Field names

Prev Next

This article provides a comprehensive reference for field names and data sources used in Web Search queries. Field names are searchable data categories in Silent Push Query Language (SPQL), enabling precise searches across Web Search’s data repositories. Understanding these fields and their associated data sources is essential for constructing effective queries and interpreting scan results.

Key data types, represented by these field names, also support advanced analysis for similarity detection, malicious activity identification (e.g., phishing sites, malware), dark web tracking, and URL navigation paths. For example, hash-based fields like SHA-256 or SSDeep allow matching identical or similar content, while SSL and JARM fields fingerprint certificates and TLS configurations.

Overview of data sources

Web Search organizes scanned data into six data sources, each representing a specific type of web data. The table below summarizes each data source and its primary use case:

Data source

Description

webscan

Web data from public IPv4 and IPv6 ranges, including HTML, favicons, and SSL data.

torscan

Data from .onion sites on the Tor network, similar to webscan but Tor-specific.

services

Non-HTTP services (e.g., SSH, DNS), including TLS/SSL certificate data.

opendirectory

Data from open directories, including file and directory metadata.

webscanhistory

Log of successful scanning attempts, tracking domains and IPs scanned.

webscanfailure

Log of failed scanning attempts, including reasons for failure.

Important: The Datestring data type is formatted as YYYY-MM-DD.

Use Field names in queries

Field names are used in SPQL queries to target specific data within a data source. For example:

  • Query: domain = crypto* AND datasource = torscan

    • Searches the torscan data source for .onion domains starting with “crypto”.

  • Query: ssl.expired = true AND datasource = services

    • Returns all expired SSL certificates in the services data source.

To search across multiple data sources, use square brackets with a comma-separated list:

  • Query: domain = payments* AND datasource = [webscan, torscan]

    • Searches for domains starting with “payments” in both webscan and torscan.

Field Groups

To support targeted analysis (e.g., similarity detection, phishing identification, or dark web tracking), fields are grouped thematically below. Each group includes relevant fields from multiple data sources, along with descriptions, types, notes, and example queries.

For guidance on constructing queries, see Manage and run queries in Web Search.

Body data

Body data fields enable the analysis of a webpage’s HTML content, JavaScript, language, and dark web references, facilitating the identification of identical or similar websites.

Field Name

Description

Type

body_analysis.body_sha256

SHA-256 hash of the <body> content. Matches indicate identical content (rare, e.g., error pages).

String

webscan, torscan

body_analysis.header_sha256

SHA-256 hash of the <header> content

String

webscan, torscan

body_analysis.footer_sha256

SHA-256 hash of the <footer> content

String

webscan, torscan

body_analysis.js_sha256

List of referenced JavaScript files with SHA-256 hashes (includes URLs and query parameters, e.g., ?v=1.2

String

webscan, torscan

body_analysis.js_ssdeep

List of JavaScript files with SSDeep fuzzy hashes for similarity detection

String

webscan, torscan

body_analysis.language

Comma-separated list of HTML languages (most to least used). Mismatches with tld may indicate targeting issues.

String

webscan, torscan

body_analysis.onion

List of Tor .onion addresses in the HTML body, useful for dark web investigations

String

webscan, torscan

body_analysis.SHV

Script Hash Value (SHV), a fingerprint of script names (excluding parameters, e.g., jQuery-2.1.4.min.js). Identifies similar script groups

String

webscan, torscan

body_analysis.adsense

Adsense-related tags in body

String

webscan, torscan

body_analysis.adserver

Ad server references

String

webscan, torscan

body_analysis.analytics

Analytics tool tags

String

webscan, torscan

body_analysis.google-adstag

Google Ads tag

String

webscan, torscan

body_analysis.google-GA4

GA4 tag

String

webscan, torscan

body_analysis.google-UA

UA tag

String

webscan, torscan

body_analysis.ICP_license

Chinese ICP License (for compliance checks)

String

webscan

Example

  • Query: body_analysis.onion = *market* AND datasource = torscan

    • Finds .onion sites referencing “market” in their HTML body.

