Supported field names

This article provides a comprehensive reference for field names and data sources used in Web Search queries. Field names are searchable data categories in Silent Push Query Language (SPQL), enabling precise searches across Web Search’s data repositories. Understanding these fields and their associated data sources is essential for constructing effective queries and interpreting scan results.

Key data types, represented by these field names, also support advanced analysis for similarity detection, malicious activity identification (e.g., phishing sites, malware), dark web tracking, and URL navigation paths. For example, hash-based fields like SHA-256 or SSDeep allow matching identical or similar content, while SSL and JARM fields fingerprint certificates and TLS configurations.

Overview of data sources

Web Search organizes scanned data into six data sources, each representing a specific type of web data. The table below summarizes each data source and its primary use case:

Data source	Description
webscan	Web data from public IPv4 and IPv6 ranges, including HTML, favicons, and SSL data.
torscan	Data from .onion sites on the Tor network, similar to `webscan` but Tor-specific.
services	Non-HTTP services (e.g., SSH, DNS), including TLS/SSL certificate data.
opendirectory	Data from open directories, including file and directory metadata.
webscanhistory	Log of successful scanning attempts, tracking domains and IPs scanned.
webscanfailure	Log of failed scanning attempts, including reasons for failure.

Important: The Datestring data type is formatted as YYYY-MM-DD.

Use Field names in queries

Field names are used in SPQL queries to target specific data within a data source. For example:

Query: domain = crypto* AND datasource = torscan
- Searches the torscan data source for .onion domains starting with “crypto”.
Query: ssl.expired = true AND datasource = services
- Returns all expired SSL certificates in the services data source.

To search across multiple data sources, use square brackets with a comma-separated list:

Query: domain = payments* AND datasource = [webscan, torscan]
- Searches for domains starting with “payments” in both webscan and torscan.

Field Groups

To support targeted analysis (e.g., similarity detection, phishing identification, or dark web tracking), fields are grouped thematically below. Each group includes relevant fields from multiple data sources, along with descriptions, types, notes, and example queries.

For guidance on constructing queries, see Manage and run queries in Web Search.

Body data

Body data fields enable the analysis of a webpage’s HTML content, JavaScript, language, and dark web references, facilitating the identification of identical or similar websites.

Field Name	Description	Type
`body_analysis.body_sha256`	SHA-256 hash of the `<body>` content. Matches indicate identical content (rare, e.g., error pages).	String	webscan, torscan
`body_analysis.header_sha256`	SHA-256 hash of the `<header>` content	String	webscan, torscan
`body_analysis.footer_sha256`	SHA-256 hash of the `<footer>` content	String	webscan, torscan
`body_analysis.js_sha256`	List of referenced JavaScript files with SHA-256 hashes (includes URLs and query parameters, e.g., `?v=1.2`	String	webscan, torscan
`body_analysis.js_ssdeep`	List of JavaScript files with SSDeep fuzzy hashes for similarity detection	String	webscan, torscan
`body_analysis.language`	Comma-separated list of HTML languages (most to least used). Mismatches with `tld` may indicate targeting issues.	String	webscan, torscan
`body_analysis.onion`	List of Tor .onion addresses in the HTML body, useful for dark web investigations	String	webscan, torscan
`body_analysis.SHV`	Script Hash Value (SHV), a fingerprint of script names (excluding parameters, e.g., `jQuery-2.1.4.min.js`). Identifies similar script groups	String	webscan, torscan
`body_analysis.adsense`	Adsense-related tags in body	String	webscan, torscan
`body_analysis.adserver`	Ad server references	String	webscan, torscan
`body_analysis.analytics`	Analytics tool tags	String	webscan, torscan
`body_analysis.google-adstag`	Google Ads tag	String	webscan, torscan
`body_analysis.google-GA4`	GA4 tag	String	webscan, torscan
`body_analysis.google-UA`	UA tag	String	webscan, torscan
`body_analysis.ICP_license`	Chinese ICP License (for compliance checks)	String	webscan

Example

Query: body_analysis.onion = *market* AND datasource = torscan
- Finds .onion sites referencing “market” in their HTML body.
Query: body_analysis.SHV = jquery* AND htmltitle = *login*
- Identifies potential phishing sites using specific JavaScript files and login-related titles.
Query: body_analysis.ICP_license = * AND geoip.country_code2 = CN (see GeoIP below)
- Flags Chinese-hosted sites with ICP licenses for regulatory analysis.

