Censys v2
This Integration is part of the Censys Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.0.0 and later.
Built on the industry’s most comprehensive Internet Map, the Censys Platform delivers unmatched visibility into global internet assets, adversary infrastructure, and evolving threats. This integration was integrated and tested with version 2.0 of Censys.
Some changes have been made that might affect your existing content. If you are upgrading from a previous version of this integration, see Breaking Changes.
Configure Censys v2 in Cortex#
| Parameter | Description | Required |
|---|---|---|
| Server URL | The URL of the Censys API server. | True |
| API Token | Personal Access Token from Censys Platform | True |
| Organization ID | The unique identifier for your Censys organization. | True |
| Trust any certificate (not secure) | | False |
| Use system proxy settings | | False |
| Determine IP score by labels (for paid subscribers) | Censys API provides reputation data exclusively to paid subscribers. When set to True, the integration will use labels to determine the IP score. | False |
| IP Malicious labels | Used only when `Determine IP score by labels` is set. Labels to classify IP as Malicious. Input can be an array or comma-separated values. | False |
| IP Suspicious labels | Used when `Determine IP score by labels` is set. Labels to classify IP as Suspicious. Input can be an array or comma-separated values. | False |
| Malicious labels threshold | Determines the minimum number of labels returned that are classified as malicious for IP. | False |
| Suspicious labels threshold | Determines the minimum number of labels returned that are classified as suspicious for IP. | False |
| Source Reliability | Reliability of the source providing the intelligence data. | |
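How the label-based scoring parameters in the table above could combine into a DBot score, as an added example that is not the integration's own code. The function names, the case-insensitive matching, the minimum threshold of 1, checking malicious before suspicious, and the sample label values are all assumptions made for illustration.

```python
from typing import Iterable, Optional, Union

# Cortex XSOAR DBot score values: 0 unknown, 1 good, 2 suspicious, 3 bad.
DBOT_UNKNOWN, DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD = 0, 1, 2, 3

LabelInput = Optional[Union[str, Iterable[str]]]


def parse_labels(value: LabelInput) -> set:
    """Accept an array or a comma-separated string, as the parameters allow."""
    if not value:
        return set()
    items = value.split(",") if isinstance(value, str) else value
    # Assumption: trim and lower-case so "C2, Tor" matches ["c2", "tor"].
    return {str(i).strip().lower() for i in items if str(i).strip()}


def _threshold(value) -> int:
    """Thresholds arrive as text from the instance config; assume a floor of 1
    so that an empty or zero threshold cannot flag an IP with no matching label."""
    try:
        return max(1, int(value))
    except (TypeError, ValueError):
        return 1


def score_ip_by_labels(host_labels: LabelInput,
                       malicious_labels: LabelInput,
                       suspicious_labels: LabelInput,
                       malicious_threshold=1,
                       suspicious_threshold=1,
                       enabled: bool = True) -> int:
    """Hypothetical helper: map the labels returned for an IP to a DBot score."""
    if not enabled:  # "Determine IP score by labels" is off
        return DBOT_UNKNOWN
    found = parse_labels(host_labels)
    malicious_hits = found & parse_labels(malicious_labels)
    suspicious_hits = found & parse_labels(suspicious_labels)
    # Assumption: the malicious verdict takes precedence over the suspicious one.
    if len(malicious_hits) >= _threshold(malicious_threshold):
        return DBOT_BAD
    if len(suspicious_hits) >= _threshold(suspicious_threshold):
        return DBOT_SUSPICIOUS
    # No matching labels is not evidence of a benign host, so never DBOT_GOOD.
    return DBOT_UNKNOWN


if __name__ == "__main__":
    # Constructed sample data; the label names are placeholders, not Censys values.
    hosts = {
        "192.0.2.10": ["c2", "login-page"],
        "192.0.2.20": ["login-page"],
        "192.0.2.30": [],
    }
    for ip, labels in hosts.items():
        score = score_ip_by_labels(labels, "c2, tor", ["open-dir", "login-page"])
        print(ip, labels, "->", score)
```

Raising the malicious threshold above 1 means a single malicious label no longer produces a score of 3 by itself, so choose thresholds with the size of each label list in mind.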
Commands#
You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
cen-view#
Returns detailed information for an IP address or SHA256 within the specified index.
Base Command#
cen-view
Input#
| Argument Name | Description | Required |
|---|---|---|
| query | The IP address of the requested host. | Required |
| index | The index from which to retrieve data. Possible values are: ipv4, certificates. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Censys.View.autonomous_system.asn | Number | The autonomous system number (ASN) that the host is in. |
| Censys.View.autonomous_system.bgp_prefix | String | The autonomous system's CIDR. |
| Censys.View.autonomous_system.country_code | String | The autonomous system's two-letter, ISO 3166-1 alpha-2 country code (e.g., US, CN, GB, RU). |
| Censys.View.autonomous_system.description | String | A brief description of the autonomous system. |
| Censys.View.autonomous_system.name | String | The friendly name of the autonomous system. |
| Censys.View.dns.names | String | DNS Names. |
| Censys.View.ip | String | The host’s IP address. |
| Censys.View.location.continent | String | The continent of the host's detected location (e.g., North America, Europe, Asia, South America, Africa, Oceania). |
| Censys.View.location.coordinates | Unknown | The estimated coordinates of the host's detected location. |
| Censys.View.location.country | String | The name of the country of the host's detected location. |
| Censys.View.location.country_code | String | The two-letter ISO 3166-1 alpha-2 country code of the host's detected location (e.g., US, CN, GB, RU). |
| Censys.View.location.postal_code | String | The postal code (if applicable) of the host's detected location. |
| Censys.View.location.timezone | String | The IANA time zone database name of the host's detected location. |
| Censys.View.services.dns | Unknown | DNS information. |
| Censys.View.services.port | Number | The port the service was reached at. |
| Censys.View.services.protocol | String | The name of the service on the port. This is typically the L7 protocol (e.g., “HTTP”); however, in the case that a more specific HTTP-based protocol is found (e.g., Kubernetes or Prometheus), the field will show that. This field indicates where protocol-specific data will be located. |
| Censys.View.services.transport_protocol | String | The transport protocol (known in OSI model as L4) used to contact this service (i.e., UDP or TCP). |
| Censys.View.services.banner | String | The banner as a part of the protocol scan. That field will be nested in the protocol-specific data under the service_name field. |
| Censys.View.services.cert | Unknown | A subset of the parsed details of the certificate, including the issuer, subject, fingerprint, names, public keys, and signature. |
| Censys.View.fingerprint_sha256 | String | The SHA2-256 digest over the DER encoding of the certificate. |
| Censys.View.fingerprint_md5 | String | The MD5 digest over the DER encoding of the certificate. |
| Censys.View.fingerprint_sha1 | String | The SHA1 digest over the DER encoding of the certificate. |
| Censys.View.parsed.issuer.common_name | String | Common name. |
| Censys.View.parsed.issuer.country | String | Country name. |
| Censys.View.parsed.issuer.organization | String | Organization name. |
| Censys.View.parsed.issuer_dn | String | Information about the certificate authority that issued the certificate. |
| Censys.View.parsed.serial_number | String | The issuer-specific identifier of the certificate. |
| Censys.View.parsed.signature.signature_algorithm.name | String | Name of signature algorithm, e.g., SHA1-RSA or ECDSA-SHA512. Unknown algorithms get an integer ID. |
| Censys.View.parsed.signature.signature_algorithm.oid | String | The object identifier of the signature algorithm, in dotted-decimal notation. |
| Censys.View.parsed.subject.common_name | String | Common name. |
| Censys.View.parsed.subject.country | String | Country name. |
| Censys.View.parsed.subject.locality | String | Locality name. |
| Censys.View.parsed.subject.organization | String | The name of the organization to which the certificate was issued, if available. |
| Censys.View.parsed.subject.province | String | State or province name. |
| Censys.View.parsed.subject_dn | String | Information about the entity that was issued the certificate. |
| Censys.View.parsed.subject_key_info.fingerprint_sha256 | String | The SHA2-256 digest calculated over the certificate's DER encoding. |
| Censys.View.parsed.subject_key_info.key_algorithm.name | String | Name of public key type, e.g., RSA or ECDSA. |
| IP.Address | String | IP address. |
| IP.ASN | String | The autonomous system name for the IP address, for example: "AS8948". |
| IP.Geo.Location | String | The geolocation where the IP address is located, in the format: latitude:longitude. |
| IP.Geo.Country | String | The country in which the IP address is located. |
| IP.Geo.Description | String | Additional information about the location. |
| IP.ASOwner | String | The autonomous system owner of the IP. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
Command example#
!cen-view index=ipv4 query=8.8.8.8
Context Example#
cen-search#
Return previews of hosts matching a specified search query or a list of certificates that match the given query.
Base Command#
cen-search
Input#
| Argument Name | Description | Required |
|---|---|---|
| query | Query used to search for hosts with matching attributes. Uses the Censys Search Language. | Required |
| page_size | The maximum number of hits to return in each response (minimum of 0, maximum of 100). (Applies for the host search.) Default is 50. | Optional |
| limit | The number of results to return. Default is 50. | Optional |
| index | The index from which to retrieve data. Possible values are: ipv4, certificates. | Required |
| fields | The fields to return. (Applies for the certificates search.) | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Censys.Search.autonomous_system.asn | Number | The autonomous system number (ASN) that the host is in. |
| Censys.Search.autonomous_system.bgp_prefix | String | The autonomous system's CIDR. |
| Censys.Search.autonomous_system.country_code | String | The autonomous system's two-letter, ISO 3166-1 alpha-2 country code (e.g., US, CN, GB, RU). |
| Censys.Search.autonomous_system.description | String | A brief description of the autonomous system. |
| Censys.Search.autonomous_system.name | String | The friendly name of the autonomous system. |
| Censys.Search.ip | String | The host’s IP address. |
| Censys.Search.location.continent | String | The continent of the host's detected location (e.g., North America, Europe, Asia, South America, Africa, Oceania). |
| Censys.Search.location.coordinates | Unknown | The estimated coordinates of the host's detected location. |
| Censys.Search.location.country | String | The country of the host's detected location. |
| Censys.Search.location.country_code | String | The two-letter ISO 3166-1 alpha-2 country code of the host's detected location (e.g., US, CN, GB, RU). |
| Censys.Search.location.timezone | String | The IANA time zone database name of the host's detected location. |
| Censys.Search.services.port | Number | The port the service was reached at. |
| Censys.Search.services.protocol | String | The name of the service on the port. This is typically the L7 protocol (e.g., “HTTP”); however, in case a more specific HTTP-based protocol is found (e.g., Kubernetes or Prometheus), the field will show that. This field indicates where protocol-specific data will be located. |
| Censys.Search.services.transport_protocol | String | The transport protocol (known in OSI model as L4) used to contact this service (i.e., UDP or TCP). |
| Censys.Search.fingerprint_sha256 | String | SHA 256 fingerprint. |
| Censys.Search.parsed.issuer.organization | Unknown | The organization name. |
| Censys.Search.names | Unknown | Common names for the entity. |
| Censys.Search.parsed.subject_dn | String | Distinguished name of the entity that the certificate belongs to. |
| Censys.Search.parsed.validity_period.not_after | Date | Timestamp of when the certificate expires. Time zone is UTC. |
| Censys.Search.parsed.validity_period.not_before | Date | Timestamp of when the certificate is first valid. Time zone is UTC. |
| Censys.Search.parsed.issuer_dn | String | Distinguished name of the entity that has signed and issued the certificate. |
Command example#
!cen-search index=certificates query="cert.parsed.issuer.common_name: \"Let's Encrypt\"" limit=1
Context Example#
Human Readable Output#
Search results for query "cert.parsed.issuer.common_name: "Let's Encrypt""#
| Issuer | Issuer DN | SHA256 | Subject DN | Validity not after | Validity not before |
|---|---|---|---|---|---|
| Let's Encrypt | C=US, ST=Let's Encrypt, O=Let's Encrypt, CN=Let's Encrypt Authority X3 | 0003da4aee3b252097bfc7f871ab6fbe3e08eb94c34ff5cea91aaa29248d3c8b | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | 2026-04-15T00:50:59Z | 2025-04-15T00:50:59Z |
Command example#
!cen-search index=ipv4 query="host.services.protocol:HTTP" limit=1
Context Example#
domain#
Return all related IPs as relationships.
Base Command#
domain
Input#
| Argument Name | Description | Required |
|---|---|---|
| domain | A comma-separated list of domains to check. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Censys.Domain.location.postal_code | String | The postal code of the location associated with the domain. |
| Censys.Domain.location.province | String | The province name of the location associated with the domain. |
| Censys.Domain.location.country_code | String | The country code of the location associated with the domain. |
| Censys.Domain.location.timezone | String | The time zone of the location associated with the domain. |
| Censys.Domain.location.country | String | The country name of the location associated with the domain. |
| Censys.Domain.location.coordinates.longitude | Number | The longitude coordinate of the location associated with the domain. |
| Censys.Domain.location.coordinates.latitude | Number | The latitude coordinate of the location associated with the domain. |
| Censys.Domain.location.continent | String | The continent name of the location associated with the domain. |
| Censys.Domain.location.city | String | The city name of the location associated with the domain. |
| Censys.Domain.autonomous_system.country_code | String | The country code of the autonomous system associated with the domain. |
| Censys.Domain.autonomous_system.asn | Number | The Autonomous System Number (ASN) associated with the domain. |
| Censys.Domain.autonomous_system.name | String | The name of the autonomous system associated with the domain. |
| Censys.Domain.autonomous_system.bgp_prefix | String | The BGP prefix of the autonomous system associated with the domain. |
| Censys.Domain.autonomous_system.description | String | The description of the autonomous system associated with the domain. |
| Censys.Domain.services.transport_protocol | String | The transport protocol used by the service associated with the domain. |
| Censys.Domain.services.port | Number | The port number associated with the service associated with the domain. |
| Censys.Domain.services.protocol | String | The name of the service associated with the domain. |
| Censys.Domain.services.cert | String | The SSL/TLS certificate associated with the service associated with the domain. |
| Censys.Domain.ip | String | The IP address associated with the domain. |
| Censys.Domain.dns.reverse_dns.names | String | The reverse DNS names associated with the domain. |
| Domain.Name | string | The domain. |
| Domain.Relationships.EntityA | string | The domain name. |
| Domain.Relationships.EntityAType | string | The entity type. |
| Domain.Relationships.EntityB | string | The entity B. |
| Domain.Relationships.EntityBType | string | The entity B type. |
| Domain.Relationships.Relationship | string | The relationship type. |
| DBotScore.Indicator | unknown | The indicator that was tested. |
| DBotScore.Type | unknown | The indicator type. |
| DBotScore.Score | unknown | The actual score. |
| DBotScore.Vendor | unknown | The vendor used to calculate the score. |
Command example#
!domain domain=amazon.com,google.com
Context Example#
Human Readable Output#
Information for IP 8.8.8.8#
| ASN | Network | Protocols | Routing | Whois Last Updated |
|---|---|---|---|---|
| 15169 | GOOGLE - Google LLC | 53/DNS, 443/UNKNOWN, 443/HTTP, 853/UNKNOWN | 8.8.8.0/24 | 2023-12-28T00:00:00Z |
Command example#
!cen-view index=certificates query=9d3b51a6b80daf76e074730f19dc01e643ca0c3127d8f48be64cf3302f6622cc limit=1
Context Example#
Human Readable Output#
Information for certificate#
| Added At | Browser Trust | Modified At | SHA 256 | Validated At |
|---|---|---|---|---|
| 1970-01-01T00:00:00Z | nss: Invalid, microsoft: Valid, apple: Valid, chrome: Invalid | 2024-01-23T12:12:35Z | 9d3b51a6b80daf76e074730f19dc01e643ca0c3127d8f48be64cf3302f6622cc | 2023-09-09T05:55:46Z |
cen-search#
Returns previews of hosts matching a specified search query, or a list of certificates that match the given query.
Base Command#
cen-search
Input#
| Argument Name | Description | Required |
|---|---|---|
| query | Query used to search for hosts with matching attributes. Uses the Censys Search Language. | Required |
| page_size | The maximum number of hits to return in each response (minimum of 0, maximum of 100). Default is 50. (Applies for the host search.) | Optional |
| limit | The number of results to return. Default is 50. | Optional |
| index | The index from which to retrieve data. Possible values are: ipv4, certificates. | Required |
| fields | The fields to return. (Applies for the certificates search). | Optional |
| page | The page to return. (Applies for the certificates search). Default is 1. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Censys.Search.autonomous_system.asn | Number | The autonomous system number (ASN) that the host is in. |
| Censys.Search.autonomous_system.bgp_prefix | String | The autonomous system's CIDR. |
| Censys.Search.autonomous_system.country_code | String | The autonomous system's two-letter, ISO 3166-1 alpha-2 country code (e.g., US, CN, GB, RU). |
| Censys.Search.autonomous_system.description | String | A brief description of the autonomous system. |
| Censys.Search.autonomous_system.name | String | The friendly name of the autonomous system. |
| Censys.Search.ip | String | The host’s IP address. |
| Censys.Search.location.continent | String | The continent of the host's detected location (e.g., North America, Europe, Asia, South America, Africa, Oceania). |
| Censys.Search.location.coordinates | Unknown | The estimated coordinates of the host's detected location. |
| Censys.Search.location.country | String | The country of the host's detected location. |
| Censys.Search.location.country_code | String | The two-letter ISO 3166-1 alpha-2 country code of the host's detected location (e.g., US, CN, GB, RU). |
| Censys.Search.location.registered_country | String | The host's registered country. |
| Censys.Search.location.registered_country_code | String | The registered country's two-letter, ISO 3166-1 alpha-2 country code (e.g., US, CN, GB, RU). |
| Censys.Search.location.timezone | String | The IANA time zone database name of the host's detected location. |
| Censys.Search.services.port | Number | The port the service was reached at. |
| Censys.Search.services.service_name | String | The name of the service on the port. This is typically the L7 protocol (e.g., “HTTP”); however, in the case that a more specific HTTP-based protocol is found (e.g., Kubernetes or Prometheus), the field will show that. This field indicates where protocol-specific data will be located. |
| Censys.Search.services.transport_protocol | String | The transport protocol (known in OSI model as L4) used to contact this service (i.e., UDP or TCP). |
| Censys.Search.parsed.fingerprint_sha256 | String | SHA 256 fingerprint. |
| Censys.Search.parsed.issuer.organization | Unknown | The organization name. |
| Censys.Search.parsed.names | Unknown | Common names for the entity. |
| Censys.Search.parsed.subject_dn | String | Distinguished name of the entity that the certificate belongs to. |
| Censys.Search.parsed.validity.end | Date | Timestamp of when the certificate expires. Time zone is UTC. |
| Censys.Search.parsed.validity.start | Date | Timestamp of when the certificate is first valid. Time zone is UTC. |
| Censys.Search.parsed.issuer_dn | String | Distinguished name of the entity that has signed and issued the certificate. |
Command Example#
!cen-search index=certificates query="parsed.issuer.common_name: \"Let's Encrypt\"" limit=1
Context Example#
Human Readable Output#
Search results for query "parsed.issuer.common_name: "Let's Encrypt""#
| Issuer | Issuer DN | Names | SHA256 | Subject DN | Validity |
|---|---|---|---|---|---|
| organization: Let's Encrypt | C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3 | *.45g4rg43g4fr3434g.gb.net, 45g4rg43g4fr3434g.gb.net | f3ade17dffcadd9532aeb2514f10d66e22941393725aa65366ac286df9b442ec | CN=45g4rg43g4fr3434g.gb.net | start: 2020-10-12T14:46:11Z, end: 2021-01-10T14:46:11Z |
ip#
Runs reputation on IPs.
Base Command#
ip
Input#
| Argument Name | Description | Required |
|---|---|---|
| ip | IP address or a list of IP addresses to assess reputation. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Censys.IP.services.port | Number | The port number associated with the service running on the IP. |
| Censys.IP.services.transport_protocol | String | The transport protocol used by the service running on the IP. |
| Censys.IP.services.protocol | String | The name of the service running on the IP. |
| Censys.IP.services.cert | String | The SSL/TLS certificate associated with the service running on the IP. |
| Censys.IP.labels | String | Labels associated with the IP address (with premium access only). |
| Censys.IP.dns.reverse_dns.names | String | Reverse DNS names associated with the IP address. |
| Censys.IP.autonomous_system.country_code | String | The country code of the autonomous system associated with the IP address. |
| Censys.IP.autonomous_system.description | String | Description of the autonomous system associated with the IP address. |
| Censys.IP.autonomous_system.name | String | Name of the autonomous system associated with the IP address. |
| Censys.IP.autonomous_system.bgp_prefix | String | BGP prefix of the autonomous system associated with the IP address. |
| Censys.IP.autonomous_system.asn | Number | Autonomous System Number (ASN) of the autonomous system associated with the IP address. |
| Censys.IP.ip | String | The IP address. |
| Censys.IP.location.country | String | Country name of the location associated with the IP address. |
| Censys.IP.location.timezone | String | Time zone of the location associated with the IP address. |
| Censys.IP.location.province | String | Province name of the location associated with the IP address. |
| Censys.IP.location.coordinates.latitude | Number | Latitude coordinate of the location associated with the IP address. |
| Censys.IP.location.coordinates.longitude | Number | Longitude coordinate of the location associated with the IP address. |
| Censys.IP.location.continent | String | Continent name of the location associated with the IP address. |
| Censys.IP.location.postal_code | String | Postal code of the location associated with the IP address. |
| Censys.IP.location.city | String | City name of the location associated with the IP address. |
| Censys.IP.location.country_code | String | Country code of the location associated with the IP address. |
| IP.Address | unknown | The IP address. |
| IP.ASN | unknown | The IP ASN. |
| IP.Geo.Country | unknown | The IP country. |
| IP.Geo.Location | unknown | The IP location. |
| IP.UpdatedDate | unknown | The IP last update. |
| IP.Port | unknown | The IP port. |
| DBotScore.Indicator | unknown | The indicator that was tested. |
| DBotScore.Type | unknown | The indicator type. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| DBotScore.Vendor | unknown | The vendor used to calculate the score. |
Command example#
!ip ip=8.8.8.8,8.8.4.4
Context Example#
Human Readable Output#
censys results for IP: 8.8.8.8#
| Asn | Geo Country | Geo Latitude | Geo Longitude | Ip | Port | Reputation | Updated |
|---|---|---|---|---|---|---|---|
| 15169 | United States | 37.4056 | -122.0775 | 8.8.8.8 | 53, 443, 443, 853 | 0 | 2024-04-14T08:03:28.159Z |