  • Query: body_analysis.SHV = jquery* AND htmltitle = *login*

    • Identifies potential phishing sites using specific JavaScript files and login-related titles.

  • Query: body_analysis.ICP_license = * AND geoip.country_code2 = CN (see GeoIP below)

    • Flags Chinese-hosted sites with ICP licenses for regulatory analysis.

Favicon data

Favicon fields target website icons for visual similarity detection via hashes or paths. Supports phishing hunts by matching cloned logos.

Field Name

Description

Type

Primary Sources

favicon_md5

MD5 hash of .ico favicon (typically at /favicon.ico)

String

webscan, torscan

favicon_murmur3

Murmur3 hash of .ico favicon

String

webscan, torscan

favicon_path

Path to .ico favicon

String

webscan, torscan

favicon2_md5

MD5 hash of non-.ico favicon

String

webscan, torscan

favicon2_murmur3

Murmur3 hash of non-.ico favicon

String

webscan, torscan

favicon2_path

Path to non-.ico favicon

String

webscan, torscan

favicon_urls

List of favicon URLs, including unreferenced root-favicon /favicon.ico

String

webscan, torscan

favicon_avg

Visual similarity image hash of the website's favicon file

String

webscan, torscan

favicon2_avg

Visual similarity image hash of the website's favicon2 file

String

webscan, torscan

Notes:

  • favicon fields refer to .ico files; favicon2 fields cover non-.ico formats (e.g., PNG). Websites may have both.

  • Browsers and Web Scanner automatically check for /favicon.ico, even if it is not referenced in the code.  

Example

  • Query: favicon_murmur3 = 1234567890 AND datasource = webscan

    • Finds websites with a specific .ico favicon hash, indicating visual similarity.

HTML data

HTML data fields analyze webpage titles, similarity scores, and response headers for correlation and filtering.

Field Name

Description

Type

Primary Source

html_body_similarity

Numerical value (0–100) showing similarity to the previous scan, based on html_body_ssdeep. A value of 91 indicates a 9% difference. May not reflect visual similarity.

Number

webscan

htmltitle

HTML title, useful for initial investigations (e.g., detecting phishing or C2 frameworks).

String

webscan, torscan

hhv

Header Hash Value, a fingerprint of response header keys (not values, e.g., Content-Type, Server). Used as a prefilter for URL scans.

String

webscan, torscan

html_body_murmur3

A Murmur3 hash of the HTML body

Number

webscan, torscan

html_body_length

Number of bytes in the HTML body

Integer

webscan

html_body_sha256

A SHA256 hash of the HTML body

String

webscan, torscan

html_body_ssdeep

SSDeep hash of the HTML body

String

webscan, torscan

header.cache-control

Instructions that control caching in browsers and shared caches (e.g., Proxies, CDNs)

String

webscan, torscan

header.connection

Whether the network connection stays open after the current transaction finishes

String

webscan, torscan

header.content-length

Size of the message body, in bytes, sent to the recipient.

Number

webscan, torscan

header.content-type

Original media type of the resource (prior to any content encoding applied for sending).

String

webscan, torscan

header.etag

The ETag (or entity tag) HTTP response header

String

webscan, torscan

header.refresh

Refresh directive

String

webscan, torscan

header.server

Software used to serve the HTTP response. If a redirect is present, this field shows data from the server that performed the last redirect

String

webscan, torscan

header.x-powered-by

Value returned from server stating what it's powered by

String

webscan, torscan

file

Does URL scanned point to a file (non-HTML check)

Boolean

webscan, torscan

file_sha256

Hash of file pointed to (for malware/file analysis)

String

webscan, torscan

opendirectory

Is this an open directory

Boolean

webscan, torscan

Example

  • Query: htmltitle = "Mythic" AND body_analysis.js_sha256 = *mythic*

    • Correlates websites using the Mythic C2 Framework via title and JavaScript hashes.