Favicon data

Favicon fields target website icons for visual similarity detection via hashes or paths. Supports phishing hunts by matching cloned logos.

Field Name	Description	Type	Primary Sources
`favicon_md5`	MD5 hash of .ico favicon (typically at `/favicon.ico`)	String	webscan, torscan
`favicon_murmur3`	Murmur3 hash of .ico favicon	String	webscan, torscan
`favicon_path`	Path to .ico favicon	String	webscan, torscan
`favicon2_md5`	MD5 hash of non-.ico favicon	String	webscan, torscan
`favicon2_murmur3`	Murmur3 hash of non-.ico favicon	String	webscan, torscan
`favicon2_path`	Path to non-.ico favicon	String	webscan, torscan
`favicon_urls`	List of favicon URLs, including unreferenced root-favicon `/favicon.ico`	String	webscan, torscan
`favicon_avg`	Visual similarity image hash of the website's favicon file	String	webscan, torscan
`favicon2_avg`	Visual similarity image hash of the website's favicon2 file	String	webscan, torscan

Notes:
favicon fields refer to .ico files; favicon2 fields cover non-.ico formats (e.g., PNG). Websites may have both.
Browsers and Web Scanner automatically check for /favicon.ico, even if it is not referenced in the code.

Example

Query: favicon_murmur3 = 1234567890 AND datasource = webscan
- Finds websites with a specific .ico favicon hash, indicating visual similarity.

HTML data

HTML data fields analyze webpage titles, similarity scores, and response headers for correlation and filtering.

Field Name	Description	Type	Primary Source
`html_body_similarity`	Numerical value (0–100) showing similarity to the previous scan, based on `html_body_ssdeep`. A value of 91 indicates a 9% difference. May not reflect visual similarity.	Number	webscan
`htmltitle`	HTML title, useful for initial investigations (e.g., detecting phishing or C2 frameworks).	String	webscan, torscan
`hhv`	Header Hash Value, a fingerprint of response header keys (not values, e.g., `Content-Type`, `Server`). Used as a prefilter for URL scans.	String	webscan, torscan
`html_body_murmur3`	A Murmur3 hash of the HTML body	Number	webscan, torscan
`html_body_length`	Number of bytes in the HTML body	Integer	webscan
`html_body_sha256`	A SHA256 hash of the HTML body	String	webscan, torscan
`html_body_ssdeep`	SSDeep hash of the HTML body	String	webscan, torscan
`header.cache-control`	Instructions that control caching in browsers and shared caches (e.g., Proxies, CDNs)	String	webscan, torscan
`header.connection`	Whether the network connection stays open after the current transaction finishes	String	webscan, torscan
`header.content-length`	Size of the message body, in bytes, sent to the recipient.	Number	webscan, torscan
`header.content-type`	Original media type of the resource (prior to any content encoding applied for sending).	String	webscan, torscan
`header.etag`	The ETag (or entity tag) HTTP response header	String	webscan, torscan
`header.refresh`	Refresh directive	String	webscan, torscan
`header.server`	Software used to serve the HTTP response. If a redirect is present, this field shows data from the server that performed the last redirect	String	webscan, torscan
`header.x-powered-by`	Value returned from server stating what it's powered by	String	webscan, torscan
`file`	Does URL scanned point to a file (non-HTML check)	Boolean	webscan, torscan
`file_sha256`	Hash of file pointed to (for malware/file analysis)	String	webscan, torscan
`opendirectory`	Is this an open directory	Boolean	webscan, torscan

Example

Query: htmltitle = "Mythic" AND body_analysis.js_sha256 = *mythic*
- Correlates websites using the Mythic C2 Framework via title and JavaScript hashes.
Query: hhv = *proxygen* AND datasource = webscan
- Prefilters scan websites for specific server software (e.g., proxy gen-bolt).
Query: file = true AND file_sha256 = *malware*
- Detects scanned files with suspicious hashes.

