This article provides examples of SPQL queries to demonstrate syntax application. Refer to SPQL Syntax Rules for syntax details and Understand field names for available fields.
Example 1
Search DDOS in htmltitle and header.server with http success code (200).
htmltitle = "DDoS* not configured" AND response = 200 AND header.server = ddos*Example 2
Find domains starting with mendicant (not .com TLD) scanned in the last 30 days.
domain = mandiant.* AND domain != mandiant.com AND scan_date > now-30dExample 3
Search for servers with specific content-type, not running Apache or nginx, in IP ranges 83.143.113.0/16 or 92.205.3.0/16, with opendirectory enabled and cpanel in SSL certificate names, scanned in the last 10 days.
header.content-type = "text/html; charset=iso-8859-1" AND header.server != Apache AND header.server != nginx AND ip = [83.143.113.0/16, 92.205.3.0/16] AND opendirectory = true AND ssl.sans = cpanel* AND scan_date > now-10dExample 4
Find domains in SSL certificate names matching silent[a-z].+\.io, not matching silent.*in the domain name, with a non-empty domain, in IP ranges 13.249.0.0/16 or 52.84.0.0/16, scanned in the last 30 days.
scan_date > now-30d AND ssl.sans ~= /^silent[a-z].+\.io$/ AND domain !~= /silent.*/ AND domain ~= /.+/ AND ip = [13.249.0.0/16, 52.84.0.0/16]Notes: Use SPQL API functionality to execute queries via the API.
See SPQL data sources for querying specific repositories.