  • Query: hhv = *proxygen* AND datasource = webscan

    • Prefilters scan websites for specific server software (e.g., proxy gen-bolt).

  • Query: file = true AND file_sha256 = *malware*

    • Detects scanned files with suspicious hashes.

SSL data

SSL data fields target certificate characteristics to identify unique or malicious servers. Covers authority keys and serials for chain-of-trust analysis.

Field Name

Description

Type

Primary Source

ssl.chv

Certificate Hash Value, fingerprint of issuer, subject, and extension keys, formatted as <hash>:w

X:<SANs_count>(e.g.,487049c6c39ee487049c6c39ee7646766df07c6:w:0005`). Identifies unique certificates, especially self-signed ones.

Includes: First part (hashes of issuer/subject/extension keys); second part (w for wildcard, x for non-wildcard); third part (SAN count).

String

ssl.sans

List of domains in the Subject Alternative Names (SANs) field

List of domains.

webscan, torscan, services

ssl.authority_key_id

The authority key identifier (AKI) is an X.509 v3 certificate extension. It contains a key identifier which is derived from the public key in the issuer certificate.

String

webscan, torscan, services

ssl.expired

Has SSL certificate expired

Boolean

webscan, torscan, services

ssl.issuer.common_name

SSL Certificate Issuer Common Name

String

webscan, torscan, services

ssl.issuer.country

SSL Certificate Issuer Country

String

webscan, torscan, services

ssl.issuer.organization

SSL Certificate Issuer Organization

List of strings

webscan, torscan, services

ssl.not_after SSL

Certificate Validity End Date

Datetime

webscan, torscan, services

ssl.not_before SSL

Certificate Validity Start Date

Datetime

webscan, torscan, services

ssl.sans_count SSL

Certificate Sans List Count

Number

webscan, torscan, services

ssl.serial_number SSL

Certificate Serial Number

String

webscan, torscan, services

ssl.SHA1 SSL

Certificate SHA1 Hash

String

webscan, torscan, services

ssl.SHA256 SSL

Certificate SHA256 Hash

String

webscan, torscan, services

ssl.sigalg SSL

Certificate Signature Algorithm

String

webscan, torscan, services

ssl.subject.common_name SSL

Certificate Subject Common Name

String

webscan, torscan, services

ssl.subject.country SSL

Certificate Subject Country

String

webscan, torscan, services

ssl.subject.names SSL

Certificate Subject Names

List of domains

webscan, torscan, services

ssl.subject.organization SSL

Certificate Subject Organization

String

webscan, torscan, services

ssl.wildcard

Is this a wildcard SAN certificate, I.e., Sans List references wildcards

Boolean

webscan, torscan, services

Notes:

  • ssl.chv includes:

    • First part: Hashes of issuer, subject, and extension keys (often identical for issuer and subject).

    • Second part: w (wildcard certificate) or x (non-wildcard).

    • Third part: Number of SANs (e.g., 0005 for five domains).

Example:

  • Query: ssl.chv = *w:0001 AND datasource = services

    • Finds wildcard SSL certificates with a single SAN in non-HTTP services.

JARM data

JARM fields use TLS handshakes to identify servers or malware.

Field Name

Description

Type

Primary Source

jarm

JARM fingerprint, a hash of TLS handshake characteristics (ciphersuites, extensions). Value-based, useful as a prefilter or for identifying unique TLS responses (e.g., malware).

String

webscan

  • Query: jarm = *abc123* AND datasource = webscan

    • Targets websites with a specific TLS fingerprint, potentially linked to malware.

Origin and redirect data

These fields track initial scanned URLs and redirect chains for navigation analysis. Includes core identifiers like domain and IP for broad targeting.