SSL data

SSL data fields target certificate characteristics to identify unique or malicious servers. Covers authority keys and serials for chain-of-trust analysis.

Field Name	Description	Type	Primary Source
`ssl.chv`	Certificate Hash Value, fingerprint of issuer, subject, and extension keys, formatted as `<hash>:w`	X:<SANs_count>(e.g.,487049c6c39ee487049c6c39ee7646766df07c6:w:0005`). Identifies unique certificates, especially self-signed ones. Includes: First part (hashes of issuer/subject/extension keys); second part (w for wildcard, x for non-wildcard); third part (SAN count).	String
`ssl.sans`	List of domains in the Subject Alternative Names (SANs) field	List of domains.	webscan, torscan, services
`ssl.authority_key_id`	The authority key identifier (AKI) is an X.509 v3 certificate extension. It contains a key identifier which is derived from the public key in the issuer certificate.	String	webscan, torscan, services
`ssl.expired`	Has SSL certificate expired	Boolean	webscan, torscan, services
`ssl.issuer.common_name`	SSL Certificate Issuer Common Name	String	webscan, torscan, services
`ssl.issuer.country`	SSL Certificate Issuer Country	String	webscan, torscan, services
`ssl.issuer.organization`	SSL Certificate Issuer Organization	List of strings	webscan, torscan, services
`ssl.not_after SSL`	Certificate Validity End Date	Datetime	webscan, torscan, services
`ssl.not_before SSL`	Certificate Validity Start Date	Datetime	webscan, torscan, services
`ssl.sans_count SSL`	Certificate Sans List Count	Number	webscan, torscan, services
`ssl.serial_number SSL`	Certificate Serial Number	String	webscan, torscan, services
`ssl.SHA1 SSL`	Certificate SHA1 Hash	String	webscan, torscan, services
`ssl.SHA256 SSL`	Certificate SHA256 Hash	String	webscan, torscan, services
`ssl.sigalg SSL`	Certificate Signature Algorithm	String	webscan, torscan, services
`ssl.subject.common_name SSL`	Certificate Subject Common Name	String	webscan, torscan, services
`ssl.subject.country SSL`	Certificate Subject Country	String	webscan, torscan, services
`ssl.subject.names SSL`	Certificate Subject Names	List of domains	webscan, torscan, services
`ssl.subject.organization SSL`	Certificate Subject Organization	String	webscan, torscan, services
`ssl.wildcard`	Is this a wildcard SAN certificate, I.e., Sans List references wildcards	Boolean	webscan, torscan, services

Notes:
ssl.chv includes:
First part: Hashes of issuer, subject, and extension keys (often identical for issuer and subject).
Second part: w (wildcard certificate) or x (non-wildcard).
Third part: Number of SANs (e.g., 0005 for five domains).

Example:

Query: ssl.chv = *w:0001 AND datasource = services
- Finds wildcard SSL certificates with a single SAN in non-HTTP services.

JARM data

JARM fields use TLS handshakes to identify servers or malware.

Field Name	Description	Type	Primary Source
`jarm`	JARM fingerprint, a hash of TLS handshake characteristics (ciphersuites, extensions). Value-based, useful as a prefilter or for identifying unique TLS responses (e.g., malware).	String	webscan

Query: jarm = *abc123* AND datasource = webscan
- Targets websites with a specific TLS fingerprint, potentially linked to malware.

Origin and redirect data

These fields track initial scanned URLs and redirect chains for navigation analysis. Includes core identifiers like domain and IP for broad targeting.

