This article provides examples of SPQL queries to demonstrate syntax application. Refer to SPQL Syntax Rules for syntax details and Understand field names for available fields.
Example 1
Search for DDOS in htmltitle and header.server with an HTTP success code (200).
htmltitle = "DDoS* not configured" AND response = 200 AND header.server = ddos*
Example 2
Find domains starting with mandiant (not the .com TLD) scanned in the last 30 days.
domain = mandiant.* AND domain != mandiant.com AND scan_date > now-30d
Example 3
Search for servers with a specific content-type, not running Apache or nginx, in IP ranges 83.143.113.0/16 or 92.205.3.0/16, with opendirectory enabled and cpanel in SSL certificate names, scanned in the last 10 days.
header.content-type = "text/html; charset=iso-8859-1" AND header.server != Apache AND header.server != nginx AND ip = [83.143.113.0/16, 92.205.3.0/16] AND opendirectory = true AND ssl.sans = cpanel* AND scan_date > now-10d
Example 4
Find domains in SSL certificate names matching silent[a-z].+\.io, not matching silent.* in the domain name, with a non-empty domain, in IP ranges 13.249.0.0/16 or 52.84.0.0/16, scanned in the last 30 days.
scan_date > now-30d AND ssl.sans ~= /^silent[a-z].+\.io$/ AND domain !~= /silent.*/ AND domain ~= /.+/ AND ip = [13.249.0.0/16, 52.84.0.0/16]
Notes: Use SPQL API functionality to execute queries via the API.
See SPQL data sources for querying specific repositories.