Our unified query management modal streamlines working with SPQL queries in the Feed Search interface. It consolidates saving, sharing, monitoring, and exporting into a single interface, eliminating fragmented workflows and giving you better control and visibility over your queries. Settings that used to be scattered across separate modals are now connected, so you can save a query once and set up ongoing automation, collaboration, and alerts in a single step.
Overview
When you save a query, the modal prompts you to configure everything at once:
Name and Description: Required fields for easy identification; these apply to the saved query, any associated monitor, and automation exports.
Tags: Optional labels for organization and quick filtering (up to 4 tags supported).
Save Column Headers: Preserve your preferred data structure for consistent results.
Share with Organization: Toggle on to share the query (and its monitor/export settings) with your team for reuse.
Monitor: Enable proactive tracking with customizable notifications. Defaults pull from your global Notification Settings, but you can override per query:
In-App alerts.
Email.
Slack.
Microsoft Teams.
Custom webhook.
Automate Export: Set up hands-off daily exports without manual intervention:
Choose “Indicators Only” (basic fields) or “Enriched” (full dataset).
Defaults to your query's column headers; add up to 10 additional fields (e.g., Vendor, Category, Type, First Seen, Last Seen, SP Risk Score).
Available formats (CSV, JSON, STIX, or TAXII) are accessible after saving the query; click Manage to select and download.
After saving and generating the first export, access a dedicated endpoint (e.g., https://api.silentpush.com/export/{query-id}) for integration with external systems.
Once configured, exports appear in the Organization Exports section (formerly known as Data Exports), and monitors are listed in the Monitored Queries tab. No more separate buttons for Automate Export or Monitor—these are now unified here.
Note
These settings override your default account preferences under Notification Settings, but only apply to this query.
Create a New Query
From the left navigation, select Threat Intelligence Management > Feed Search.
Select a query category and type, then enter the relevant parameters (e.g., domain name).
Click Search to run the query and review the results.
Click Save to open the modal.

Fill in Name, Description, and Tags (optional).
Toggle Save Column Headers if desired.
Enable Share with Organization for team access.

Toggle Monitor and select notification channels (e.g., Email + Slack).

Toggle Automate Export and select the mode/fields.

Click Save to apply all settings. Exports will be generated daily.
To access formats (CSV, JSON, etc.) or the API endpoint, click Manage in Monitored Queries or Organization Exports to reopen the modal and select your preferred file format.

Your query is now saved and ready for reuse. If you enabled sharing, it’s accessible to your organization. If monitoring is toggled on, it appears in the Monitored Queries tab, displaying details such as active status, query URL, type (e.g., Feed Search), creator, age, and history. Click Manage to edit notifications or toggle them on or off.

For exports, once the first automated run completes (daily schedule), the export is listed in Organization Exports with your description, credit cost, observable/export types (e.g., mixed/enriched), available file formats (e.g., CSV, JSON, STIX), and buttons to Download File, Manage settings, or Automate Export further. All actions sync seamlessly across tabs.

Example Queries
To get started, try these beginner-friendly examples in Threat Intelligence Management > Feed Search. Adapt as needed for your threat hunting.
| Category | Field/Operator/Value | Description | Expected Results | Why Use for Export |
|---|---|---|---|---|
| Domain | datasource One of FEED AND domain_urls.results_summary.tranco_top10k Equals true | Excludes domains listed on the Tranco Top 10k most popular domains list | Domains from threat feeds that match the Tranco Top 10k list (e.g., high-traffic benign sites flagged in feeds) | Helps filter out false positives from popular domains; export as CSV/JSON for integration into broader blocklists or whitelists to reduce noise in threat hunting. |
| IP | datasource One of FEED AND ip is tor exit node Equals true AND asn_reputation_score Greater than 50 | IPs recognised as TOR exit nodes within trusted networks associated with a particular ASN | TOR exit node IPs from feeds with high ASN Reputation scores (e.g., IPs in reputable networks used for anonymized traffic) | Identifies risky anonymized traffic sources; enriched mode adds context such as ASN details for firewalls or SIEM feeds via STIX/TAXII exports. |
| IOA | datasource = "FEED" AND feed_category = "ioa" AND first_seen_on >= "now-1d" | Searches for recent IOA (Indicators of Attack) indicators from production feeds added in the last day | Newly reported IOAs, such as IPs, domains, or hashes from IOA-specific feeds (e.g., emerging threats or attack patterns) | Captures fresh, time-sensitive threat data for rapid response; export in JSON/STIX for quick integration into SIEM/SOAR tools or automated alerting workflows. |
Enhanced Monitoring Options
Monitoring keeps you ahead of threats with flexible, per-query alerts. Enable it during save or edit later via Manage in Monitored Queries.
Mix and match channels (In-App, Email, Slack, Teams, Custom Webhook). The query's Name and Description auto-populate for clear tracking in alerts.
In Monitored Queries, see active status, query URL, type, creator, and history.
Click Manage to reopen the modal and update notifications, toggle the active/inactive status, or adjust sharing settings without recreating the query.
Deactivating a monitor stops alerts but preserves the saved query.
Automation Details
Automate daily exports to streamline workflows. Files won't exist until you've saved the query and the first export has been generated.
During save or edit (via Manage), select mode and fields. Enriched mode includes additional features, such as risk scores, for more in-depth analysis. Available file formats (CSV, JSON, TXT, RPZ, STIX, TAXII) can then be selected and downloaded directly.
Files land in Organization Exports with a dedicated API endpoint for SIEM/SOAR integration. You can grab files here or continue using the traditional Data Exports method.
In Organization Exports, use the Manage button (now opens the full modal) to tweak settings, select formats, or download. Exports auto-remove if automation is disabled.
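One way to consume the daily files on the SIEM side, as an added example that is not Silent Push code: it compares today's Enriched CSV export with yesterday's and forwards only new indicators at or above a risk threshold. The `Indicator` column, the exact header spellings, the threshold of 50, and all sample rows are assumptions constructed for illustration; check them against a real export before use.

```python
import csv
import io

# Constructed sample exports (not real Silent Push output). The column names are
# assumptions based on the field names listed on this page.
YESTERDAY_CSV = """Indicator,Type,First Seen,Last Seen,SP Risk Score
bad-login.example,domain,2024-05-01,2024-05-09,92
198.51.100.7,ipv4,2024-05-03,2024-05-09,71
"""
TODAY_CSV = """Indicator,Type,First Seen,Last Seen,SP Risk Score
bad-login.example,domain,2024-05-01,2024-05-10,92
198.51.100.7,ipv4,2024-05-03,2024-05-10,71
cdn-update.example,domain,2024-05-10,2024-05-10,88
203.0.113.40,ipv4,2024-05-10,2024-05-10,35
shop.example,domain,2024-05-10,2024-05-10,
"""

def load_export(text):
    """Parse one export into {indicator: row}, normalising case and whitespace."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row.get("Indicator") or "").strip().lower()
        if key:
            rows[key] = row
    return rows

def risk_score(row):
    """Return the score as an int, or None when the field is empty or malformed."""
    try:
        return int((row.get("SP Risk Score") or "").strip())
    except ValueError:
        return None

def daily_delta(previous_text, current_text, min_score=50):
    """Split today's export into new indicators to ingest, new ones held back, and expired ones."""
    previous, current = load_export(previous_text), load_export(current_text)
    ingest, held = [], []
    for key in sorted(current.keys() - previous.keys()):
        score = risk_score(current[key])
        # Unscored or low-scored rows are held for review, not silently dropped.
        (ingest if score is not None and score >= min_score else held).append(key)
    expired = sorted(previous.keys() - current.keys())
    return {"ingest": ingest, "held": held, "expired": expired}

if __name__ == "__main__":
    print(daily_delta(YESTERDAY_CSV, TODAY_CSV))
```

Indicators in `expired` dropped out of the query results between runs, which is the cue to age out the matching SIEM or firewall entries.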
Revisit any saved query via Monitored Queries or Organization Exports:
Search by name or URL.
Click Manage to edit in the unified modal; update the Name/Description (which carries over to monitor/export), tags, sharing, notifications, or automation settings. Reopen the Export tab here to select file formats if needed.
Toggle options on/off; changes sync across tabs (e.g., disabling export removes it from Organization Exports).
View history or explore results directly.
This replaces the Edit Monitor Metadata modal.
Workflow Benefits
Save once, set up everything. This reduces clicks and confusion.
Tailor fields, notifications, and sharing per query.
Easy organization-wide access without duplication.
Automated exports and alerts free up time for analysis.