Field Type	Description	Type	Primary Source
`origin_domain`	Domain originally scanned	String	webscan
`origin_hostname`	Hostname of the originally scanned domain	String	webscan, torscan
`origin_ip`	IP of the originally scanned URL	String	webscan, torscan
`origin_path`	Path of the originally scanned URL	String	webscan, torscan
`origin_port`	Port of the originally scanned URL	String	webscan, torscan
`origin_scheme`	Scheme of the originally scanned URL (e.g., `http`)	String	webscan, torscan
`origin_url`	URL originally scanned (e.g., `http://3.1.104.127`)	URL	webscan, torscan
`redirect`	Boolean indicating if a redirect occurred	Boolean	webscan, torscan
`redirect_to_https`	Boolean indicating if a redirect led to HTTPS	Boolean	webscan, torscan
`redirect_list`	List of URLs in the redirect chain (e.g., `https://20.160.240.124/sslvpn/Login/login`	String	webscan, torscan
`redirect_count`	Number of URLs involved in a redirect	Integer	webscan, torscan
`path`	Path of URL that originally scanned URL redirects to	String	webscan, torscan
`url`	The final URL that the origin URL that was scanned redirects to	String	webscan, torscan, webscanfailure
`domain`	The final domain that the origin domain that was scanned redirects to	String	webscan, torscan, webscanhistory, webscanfailure
`hostname`	Hostname of domain that original domain that was scanned redirects to	String	webscan, torscan, webscanhistory
`port`	Port of URL that originally scanned URL redirects to	Number	webscan, torscan, services, opendirectory, webscanfailure
`scheme`	Scheme of URL that originally scanned URL redirects to	String	webscan, torscan, opendirectory, webscanhistory, webscanfailure
`subdomain`	The subdomain value, if it exists, of the final domain that scanned original domain redirects to	String	webscan, torscan
`tld`	The top level domain of the final domain that scanned original domain redirects to	String	webscan, torscan
`ip`	IP hosting URL that origin URL that was scanned redirects to	String	webscan, services, opendirectory, webscanhistory, webscanfailure

Notes:
Queries for domain, hostname, path, or url automatically search corresponding origin_xxx fields for exact, wildcard, or regex matches (e.g., domain = silentpush.com searches domain and origin_domain).
Negative matches (e.g., domain != silentpush.com) only search the specified field.

Example:

Query: origin_url = http://20.160.240.124 AND redirect_to_https = true
- Finds scans starting at a specific URL that redirects to HTTPS.

GeoIP Data

GeoIP fields provide location context for risk scoring (e.g., high-risk regions). Integrated here for correlation with other analyses; full suite available in index.

Field Name	Description	Type	Primary Source
`geoip.asn`	Autonomous System Name (ASN)	Integer	webscan, services, opendirectory
`geoip.as_org`	AS Organization	String	webscan, services, opendirectory
`geoip.city_name`	City of IP geolocation	String	webscan
`geoip.continent_code`	Continent of IP geolocation	String	webscan
`geoip.country_code2`	Country code of IP geolocation (2-letter)	String	webscan
`geoip.country_code3`	Country code of IP geolocation (3-letter)	String	webscan
`geoip.country_name`	Country name of IP geolocation	String	webscan
`geoip.dma_code`	Designated marketing area	String	webscan
`geoip.latitude`	Latitude value of IP geolocation	Float	webscan
`geoip.location.lat`	Latitude value of IP geolocation	Float	webscan
`geoip.location.lon`	Longitude value of IP geolocation	Float	webscan
`geoip.longitude`	Longitude value of IP geolocation	Float	webscan
`geoip.postal_code`	Postal code of IP geolocation	String	webscan
`geoip.region_code`	Region code of IP geolocation	String	webscan
`geoip.region_name`	Region name of IP geolocation	String	webscan
`geoip.timezone`	Timezone of IP geolocation	String	webscan

Example:

Query: ssl.expired = true AND geoip.country_name = "Russia"
- Identifies expired certs from high-risk geos.

AdTech Data

AdTech fields detect ad transparency files for compliance or evasion checks (webscan only).

Field Name	Description	Type
`adtech.ads_txt`	Has /ads.txt	Boolean
`adtech.ads_txt_sha256`	sha256 of /ads.txt	String
`adtech.app_ads_txt`	Has /app-ads.txt	Boolean
`adtech.app-ads_txt_sha256`	sha256 of /app-ads.txt	String
`adtech.sellers_json`	Has /sellers.json	Boolean
adtech.sellers_json_sha256	sha256 of /sellers.json	String

Example:

Query: adtech.ads_txt = false AND domain = *ads*
- Flags ad domains lacking transparency files.

