Build queries in Web Search

Updated
  • Updated on Oct 31, 2025
  • Published on Oct 31, 2025
  • 3 minute(s) read
Prev Next

Stack Data Sources for Comprehensive Results

This guide walks you through creating, executing, editing, and saving queries in the Web Search tool within Silent Push. It focuses on stacking data sources, such as combining Web Scan and Dark Web Scan, to build powerful, multi-faceted queries that uncover hidden threats across the surface and deep web.

Web Search enables you to query our extensive database of over 100 Web Data elements, including unique content hashes for malware detection. Use Simple Search for an intuitive graphical interface (ideal for beginners) or Advanced Search for precise control with Silent Push Query Language (SPQL) syntax (for technical users).

Data sources such as Web Scan (surface web), Dark Web Scan (Tor/onion sites), Open Directory Scan, Banner Scan, and Whois Scan can be combined using AND logic to refine results. For example, stack Web Scan and Dark Web Scan to find domains mimicking your brand on both the clearnet and dark web.

Refer to SPQL Syntax Rules for operators and fields, and SPQL Query Examples for inspiration.

Access Web Search

  1. Log in to your Silent Push account.

  2. From the left navigation menu, select Web Data > Web Scanner.

  3. Choose the Simple Search or the Advanced Search tab.

Web Scanner interface displaying search results and data fields for analysis.

Simple Search

Build queries visually by selecting data sources and adding expressions (Field + Operator + Value) linked by AND logic. Stack sources by enabling multiple checkboxes.

Create a Query

  1. Click New.

  2. Select Data Sources: Check at least one (e.g., Web Scan and Dark Web Scan to stack them).

  3. Build Expressions:        

    • Field Name: Dropdown or type (e.g., domain).

    • Operator: Select (e.g., =, !=, * for wildcard).

    • Value: Enter (e.g., crypto*).

  4. Add More Conditions: Click the sign for additional expressions.
    Input fields for domain filtering with options for operator and value selection.

  5. Sort Order (Optional): Select a field (e.g., scan_date descending).

  6. Click Search.

Tip

Stacking Web Scan + Dark Web Scan? Start with broad fields like htmltitle to cross-reference threats.

Example: Stack Web and Dark Web for Phishing Domains

  • Data Sources: Web Scan AND Dark Web Scan      

  • Expression 1: domain = bank*      

  • Expression 2: htmltitle * login      

  • Sort: scan_date (descending)    

  • Result: Bank-themed login pages on both surface and dark web, sorted newest first.
    Selecting data sources for a search query involving domain and HTML title.

Edit and Save

  • Save: Enter Name and Description; click Save. Access saved queries via My Searches.

  • Edit: Modify expressions post-search; click Search to re-run.

Advanced Search: SPQL Syntax for Precise Stacking

Use command-line-like SPQL to stack sources explicitly with datasource conditions.

Understand SPQL for Stacking

  • SPQL queries: field operator value [AND/OR] field operator value.  

  • To stack: Use datasource = "webscan" AND datasource = "torscan" (for Web + Dark Web).  

  • Spaces separate elements; wildcards (*), regex (~=), and date math (e.g., now-7d) enhance precision.

Create a Query

  1. Select the Advanced Search tab; click New.

  2. Enter SPQL Query: E.g., datasource = "webscan" AND datasource = "torscan" AND domain = bank*.

  3. Sort Order (Optional): E.g., scan_date/desc.

  4. Press Enter or click the blue arrow.

Pro Tip: Test SPQL in the CLI tool first for complex stacks.

Example: Stack for Recent Threats

  • Query: datasource = "webscan" AND datasource = "torscan" AND htmltitle = "*credit card*" AND scan_date > now-30d      

  • Sort: scan_date/desc      

  • Result: Credit card mentions on the web and dark web from the last 30 days.

Edit and Save

  • Edit: Click Web Scanner Search Form to expand, modify, and re-run.

  • Save: Same as Simple Search.

Advanced Examples: Stacking in Action

Example

Stacked Sources

SPQL/Simple Query

Expected Results

Brand Impersonation Across Webs

Web Scan + Dark Web

datasource = "webscan" AND datasource = "torscan" AND favicon_murmur3 = "309020573" AND ssl.subject.organization != "YourBrand, Inc."

Sites using your favicon without your cert, on clearnet and Tor.

Web Resources + Open Directory

datasource = "webresources" AND datasource = "opendirectory" AND resource_hostname = "example.com" AND header.content-type = "*javascript*" AND scan_date >= now-30d

JS files on your site and open dirs, last 30 days.

WHOIS + Banner Scan

datasource = "whois" AND datasource = "bannerscan" AND email = "suspicious@email.com" AND header.server != "nginx" AND scan_date > now-90d

Servers with matching WHOIS email, non-standard banners, and recent.

Troubleshooting and Tips

  • No Results? Verify that data sources are enabled and check the field names in Field Names. Use broad wildcards first.

  • Performance: Limit results with limit=100 in API/CLI; stack sparingly for large queries.

  • API/CLI Integration: Export saved queries to API or CLI for automation.

  • Errors: Invalid SPQL? Escape quotes in values; regex needs ~=.

Resources