.common_name | Common Name (CN) of the issuing certificate authority for the SSL certificate. | String | service_scan | =, !=, ~=, !~= | TRUE | TRUE |
ssl.issuer.country | Country code of the organization issuing the SSL certificate. | String | service_scan | =, !=, ~=, !~= | TRUE | TRUE |
ssl.issuer.organization | Organization name of the certificate issuer. | String | service_scan | =, !=, ~=, !~= | TRUE | TRUE |
ssl.not_after | Expiration date of the SSL certificate (not after this date). | Datestring | service_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
ssl.not_before | Issuance date of the SSL certificate (valid from this date). | Datestring | service_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
ssl.sans | Subject Alternative Names (SANs) listed in the SSL certificate. | String | service_scan | =, !=, ~=, !~= | TRUE | TRUE |
ssl.sans_count | Number of Subject Alternative Names in the SSL certificate. | Number | service_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
ssl.serial_number | Serial number uniquely identifying the SSL certificate. | String | service_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
ssl.SHA1 | SHA-1 hash of the SSL certificate for legacy compatibility checks. | String | service_scan | =, != | FALSE | FALSE |
ssl.SHA256 | SHA-256 hash of the SSL certificate for secure fingerprinting. | String | service_scan | =, != | FALSE | FALSE |
ssl.sigalg | Signature algorithm used in the SSL certificate (e.g., sha256WithRSAEncryption). | String | service_scan | =, !=, >, >=, <, <= | FALSE | FALSE |
ssl.subject.common_name | Common Name (CN) in the subject field of the SSL certificate. | String | service_scan | =, !=, ~=, !~= | TRUE | TRUE |
ssl.subject.country | Country code in the subject field of the SSL certificate. | String | service_scan | =, !=, ~=, !~= | TRUE | TRUE |
ssl.subject.names | All names listed in the subject field of the SSL certificate. | String | service_scan | =, !=, ~=, !~= | TRUE | TRUE |
ssl.subject.organization | Organization name in the subject field of the SSL certificate. | String | service_scan | =, !=, ~=, !~= | TRUE | TRUE |
ssl.wilcard | | Boolean | service_scan | =, != | FALSE | FALSE |
Examples
Query: banner ~= "OpenSSH*7.4*" AND port = 22 AND datasource = services
Identifies outdated OpenSSH versions on SSH ports for vulnerability scanning.
Query: fingerprints.RSA = "selfsigned" AND ssl.expired = false AND datasource = services
Detects non-expired self-signed RSA keys on services for internal network assessment.
Query: geoip.as_org ~= "Amazon*" AND port = 443 AND datasource = services
Maps AWS-hosted HTTPS services for cloud exposure analysis.
Services and Open Directory Data
For non-HTTP services and directories: Focus on banners, fingerprints, and metadata for port scanning or file exposure analysis.
Services Fields: banner (service banner, String, services); fingerprints.ECDSA/ED25519/RSA (public key fingerprints, String, services).
Example:
fingerprints.RSA = *selfsigned* AND port = 443 – Detects self-signed keys on common ports.
Open Directory Fields: dir (is directory, Boolean, opendirectory); last_modified (file mod date, Datestring, opendirectory); name (file/dir name, String, opendirectory); size (filesize in bytes, Integer, opendirectory).
Example:
dir = true AND size > 1000000 – Finds large exposed directories.
Scan History and Failure Data
For troubleshooting scans: Logs success/failure with reasons.
History Fields: datahash (scan hash, String, webscanhistory); full overlap with origin/redirect for tracked scans.
Example:
scan_date > 2025-01-01 AND datasource = webscanhistory – Reviews recent successful scans.
Failure Fields: reason (failure reason, String, webscanfailure).
Example:
reason = "timeout" AND ip = * – Analyzes timeout-prone IPs.
Open Directory
Open Directory fields detail discovered open directory listings on web servers, including directory contents, file metadata, and network attributes for vulnerability assessment, content enumeration, and exposure analysis in security audits.
Field Name | Description | Type | Primary Source | Supported Operators | Wildcard? | Regex? |
|---|---|---|---|---|---|---|
dir | Boolean flag indicating whether the path is an open directory listing (e.g., Apache autoindex enabled). | Boolean | opendirectory | =, != | FALSE | FALSE |
geoip.asn | Autonomous System Number (ASN) associated with the IP hosting the open directory. | Number | opendirectory | =, !=, >, >=, <, <= | FALSE | FALSE |
geoip.as_org | Name of the organization owning the ASN for the server hosting the open directory. | String | opendirectory | =, !=, ~=, !~= | TRUE | TRUE |
hostname | The hostname of the server where the open directory was discovered. | String | opendirectory | =, !=, ~=, !~= | TRUE | TRUE |
ip | The IP address of the server exposing the open directory listing. | String | opendirectory | =, !=, >, >=, <, <= | FALSE | FALSE |
last modified | The last modification timestamp of the directory or its contents, extracted from server headers. | Datestring | opendirectory | =, !=, >, >=, <, <= | FALSE | FALSE |
name | The name of a file or subdirectory listed within the open directory. | String | opendirectory | =, !=, >, >=, <, <= | FALSE | FALSE |
port | The port number on which the open directory service is accessible. | Number | opendirectory | =, !=, >, >=, <, <= | FALSE | FALSE |
scan_date | The date and time when the open directory was scanned and discovered. | Datestring | opendirectory | =, !=, >, >=, <, <= | FALSE | FALSE |
scheme | The protocol scheme (e.g., http or https) used to access the open directory. | String | opendirectory | =, !=, ~=, !~= | TRUE | TRUE |
sha256 | SHA-256 hash of the directory listing content for integrity and duplication checks. | String | opendirectory | =, != | FALSE | FALSE |
size | The size in bytes of a file within the open directory listing. | Number | opendirectory | =, !=, >, >=, <, <= | FALSE | FALSE |
Examples
Query: dir = true AND size > 1000000 AND datasource = opendirectory
Finds large exposed directories for data leak risk assessment.
Query: name = "backup.zip" AND last modified >= 2025-08-01 AND datasource = opendirectory
Locates recently modified backup files in open directories for exposure hunting.
Query: hostname ~= "*.dev" AND geoip.country_code2 = "US" AND datasource = opendirectory
Maps U.S.-based development subdomains with open directories for internal vuln checks.
Web Scan History
Web Scan History fields log metadata from past web scans, enabling tracking of scan timelines, domain evolutions, and infrastructure changes for auditing, compliance, and historical threat correlation.
Field Name | Description | Type | Primary Source | Supported Operators | Wildcard? | Regex? |
|---|---|---|---|---|---|---|
datahash | Unique hash identifier for the web scan history record to facilitate deduplication and reference. | String | webscan_history | =, != | FALSE | FALSE |
domain | The domain name targeted in the historical web scan. | String | webscan_history | =, !=, ~=, !~= | TRUE | TRUE |
hostname | The specific hostname resolved and scanned in the web history entry. | String | webscan_history | =, !=, ~=, !~= | TRUE | TRUE |
ip | The IP address associated with the scanned hostname at the time of the web scan. | String | webscan_history | =, !=, >, >=, <, <= | FALSE | FALSE |
origin_url | The full originating URL that initiated or was scanned in the historical record. | String | webscan_history | =, !=, ~=, !~= | TRUE | TRUE |
scan_date | The timestamp when the web scan was executed and recorded in history. | Datestring | webscan_history | =, !=, >, >=, <, <= | FALSE | FALSE |
scheme | The protocol scheme (e.g., http or https) used during the historical web scan. | String | webscan_history | =, !=, ~=, !~= | TRUE | TRUE |
Examples
Query: scan_date > 2025-01-01 AND datasource = webscanhistory
Reviews recent successful scans for trend analysis.
Query: domain = example.com AND ip != "192.0.2.1" AND datasource = webscanhistory
Tracks IP changes for a domain over time in scan history.
Query: origin_url ~= "https://api.*" AND scheme = https AND datasource = webscanhistory
Examines historical scans of API endpoints with HTTPS.
Web Scan Failure
Web Scan Failure fields record details of unsuccessful web scans, capturing failure reasons, target identifiers, and timestamps to aid in troubleshooting scan errors, infrastructure issues, and retry prioritization in monitoring workflows.
Field Name | Description | Type | Primary Source | Supported Operators | Wildcard? | Regex? |
|---|---|---|---|---|---|---|
domain | The domain name that was targeted but failed during the web scan attempt. | String | webscan_failure | =, !=, ~=, !~= | TRUE | TRUE |
ip | The IP address associated with the failed web scan target. | String | webscan_failure | =, !=, >, >=, <, <= | FALSE | FALSE |
port | The port number used in the failed web scan connection attempt. | Number | webscan_failure | =, !=, >, >=, <, <= | FALSE | FALSE |
reason | The specific error message or code explaining why the web scan failed (e.g., timeout, connection refused). | String | webscan_failure | =, !=, ~=, !~= | TRUE | TRUE |
scan_date | The timestamp when the failed web scan was attempted. | Datestring | webscan_failure | =, !=, >, >=, <, <= | FALSE | FALSE |
scheme | The protocol scheme (e.g., http or https) attempted in the failed scan. | String | webscan_failure | =, !=, ~=, !~= | TRUE | TRUE |
url | The full URL that resulted in the scan failure. | String | webscan_failure | =, !=, ~=, !~= | TRUE | TRUE |
Examples
Query: reason = "timeout" AND datasource = webscanfailure
Analyzes timeout-prone scans for network issues.
Query: ip = 192.0.2.1 AND scheme = https AND port = 443 AND datasource = webscanfailure
Investigates HTTPS failures on a specific IP and port.
Query: domain ~= "*.onion" AND scan_date >= 2025-10-01 AND datasource = webscanfailure
Reviews recent failures on .onion domains for Tor connectivity problems.
WHOIS
WHOIS fields extract registrant contact information, registration timelines, and nameserver details from domain WHOIS records, supporting domain ownership verification, abuse reporting, and lifecycle analysis in cybersecurity investigations.
Field Name | Description | Type | Primary Source | Supported Operators | Wildcard? | Regex? |
|---|---|---|---|---|---|---|
address | The street address of the domain registrant or administrative contact from the WHOIS record. | String | whois | =, != | TRUE | FALSE |
city | The city location associated with the domain registrant's address. | String | whois | =, !=, ~=, !~= | TRUE | TRUE |
country | The country code or name indicating the registrant's geographic location. | String | whois | =, !=, ~=, !~= | TRUE | TRUE |
created | The creation date when the domain was first registered. | Datestring | whois | =, !=, >, >=, <, <= | FALSE | FALSE |
domain | The domain name queried in the WHOIS record. | String | whois | =, !=, ~=, !~= | TRUE | TRUE |
email | The email address of the registrant, technical, or administrative contact. | String | whois | =, !=, ~=, !~= | TRUE | FALSE |
expires | The expiration date when the domain registration is set to end. | Datestring | whois | =, !=, >, >=, <, <= | FALSE | FALSE |
name | The full name of the individual or entity registered as the domain owner. | String | whois | =, !=, ~=, !~= | TRUE | TRUE |
nameserver | The hostname of a nameserver delegated for the domain's DNS resolution. | String | whois | =, != | TRUE | FALSE |
nshash | A hash value representing the configuration of the domain's nameservers for change detection. | String | whois | =, != | FALSE | FALSE |
organization | The name of the organization or company associated with the domain registrant. | String | whois | =, !=, ~=, !~= | TRUE | TRUE |
registrar | The domain registrar company that handles the registration and renewal. | String | whois | =, !=, ~=, !~= | TRUE | TRUE |
state | The state or province in the registrant's address. | String | whois | =, !=, ~=, !~= | TRUE | TRUE |
updated | The last update date of the WHOIS record. | Datestring | whois | =, !=, >, >=, <, <= | FALSE | FALSE |
zipcode | The postal or ZIP code from the registrant's address. | String | whois | =, !=, ~=, !~= | TRUE | TRUE |
scan_date | The timestamp when the WHOIS query was performed. | Datestring | whois | =, !=, >, >=, <, <= | FALSE | FALSE |
Examples
Query: email ~= "*@example.com" AND created > 2025-01-01 AND datasource = whois
Finds recently created domains with emails from a specific organization.
Query: registrar = "GoDaddy.com" AND expires < 2025-12-31 AND datasource = whois
Lists GoDaddy domains expiring soon for renewal monitoring.
Query: country = "RU" AND organization ~= "Private" AND datasource = whois
Identifies privacy-protected Russian domains to assess their abuse potential.
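A pre-flight check for the operator, wildcard and Datestring constraints in the WHOIS field table, given here as an added Python example (not Silent Push code). It assumes flat `field operator value` clauses joined by `AND`, as in the three queries above; `lint_whois_query` and the other names are hypothetical.

```python
import re
from datetime import datetime

# Operator sets and wildcard flags transcribed from the WHOIS field table.
EQ = {"=", "!="}
STR = EQ | {"~=", "!~="}
DATE = EQ | {">", ">=", "<", "<="}
WHOIS_FIELDS = {  # field -> (type, supported operators, wildcard allowed)
    **{f: ("String", EQ, True) for f in ("address", "nameserver")},
    "nshash": ("String", EQ, False),
    **{f: ("String", STR, True) for f in (
        "city", "country", "domain", "email", "name",
        "organization", "registrar", "state", "zipcode")},
    **{f: ("Datestring", DATE, False) for f in (
        "created", "expires", "updated", "scan_date")},
}
# Assumed clause shape: field, operator, optionally quoted value.
CLAUSE = re.compile(r'^([\w.]+)\s*(!~=|~=|!=|>=|<=|=|>|<)\s*"?([^"]*?)"?$')

def is_datestring(value):
    """True only for a real calendar date written as YYYY-MM-DD."""
    try:
        datetime.strptime(value, "%Y-%m-%d")
    except ValueError:
        return False
    return bool(re.fullmatch(r"\d{4}-\d{2}-\d{2}", value))

def lint_whois_query(query):
    """Return a list of problems; empty means every clause fits the table."""
    problems = []
    for clause in re.split(r"\s+AND\s+", query.strip()):
        m = CLAUSE.match(clause)
        field, op, value = m.groups() if m else (None, None, None)
        if m is None:
            problems.append(f"unparsed clause: {clause!r}")
        elif field == "datasource":
            if (op, value) != ("=", "whois"):
                problems.append("datasource: WHOIS fields need datasource = whois")
        elif field not in WHOIS_FIELDS:
            problems.append(f"{field}: not a WHOIS field")
        else:
            ftype, ops, wildcard_ok = WHOIS_FIELDS[field]
            if op not in ops:
                problems.append(f"{field}: operator {op} not supported")
            if "*" in value and not wildcard_ok:
                problems.append(f"{field}: wildcard not supported")
            if ftype == "Datestring" and not is_datestring(value):
                problems.append(f"{field}: {value!r} is not YYYY-MM-DD")
    return problems
```

The Regex? column is not checked, because the page does not show how a regex value is written in a query.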
Field Name Index
This compact alphabetical table consolidates all fields for quick lookup, showing descriptions, types, and sources.
Field Name | Description | Type | Data Source |
|---|---|---|---|
| Has /ads.txt | Boolean | webscan |
| sha256 of /ads.txt | String | webscan |
| Has /app-ads.txt | Boolean | webscan |
| sha256 of /app-ads.txt | String | webscan |
| Has /sellers.json | Boolean | webscan |
| sha256 of /sellers.json | String | webscan |
| Service banner on a specific port | String | services |
| See Body Data | Various | webscan, torscan |
| A unique hash of the overall scan result | String | webscan, torscan, services, webscanhistory |
| Is a directory | Boolean | opendirectory |
| The final domain... | String | webscan, torscan, webscanhistory, webscanfailure |
| See Favicon Data | Various | webscan, torscan |
| Does URL scanned point to a file | Boolean | webscan, torscan |
| Hash of file pointed to | String | webscan, torscan |
| Public key fingerprints | String | services |
| See GeoIP Data | Various | webscan, services, opendirectory |
| See HTML Data | Various | webscan, torscan |
| A hash value based on the header keys | String | webscan, torscan |
| Hostname... | String | webscan, torscan, webscanhistory |
| See HTML Data | Various | webscan, torscan |
| IP hosting... | String | webscan, services, opendirectory, webscanhistory, webscanfailure |
| JARM Hash... | String | webscan |
| Last modified date... | Datestring | opendirectory |
| Filename... | String | opendirectory |
| Is this an open directory | Boolean | webscan, torscan |
| See Origin and Redirect Data | Various | webscan, torscan, webscanhistory |
| Path... | String | webscan, torscan |
| Port... | Number | webscan, torscan, services, opendirectory, webscanfailure |
| The reason a scanning failure occurred | String | webscanfailure |
| See Origin and Redirect Data | Various | webscan, torscan |
| Scan Request Response Code | Number | webscan, torscan |
| The date that data was scanned | Datestring | All sources |
| Scheme... | String | webscan, torscan, opendirectory, webscanhistory, webscanfailure |
| The filesize in bytes | Integer | opendirectory |
| See SSL Data | Various | webscan, torscan, services |
| The subdomain value... | String | webscan, torscan |
| The top level domain... | String | webscan, torscan |
| The final URL... | String | webscan, torscan, webscanfailure |