Services and Open Directory Data

For non-HTTP services and directories: Focus on banners, fingerprints, and metadata for port scanning or file exposure analysis.

Services Fields: banner (service banner, String, services); fingerprints.ECDSA/ED25519/RSA (public key fingerprints, String, services).

Example: fingerprints.RSA = *selfsigned* AND port = 443 – Detects self-signed keys on common ports.

Open Directory Fields: dir (is directory, Boolean, opendirectory); last_modified (file mod date, Datestring, opendirectory); name (file/dir name, String, opendirectory); size (filesize in bytes, Integer, opendirectory).

Example: dir = true AND size > 1000000 – Finds large exposed directories.

Scan History and Failure Data

For troubleshooting scans: Logs success/failure with reasons.

History Fields: datahash (scan hash, String, webscanhistory); full overlap with origin/redirect for tracked scans.

Example: scan_date > 2025-01-01 AND datasource = webscanhistory – Reviews recent successful scans.

Failure Fields: reason (failure reason, String, webscanfailure).

Example: reason = "timeout" AND ip = * – Analyzes timeout-prone IPs.

Field Name Index

This compact alphabetical table consolidates all fields for quick lookup, showing descriptions, types, and sources.

Field Name	Description	Type	Data Source
`adtech.ads_txt`	Has /ads.txt	Boolean	webscan
`adtech.ads_txt_sha256`	sha256 of /ads.txt	String	webscan
`adtech.app_ads_txt`	Has /app-ads.txt	Boolean	webscan
`adtech.app-ads_txt_sha256`	sha256 of /app-ads.txt	String	webscan
`adtech.sellers_json`	Has /sellers.json	Boolean	webscan
`adtech.sellers_json_sha256`	sha256 of /sellers.json	String	webscan
`banner`	Service banner on a specific port	String	services
`body_analysis.* (all subfields)`	See Body Data	Various	webscan, torscan
`datahash`	A unique hash of the overall scan result	String	webscan, torscan, services, webscanhistory
`dir`	Is a directory	Boolean	opendirectory
`domain`	The final domain...	String	webscan, torscan, webscanhistory, webscanfailure
`favicon_*(all)`	See Favicon Data	Various	webscan, torscan
`file`	Does URL scanned point to a file	Boolean	webscan, torscan
`file_sha256`	Hash of file pointed to	String	webscan, torscan
`fingerprints.*`	Public key fingerprints	String	services
`geoip.*(all)`	See GeoIP Data	Various	webscan, services, opendirectory
`header.* (all)`	See HTML Data	Various	webscan, torscan
`hhv`	A hash value based on the header keys	String	webscan, torscan
`hostname`	Hostname...	String	webscan, torscan, webscanhistory
`html_* (all)`	See HTML Data	Various	webscan, torscan
`ip`	IP hosting...	String	webscan, services, opendirectory, webscanhistory, webscanfailure
`jarm`	JARM Hash...	String	webscan
`last_modified`	Last modified date...	Datestring	opendirectory
`name`	Filename...	String	opendirectory
`opendirectory`	Is this an open directory	Boolean	webscan, torscan
`origin_*(all)`	See Origin and Redirect Data	Various	webscan, torscan, webscanhistory
`path`	Path...	String	webscan, torscan
`port`	Port...	Number	webscan, torscan, services, opendirectory, webscanfailure
`reason`	The reason a scanning failure occurred	String	webscanfailure
`redirect_* (all)`	See Origin and Redirect Data	Various	webscan, torscan
`response`	Scan Request Response Code	Number	webscan, torscan
`scan_date`	The date that data was scanned	Datestring	All sources
`scheme`	Scheme...	String	webscan, torscan, opendirectory, webscanhistory, webscanfailure
`size`	The filesize in bytes	Integer	opendirectory
`ssl.* (all)`	See SSL Data	Various	webscan, torscan, services
`subdomain`	The subdomain value...	String	webscan, torscan
`tld`	The top level domain...	String	webscan, torscan
`url`	The final URL...	String	webscan, torscan, webscanfailure