Censys Internet Intelligence Platform FAQs
This article collects and answers some frequently asked questions about the Censys Internet Intelligence Platform (IIP).
Does IIP use the same domain-specific language as Censys Search 2.0?
No. IIP uses a new, easier-to-use language called Censys Query Language. You can learn more about CenQL here.
What is the advantage or use of web property assets?
Censys has historically scanned hosts with HTTP services running on them. There are several limitations with this approach:
- It is difficult to extract information from multiple HTTP endpoints (such as /wp-admin and /login).
- There is a high barrier to developing new HTTP-based scanners, such as scanners for Cobalt Strike, Fortigate, ElasticSearch, WordPress, and so on.
- Users of Search 2.0 struggled with virtual hosts. It was unclear when they should search hosts versus virtual hosts.
Web properties address these concerns. Web properties:
- Support data from multiple HTTP endpoints.
- Reduce the complexity of developing and deploying HTTP-based scanners.
- Make searching for web services feel like using a web browser.
Learn more about the differences between host and web property records.
How do web properties differ from host services?
- Web properties offer insight into HTTP services beyond layer 7 while abstracting away HTTP protocol semantics.
- Web properties are not tied to a specific IP. They use DNS to scan data residing on a name.
- Web properties support deep scan information for HTTP-based scanners.
Learn more about the differences between host and web property records.
When should I search for web properties instead of a host service?
Search web properties when:
- You want results that include hostnames.
- You are targeting software that runs on top of HTTP, such as wordpress, pprof, kubernetes, elasticsearch, and so on.
- You are targeting software that serves HTTP, like apache or nginx.
- You need HTTP body information.
- You need data from endpoints other than /.
Do not use web properties when:
- You want results that include IP addresses.
- You are searching for DNS data, whois data, geolocation data, or routing data.
- You are searching for hosts serving HTTP as well as non-HTTP protocols.
Learn more about the differences between host and web property records.
Where did HTTP body information on hosts go?
It moved to web.services.
Where are the labels from Search 2.0 in the IIP dataset?
In the Search 2.0 dataset, labels are used for multiple purposes, ranging from indicating software manufacturers to describing records using descriptors like “network.device” or “login-page.”
There are fewer label values in IIP than in Search 2.0. This is partially because “labels” in Search 2.0 that were actually unstructured software, hardware, or operating system data have been moved to the appropriate component fields (e.g. jquery, bootstrap) in IIP.
The table below lists a few of the labels available in IIP:
| Label name | Description |
| --- | --- |
| IPV6 | Entity identified as an IPv6 host |
| login-page | Entity has an HTTP service that appears to host a login page |
| open-dir | Web server with an exposed directory listing |
| suspicious-open-dir | Web server with a suspicious open directory |
How can I perform relative time search in IIP?
Read this article to learn how to use relative time in IIP.
Does IIP show the certificate chain for certificate records anywhere?
The certificate chain is shown in host.services.tls.presented_chain.
Where is service.banner_hex in IIP?
This information will be added to the IIP dataset in Q1 2025.