SPQL query examples

Prev Next

This article provides examples of Silent Push Query Language (SPQL) queries to demonstrate syntax application. Refer to SPQL syntax rules for syntax details and Field names for available fields.

Example 1: Websites with PayPal favicon but no PayPal SSL cert

Search for websites using PayPal’s favicon that are not using a PayPal SSL certificate.

datasource = "webscan" AND favicon_murmur3 = "309020573" AND domain !~= "\s*$" AND ssl.subject.organization != "PayPal, Inc."

Example 2: JS files on silentpush.com scanned in the last 30 days

Find JavaScript files used by the silentpush.com website that have been scanned in the past 30 days.

datasource = "webresources" AND resource_hostname = "www.silentpush.com" AND header.content-type = "*javascript*" AND scan_date >= "now-30d"

Example 3: Dark web sites selling credit cards (Sep 2025)

Find dark web sites selling credit card details scanned in September of 2025.

datasource = "torscan" AND htmltitle = "*credit card*" AND scan_date >= "2025-09-01" AND scan_date <= "2025-09-30"

Example 4: .exe. files in open directories (past week)

Find executable files hosted on open directories scanned within the past week.

datasource = "opendirectory" AND scan_date > "now-7d" AND name = "*.exe"

Example 5: WHOIS records for specific email

Find WHOIS records matching a specific email address.

datasource = "whois" AND email = "bankcentralasiabcajakarta1@gmail.com"

Example 6: Mandiant subdomains

Find web scans where the subdomain is named mandiant, the domain is not mandiant.com, and was scanned in the last year.

datasource = "webscan" AND domain = mandiant.* AND domain != mandiant.com AND scan_date > now-1y

Example 7: Domains in IP ranges

Advanced example: Search for domains that are hosted in IP ranges 13.249.0.0/16 or 52.84.0.0/16, don’t have a .com TLD, where their HTML title references “login”, and were scanned in the last 90 days.

datasource = "webscan" AND domain ~= /.+/ AND ip = [104.26.0.0/20, 172.67.64.0/18] AND tld != "com" AND htmltitle = "*login*" AND scan_date > now-90d

Example 8: Servers with custom content-type

Advanced example: Search for servers with a specific content-type, not running Apache or Nginx, with an Open Directory detected, have “cpanel” referenced in their SSL certificate sans name, and scanned in the last 2 years.

datasource = "webscan" AND header.content-type = "text/html; charset=iso-8859-1" AND header.server != "Apache" AND header.server != "nginx" AND opendirectory = "true" AND ssl.sans = "cpanel*" AND scan_date > "now-2y"

Notes: Use SPQL API functionality to execute queries via the API. See SPQL data sources for querying specific repositories.