Manage and run queries


Locate, run, and filter queries

Manage saved queries from the Total View Web Search tab. Start by saving findings to Feeds in Total View. See Web Search for tips on how to save findings.

Locate and run a saved query

Web Search enables you to access and run previously saved or recently executed queries.

  1. From the left navigation menu, select Web Data, and then select Web Search.

  2. Select My Searches.

  3. Click the Saved tab to view all saved queries.

  4. Select the Recent tab to view recently executed queries.

  5. In the Search saved queries box, type the name of the query you are searching for.

Run a query

  1. Click the desired query from the list to execute it.

  2. Results will appear in a collapsible Results table.

Apply filters to a query

You can refine the saved queries using filters to quickly find specific queries.

  1. In the My Searches section, click Filter & Sorting to access and apply filters.

  2. Configure your desired filters and click Apply.

Use the following table to understand the filters available in your saved queries to help you identify a specific saved query:

| Filter | Description |
| --- | --- |
| Filter by tag | Type the name of the tag to filter saved queries by. |
| Filter by type | From the dropdown menu, select whether the query type is Shared or Private. |
| Sorting | Select how your saved queries are presented. |
| Type | Select if your query type is either Shared (available to other users in the organization) or Private (available only to yourself). |
| Alphabetic | Select how your saved queries are presented alphabetically: Ascending (arranged from A-Z) or Descending (arranged from Z-A). |
| Creation date | Select how your saved queries are presented by age: Newest (start with your most recently saved queries) or Oldest (start with your oldest saved queries). |

Construct and execute queries

Web Search supports query construction using two methods: Command Line (using SPQL syntax) or Constructor (a UI-based query builder). Queries can target specific data sources, such as webscan or torscan, and use field names to define search parameters.

Command Line query example

To scan for IPs hosted in Japan within the last seven days:

scan_date > now-7d AND tld = jp

Breakdown

  • scan_date: Field name for the scan date.

  • >: Operator meaning “is greater than”.

  • now-7d: Value for the last 7 days.

  • AND: Separator linking conditions.

  • tld: Field name for the top-level domain.

  • =: Operator meaning “is equal to”.

  • jp: Value for Japan.

Constructor query example

The same query can be built using the Constructor feature:

  1. Navigate to Explore Scan Data > Web Search.

  2. Select the Constructor option.

  3. Add expressions:

    1. Expression 1: Field = scan_date, Operator = >, Value = now-7d.

    2. Expression 2: Field = tld, Operator = =, Value = jp.

    3. Link expressions with the AND separator.

  4. Execute the query to retrieve results.

Query multiple data sources

To search across multiple data sources, specify them in square brackets.

domain = "payments*" AND datasource = [webscan, torscan]

This query searches for domains starting with payments in both the webscan and torscan data sources.

Save queries

To save a query for future use:

  1. After constructing a query (via Command Line or Constructor), click Save.

  2. Assign a name and choose the query type (Shared or Private).

  3. Optionally, add tags for easier filtering later.

For more details on data sources and field names, refer to the Field Names article.

Practical use case: detecting fake banking pages

Protecting your brand and identifying phishing attempts is a key application of Web Search. This step-by-step guide shows how to uncover fake banking pages using Web Search queries.

What you’ll need

  • Access to Silent Push’s app.

  • A target bank domain you suspect is being impersonated (e.g., aib.ie for Allied Irish Banks).

Step-by-step guide

  1. Start with the target domain: Enter the bank domain (e.g., aib.ie) to set your search foundation.

  2. Choose your query method: Use the Constructor tab to build the query visually, then switch to the Command Line tab for results.

  3. Expand and analyze results: Run an initial search, then expand a result to view fields such as favicon_md5_hash and ssl.subject_common_name.

  4. Add the favicon match: Click favicon_md5_hash and add it with = to match the bank’s favicon.

  5. Filter by certificate provider: Note the legitimate provider (e.g., Digicert), click it, and add != to exclude it.

  6. Exclude the legitimate domain: Set domain != aib.ie to focus on impostors.

  7. Run the full query: Your query (e.g., favicon_md5_hash = [AIB_hash] AND ssl.subject_common_name != "Digicert" AND domain != "aib.ie") targets non-legitimate pages. Run it and view results in the Command Line tab.

  8. Review and enrich results: Spot fake pages (e.g., hosted in Russia). Select a result, click Enrich to see threat feed data confirming malicious intent.

  9. Pivot for deeper insights: Enrich another result, pivot to the IP, and select Lookup PADNS to reveal DNS history, uncovering clusters of phishing pages (e.g., targeting Australian government or Macquarie).

This method uses unique content (favicons, certificates) to detect impersonation. Pivoting to DNS and enrichment feeds maps out threats, making it essential for safeguarding your digital presence.
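
The following added example (not Silent Push code and not part of the original article) models Constructor rows as (field, operator, value) tuples, renders them in the Command Line form shown above, and applies the step 7 conditions to records locally. The helper names, the constructed sample records and placeholder hash, the quoting of every string value, and the choice that a missing field equals nothing are assumptions of this example.

```python
from fnmatch import fnmatchcase

def render(expressions):
    """Render Constructor-style (field, operator, value) rows as one Command Line query."""
    parts = []
    for field, op, value in expressions:
        if isinstance(value, list):            # e.g. datasource = [webscan, torscan]
            text = "[" + ", ".join(value) + "]"
        else:                                  # quoting every string is this example's choice
            text = f'"{value}"'
        parts.append(f"{field} {op} {text}")
    return " AND ".join(parts)

def _equal(actual, value):
    """List value = any-of, * = wildcard; a missing field (None) equals nothing."""
    if isinstance(value, list):
        return actual in value
    return actual is not None and fnmatchcase(actual.lower(), value.lower())

def matches(record, expressions):
    """True when a record satisfies every row (rows are linked with AND)."""
    for field, op, value in expressions:
        if op not in ("=", "!="):
            raise ValueError(f"unsupported operator: {op}")
        if _equal(record.get(field), value) != (op == "="):
            return False
    return True

def impostor_rows(favicon_hash, legit_cert_value, legit_domain):
    """Rows for step 7: same favicon, different certificate value, different domain."""
    return [("favicon_md5_hash", "=", favicon_hash),
            ("ssl.subject_common_name", "!=", legit_cert_value),
            ("domain", "!=", legit_domain)]

# Constructed sample data: placeholder hash and .example hosts, not real scan results.
LEGIT_HASH = "a" * 32
RECORDS = [
    {"domain": "aib.ie", "favicon_md5_hash": LEGIT_HASH, "ssl.subject_common_name": "Digicert"},
    {"domain": "aib-login.example", "favicon_md5_hash": LEGIT_HASH, "ssl.subject_common_name": "aib-login.example"},
    {"domain": "plain-http.example", "favicon_md5_hash": LEGIT_HASH},  # no certificate field
    {"domain": "unrelated.example", "favicon_md5_hash": "b" * 32, "ssl.subject_common_name": "unrelated.example"},
]

def flagged_domains(records=RECORDS):
    rows = impostor_rows(LEGIT_HASH, "Digicert", "aib.ie")
    return [r["domain"] for r in records if matches(r, rows)]

if __name__ == "__main__":
    print(render(impostor_rows(LEGIT_HASH, "Digicert", "aib.ie")), flagged_domains(), sep="\n")
```

The record without a certificate field is flagged because a missing value cannot equal the legitimate one; whether the hosted search treats absent fields the same way is not stated on this page.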