SPQL query examples


This article provides examples of SPQL queries to demonstrate how the syntax is applied. Refer to SPQL Syntax Rules for syntax details and Understand field names for the available fields.

Example 1

Search for DDoS in htmltitle and header.server, with an HTTP success code (200).

htmltitle = "DDoS* not configured" AND response = 200 AND header.server = ddos*

Example 2

Find domains starting with mandiant (excluding the .com TLD) scanned in the last 30 days.

domain = mandiant.* AND domain != mandiant.com AND scan_date > now-30d

Example 3

Search for servers with a specific content-type, not running Apache or nginx, in the IP ranges 83.143.113.0/16 or 92.205.3.0/16, with opendirectory enabled and cpanel in the SSL certificate names, scanned in the last 10 days.

header.content-type = "text/html; charset=iso-8859-1" AND header.server != Apache AND header.server != nginx AND ip = [83.143.113.0/16, 92.205.3.0/16] AND opendirectory = true AND ssl.sans = cpanel* AND scan_date > now-10d

Example 4

Find SSL certificate names matching silent[a-z].+\.io, where the domain name does not match silent.* and is non-empty, in the IP ranges 13.249.0.0/16 or 52.84.0.0/16, scanned in the last 30 days.

scan_date > now-30d AND ssl.sans ~= /^silent[a-z].+\.io$/ AND domain !~= /silent.*/ AND domain ~= /.+/ AND ip = [13.249.0.0/16, 52.84.0.0/16]
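As an added illustration (not part of this page or of the SPQL product), the Python parser below accepts the four example queries above and rejects malformed ones, so a query can be checked before it is sent to the API. Its grammar (bare field names, the operators =, !=, ~=, !~= and >, quoted strings, /regex/ values, [a, b] lists, clauses joined by AND) is inferred only from these four examples and is an assumption, not the official SPQL Syntax Rules.

```python
import re
# Token grammar inferred only from the four example queries on this page; an
# assumption made for illustration, not the official SPQL syntax specification.
TOKEN_RE = re.compile(r'''\s*(?:(?P<AND>AND\b)|(?P<OP>!~=|~=|!=|=|>)
    |(?P<REGEX>/(?:\\.|[^/\\])*/)|(?P<LIST>\[[^\]]*\])
    |(?P<QUOTED>"(?:\\.|[^"\\])*")|(?P<BARE>[^\s\[\]"/=!~>]+))''', re.VERBOSE)

def tokenize(query: str) -> list:
    pos, tokens, query = 0, [], query.strip()
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {query[pos:pos + 12]!r}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens

def parse(query: str) -> list:
    # Returns (field, op, value) triples; a [a, b] value becomes a Python list.
    toks, clauses, i = tokenize(query), [], 0
    while i < len(toks):
        if clauses:  # every clause after the first must be introduced by AND
            if toks[i][0] != "AND":
                raise ValueError(f"expected AND before token {i}, got {toks[i][1]!r}")
            i += 1
        if len(toks) < i + 3:
            raise ValueError("incomplete clause at end of query")
        (fk, field), (ok, op), (vk, value) = toks[i:i + 3]
        if fk != "BARE" or ok != "OP":
            raise ValueError(f"malformed clause starting at token {i}")
        if vk == "REGEX" and op not in ("~=", "!~="):  # /regex/ pairs with regex operators
            raise ValueError(f"regex value requires ~= or !~=, not {op}")
        if vk in ("QUOTED", "REGEX"):
            value = value[1:-1]  # drop the surrounding quotes or slashes
        elif vk == "LIST":  # [a, b] becomes a Python list of the members
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        clauses.append((field, op, value))
        i += 3
    return clauses

def is_valid(query: str) -> bool:
    try:
        return bool(parse(query))
    except ValueError:
        return False

# Example 4 from this page, the most syntax-rich of the four, parsed as a demo.
EXAMPLE_4 = (r'scan_date > now-30d AND ssl.sans ~= /^silent[a-z].+\.io$/ AND domain !~= /silent.*/'
             ' AND domain ~= /.+/ AND ip = [13.249.0.0/16, 52.84.0.0/16]')
for field, op, value in parse(EXAMPLE_4):
    print(f"{field:10} {op:4} {value!r}")
```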

Notes: Use the SPQL API functionality to execute queries via the API. See SPQL data sources for querying specific repositories.