Example 1
Description: Search htmltitle and header.server for a ddos string and an HTTP success code.
htmltitle = "DDoS* not configured" AND response = 200 AND header.server = ddos*
Example 2
Description: Search for a domain name not in .com TLD, scanned less than 30 days ago.
domain = mandiant.* AND domain != mandiant.com AND scan_date > now-30d
Example 3
Description: Search for content-type strings on servers that are not Apache or nginx, across 83.143.113.0/16 or 92.205.3.0/16, with opendirectory and cpanel in the SSL certificate names.
header.content-type = "text/html; charset=iso-8859-1"
AND header.server != Apache
AND header.server != nginx
AND ip = [83.143.113.0/16, 92.205.3.0/16]
AND opendirectory = true
AND ssl.sans = cpanel*
AND scan_date > now-10d
Example 4
Description: Regular expression search: domain in SSL certificate names, not matching the domain name, and the domain name is not empty, within one of the given network ranges.
scan_date > now-30d
AND ssl.sans ~= /^silent[a-z].+\.io$/
AND domain !~= /silent.*/
AND domain ~= /.+/
AND ip = [13.249.0.0/16, 52.84.0.0/16]
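As an added example (not code from the page or from the product whose query syntax it documents), a small Python evaluator that applies this query syntax to a constructed scan record, using semantics inferred from the four examples above; the record layout, field types and wildcard/regex/CIDR/relative-date behaviour are assumptions.

```python
import fnmatch
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Assumed semantics (inferred from the examples, not documented on the page): '*' is a
# case-insensitive shell-style wildcard, '~=' / '!~=' take a /regex/, 'ip = [a, b]' holds
# if the IP is in any listed CIDR, 'now-30d' is relative to the current time, clauses are
# AND-joined, and a list field (ssl.sans) satisfies a positive clause if any element does.
CLAUSE = re.compile(r'^(?P<field>[\w.-]+)\s*(?P<op>!~=|~=|!=|=|>|<)\s*(?P<value>.+)$')

def _match(op, actual, value, now):
    value = value.strip().strip('"')
    if op in ('~=', '!~='):
        hit = re.search(value.strip('/'), str(actual)) is not None
        return hit if op == '~=' else not hit
    if op in ('>', '<'):  # relative date such as now-10d
        bound = now - timedelta(days=int(re.fullmatch(r'now-(\d+)d', value).group(1)))
        return actual > bound if op == '>' else actual < bound
    if value.startswith('['):  # list of CIDR ranges (non-strict: host bits may be set)
        nets = [ipaddress.ip_network(n.strip(), strict=False) for n in value.strip('[]').split(',')]
        hit = any(ipaddress.ip_address(actual) in n for n in nets)
    elif isinstance(actual, bool):
        hit = actual == (value.lower() == 'true')
    else:
        hit = fnmatch.fnmatchcase(str(actual).lower(), value.lower())
    return hit if op == '=' else not hit

def matches(query, record, now=None):
    """Return True if every AND-joined clause of `query` holds for the scan `record`."""
    now = now or datetime.now(timezone.utc)
    for clause in re.split(r'\s+AND\s+', ' '.join(query.split())):
        field, op, value = CLAUSE.match(clause).group('field', 'op', 'value')
        if field not in record:
            return False
        values = record[field] if isinstance(record[field], list) else [record[field]]
        agg = all if op.startswith('!') else any  # negative clauses must hold for every element
        if not agg(_match(op, v, value, now) for v in values):
            return False
    return True

# Constructed sample scan record (not real data) and the page's Example 3 query.
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
EXAMPLE_3 = """header.content-type = "text/html; charset=iso-8859-1"
AND header.server != Apache AND header.server != nginx AND ip = [83.143.113.0/16, 92.205.3.0/16]
AND opendirectory = true AND ssl.sans = cpanel* AND scan_date > now-10d"""
RECORD = {'header.content-type': 'text/html; charset=iso-8859-1', 'header.server': 'LiteSpeed',
          'ip': '83.143.200.7', 'opendirectory': True, 'scan_date': NOW - timedelta(days=2),
          'ssl.sans': ['cpanel.example.test', 'example.test']}
```

`matches(EXAMPLE_3, RECORD, NOW)` returns True for the constructed record; flipping any one field (server to Apache, IP outside both ranges, opendirectory false) makes it return False.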