This article provides examples of Silent Push Query Language (SPQL) queries to demonstrate syntax application. Refer to SPQL syntax rules for syntax details and Field names for available fields.
Example 1: Websites with PayPal favicon but no PayPal SSL cert
Search for websites using PayPal’s favicon that are not using a PayPal SSL certificate.
datasource = "webscan" AND favicon_murmur3 = "309020573" AND domain !~= "\s*$" AND ssl.subject.organization != "PayPal, Inc."
Example 2: JS files on silentpush.com scanned in the last 30 days
Find JavaScript files used by the silentpush.com website that have been scanned in the past 30 days.
datasource = "webresources" AND resource_hostname = "www.silentpush.com" AND header.content-type = "*javascript*" AND scan_date >= "now-30d"
Example 3: Dark web sites selling credit cards (Sep 2025)
Find dark web sites selling credit card details scanned in September of 2025.
datasource = "torscan" AND htmltitle = "*credit card*" AND scan_date >= "2025-09-01" AND scan_date <= "2025-09-30"
Example 4: .exe. files in open directories (past week)
Find executable files hosted on open directories scanned within the past week.
datasource = "opendirectory" AND scan_date > "now-7d" AND name = "*.exe"
Example 5: WHOIS records for specific email
Find WHOIS records matching a specific email address.
datasource = "whois" AND email = "bankcentralasiabcajakarta1@gmail.com"
Example 6: Mandiant subdomains
Find web scans where the subdomain is named mandiant, the domain is not mandiant.com, and was scanned in the last year.
datasource = "webscan" AND domain = mandiant.* AND domain != mandiant.com AND scan_date > now-1y
Example 7: Domains in IP ranges
Advanced example: Search for domains that are hosted in IP ranges 13.249.0.0/16 or 52.84.0.0/16, don’t have a .com TLD, where their HTML title references “login”, and were scanned in the last 90 days.
datasource = "webscan" AND domain ~= /.+/ AND ip = [104.26.0.0/20, 172.67.64.0/18] AND tld != "com" AND htmltitle = "*login*" AND scan_date > now-90d
Example 8: Servers with custom content-type
Advanced example: Search for servers with a specific content-type, not running Apache or Nginx, with an Open Directory detected, have “cpanel” referenced in their SSL certificate sans name, and scanned in the last 2 years.
datasource = "webscan" AND header.content-type = "text/html; charset=iso-8859-1" AND header.server != "Apache" AND header.server != "nginx" AND opendirectory = "true" AND ssl.sans = "cpanel*" AND scan_date > "now-2y"
Notes: Use SPQL API functionality to execute queries via the API. See SPQL data sources for querying specific repositories.