Field Type

Description

Type

Primary Source

origin_domain

Domain originally scanned

String

webscan

origin_hostname

Hostname of the originally scanned domain

String

webscan, torscan

origin_ip

IP of the originally scanned URL

String

webscan, torscan

origin_path

Path of the originally scanned URL

String

webscan, torscan

origin_port

Port of the originally scanned URL

String

webscan, torscan

origin_scheme

Scheme of the originally scanned URL (e.g., http)

String

webscan, torscan

origin_url

URL originally scanned (e.g., http://3.1.104.127)

URL

webscan, torscan

redirect

Boolean indicating if a redirect occurred

Boolean

webscan, torscan

redirect_to_https

Boolean indicating if a redirect led to HTTPS

Boolean

webscan, torscan

redirect_list

List of URLs in the redirect chain (e.g., https://20.160.240.124/sslvpn/Login/login

String

webscan, torscan

redirect_count

Number of URLs involved in a redirect

Integer

webscan, torscan

path

Path of URL that originally scanned URL redirects to

String

webscan, torscan

url

The final URL that the origin URL that was scanned redirects to

String

webscan, torscan, webscanfailure

domain

The final domain that the origin domain that was scanned redirects to

String

webscan, torscan, webscanhistory, webscanfailure

hostname

Hostname of domain that original domain that was scanned redirects to

String

webscan, torscan, webscanhistory

port

Port of URL that originally scanned URL redirects to

Number

webscan, torscan, services, opendirectory, webscanfailure

scheme

Scheme of URL that originally scanned URL redirects to

String

webscan, torscan, opendirectory, webscanhistory, webscanfailure

subdomain

The subdomain value, if it exists, of the final domain that scanned original domain redirects to

String

webscan, torscan

tld

The top level domain of the final domain that scanned original domain redirects to

String

webscan, torscan

ip

IP hosting URL that origin URL that was scanned redirects to

String

webscan, services, opendirectory, webscanhistory, webscanfailure

Notes:

  • Queries for domain, hostname, path, or url automatically search corresponding origin_xxx fields for exact, wildcard, or regex matches (e.g., domain = silentpush.com searches domain and origin_domain).

  • Negative matches (e.g., domain != silentpush.com) only search the specified field.

Example:

  • Query: origin_url = http://20.160.240.124 AND redirect_to_https = true

    • Finds scans starting at a specific URL that redirects to HTTPS.

GeoIP Data

GeoIP fields provide location context for risk scoring (e.g., high-risk regions). Integrated here for correlation with other analyses; full suite available in index.

Field Name

Description

Type

Primary Source

geoip.asn

Autonomous System Name (ASN)

Integer

webscan, services, opendirectory

geoip.as_org

AS Organization

String

webscan, services, opendirectory

geoip.city_name

City of IP geolocation

String

webscan

geoip.continent_code

Continent of IP geolocation

String

webscan

geoip.country_code2

Country code of IP geolocation (2-letter)

String

webscan

geoip.country_code3

Country code of IP geolocation (3-letter)

String

webscan

geoip.country_name

Country name of IP geolocation

String

webscan

geoip.dma_code

Designated marketing area

String

webscan

geoip.latitude

Latitude value of IP geolocation

Float

webscan

geoip.location.lat

Latitude value of IP geolocation

Float

webscan

geoip.location.lon

Longitude value of IP geolocation

Float

webscan

geoip.longitude

Longitude value of IP geolocation

Float

webscan

geoip.postal_code

Postal code of IP geolocation

String

webscan

geoip.region_code

Region code of IP geolocation

String

webscan

geoip.region_name

Region name of IP geolocation

String

webscan

geoip.timezone

Timezone of IP geolocation

String

webscan

Example:

  • Query: ssl.expired = true AND geoip.country_name = "Russia"

    • Identifies expired certs from high-risk geos.

AdTech Data

AdTech fields detect ad transparency files for compliance or evasion checks (webscan only).

Field Name

Description

Type

adtech.ads_txt

Has /ads.txt

Boolean

adtech.ads_txt_sha256

sha256 of /ads.txt

String

adtech.app_ads_txt

Has /app-ads.txt

Boolean

adtech.app-ads_txt_sha256

sha256 of /app-ads.txt

String

adtech.sellers_json

Has /sellers.json

Boolean

adtech.sellers_json_sha256

sha256 of /sellers.json

String

Example:

  • Query: adtech.ads_txt = false AND domain = *ads*

    • Flags ad domains lacking transparency files.

