--- title: "Create a Context Graph Search Query" slug: "create-a-context-graph-search-query" tags: ["Data Filtering", "Query Execution", "Query Filters", "Saved Queries", "Web Search"] updated: 2026-06-09T03:01:08Z published: 2026-06-09T03:01:08Z canonical: "help.silentpush.com/create-a-context-graph-search-query" --- > ## Documentation Index > Fetch the complete documentation index at: https://help.silentpush.com/llms.txt > Use this file to discover all available pages before exploring further. # Create a Context Graph Search Query **Problem:** You’ve found a suspicious domain, IP, or pattern, but traditional tools only give you surface-level data. You need to dig deep, quickly, and effectively to uncover connected infrastructure, historical records, similar phishing sites, or entire clusters of malicious assets. **Silent Push Solution:** **Create a Query** is your primary entry point into Reconnaissance. Whether you need a fast one-off lookup or a sophisticated hunt, this powerful interface lets you search across massive datasets using Simple Search for quick wins or Advanced tools (SPQL + Constructor) for deep investigations. ## Access Create a Query From the navigation menu, click **Reconnaissance > Context Graph Search**. ![Context Graph Search interface showing data source selection and query generation options.](https://cdn.document360.io/8e5460b3-9d96-4b01-8bb3-6591a4af3a8c/Images/Documentation/Screenshot 2026-06-02 at 1.15.05 PM.png) ## Simple Search – Perfect for Quick Investigations Ideal when you just need fast answers. 1. Select one or more **Datasources** (Web Search is selected by default). 2. Choose a **Field Name** (e.g., `domain`, `ip`, `favicon_md5_hash`). 3. Select an **Operator** (`equals`, `contains`, etc.). 4. Enter your **Value**. 5. Click **Search**. **Example:** Find domains containing a threat actor’s name **Field:** `domain` **Operator:** `contains` **Value:** `threatactor` ## Advanced Search – For Powerful Investigations Switch to the **Advanced Search** tab (or use the Constructor / Command Line) when you need to combine multiple conditions. ### Using the Constructor (UI Builder) Visually build complex queries by adding expressions and linking them with AND/OR. ### Command Line (SPQL) Write queries directly for maximum flexibility. **Example:** Find domains starting with “payments” in both web and dark web data `domain = "payments*" AND datasource = [webscan, torscan]` ## Save and Manage Your Queries After running a successful query: 1. Click **Save**. 2. Give it a clear name and choose **Private** or **Shared**. 3. Add tags for easier filtering later. **To run saved queries later:** - Go to **Web Search** → **Saved** tab. - Use the search box or filters (by tag, type, creation date, etc.). - Click any query to re-run it instantly. ## Practical Use Case: Detecting Fake Banking Pages **Goal:** Find phishing sites impersonating a real bank (e.g., aib.ie). 1. Start with the legitimate domain to gather reference data (favicon, certificate, etc.). 2. Use the Constructor or the Command Line to build the query: - Match the bank’s **favicon_md5_hash** - Exclude the real certificate provider (`ssl.subject_common_name != "DigiCert"`) - Exclude the real domain (`domain != "aib.ie"`) 3. Run the query and review the results. 4. Enrich promising hits → pivot to their IPs → use **Lookup PADNS** to uncover entire clusters of phishing infrastructure. **Real customer outcome:** One financial institution discovered dozens of fake banking sites hosted in unexpected countries and blocked them before customer credentials were stolen. > [!NOTE] > Tips > > - Stack multiple data sources for broader coverage. > - Use `now-7d` for recent activity (e.g., `scan_date > now-7d`). > - Save every high-value query — they become powerful reusable tools. > - Combine with **Live Scan** for real-time validation of results. ##