Services and Open Directory Data

For non-HTTP services and directories: Focus on banners, fingerprints, and metadata for port scanning or file exposure analysis.

Services Fields: banner (service banner, String, services); fingerprints.ECDSA/ED25519/RSA (public key fingerprints, String, services).

  • Example: fingerprints.RSA = *selfsigned* AND port = 443 – Detects self-signed keys on common ports.

Open Directory Fields: dir (is directory, Boolean, opendirectory); last_modified (file mod date, Datestring, opendirectory); name (file/dir name, String, opendirectory); size (filesize in bytes, Integer, opendirectory).

  • Example: dir = true AND size > 1000000 – Finds large exposed directories.

Scan History and Failure Data

For troubleshooting scans: Logs success/failure with reasons.

History Fields: datahash (scan hash, String, webscanhistory); full overlap with origin/redirect for tracked scans.

  • Example: scan_date > 2025-01-01 AND datasource = webscanhistory – Reviews recent successful scans.

Failure Fields: reason (failure reason, String, webscanfailure).

  • Example: reason = "timeout" AND ip = * – Analyzes timeout-prone IPs.

Field Name Index

This compact alphabetical table consolidates all fields for quick lookup, showing descriptions, types, and sources.

Field Name

Description

Type

Data Source

adtech.ads_txt

Has /ads.txt

Boolean

webscan

adtech.ads_txt_sha256

sha256 of /ads.txt

String

webscan

adtech.app_ads_txt

Has /app-ads.txt

Boolean

webscan

adtech.app-ads_txt_sha256

sha256 of /app-ads.txt

String

webscan

adtech.sellers_json

Has /sellers.json

Boolean

webscan

adtech.sellers_json_sha256

sha256 of /sellers.json

String

webscan

banner

Service banner on a specific port

String

services

body_analysis.* (all subfields)

See Body Data

Various

webscan, torscan

datahash

A unique hash of the overall scan result      

String  

webscan, torscan, services, webscanhistory

dir

Is a directory

Boolean

opendirectory

domain

The final domain...

String

webscan, torscan, webscanhistory, webscanfailure

favicon_*(all)

See Favicon Data

Various

webscan, torscan

file

Does URL scanned point to a file

Boolean

webscan, torscan

file_sha256

Hash of file pointed to

String

webscan, torscan

fingerprints.*

Public key fingerprints

String

services

geoip.*(all)

See GeoIP Data

Various

webscan, services, opendirectory

header.* (all)

See HTML Data

Various

webscan, torscan

hhv

A hash value based on the header keys

String

webscan, torscan

hostname

Hostname...

String

webscan, torscan, webscanhistory

html_* (all)

See HTML Data

Various

webscan, torscan

ip

IP hosting...

String

webscan, services, opendirectory, webscanhistory, webscanfailure

jarm

JARM Hash...

String

webscan

last_modified

Last modified date...

Datestring

opendirectory

name

Filename...

String

opendirectory

opendirectory

Is this an open directory

Boolean

webscan, torscan

origin_*(all)

See Origin and Redirect Data

Various

webscan, torscan, webscanhistory

path

Path...

String

webscan, torscan

port

Port...

Number

webscan, torscan, services, opendirectory, webscanfailure

reason

The reason a scanning failure occurred

String

webscanfailure

redirect_* (all)

See Origin and Redirect Data

Various

webscan, torscan

response

Scan Request Response Code

Number

webscan, torscan

scan_date

The date that data was scanned  

Datestring

All sources

scheme

Scheme...

String

webscan, torscan, opendirectory, webscanhistory, webscanfailure

size

The filesize in bytes

Integer

opendirectory

ssl.* (all)

See SSL Data

Various

webscan, torscan, services

subdomain

The subdomain value...

String

webscan, torscan

tld

The top level domain...

String

webscan, torscan

url

The final URL...

String

webscan, torscan, webscanfailure