About the Logbook in Attack Surface Management
Censys tracks and reports when changes take place in your attack surface in the following categories:
- Certificate
- Vulnerability (CVE)
- Host/Cert Association
- Host
- Host Risk
- Modified Risk
- Port
- Protocol
- Software
- Domain
- Domain Risk
- Mail Exchange Server
- Name Server
- Domain Registrar
- Subdomain
- Storage Bucket
The Logbook is a change log of activity related to your assets. The log is sorted by timestamp, with most recent events on top.
You can expand any row to see more information about the event, including a diff of the entity. Buttons linking to the asset(s) let you navigate to those pages for further investigation.
Apply filters to see events that meet specific criteria.
General filters allow you to narrow the scope of logbook events in the list by including or excluding events that have characteristics or top-level asset identifiers in common.
- Date Range: A time period during which event(s) occurred. By default, all events from all time are shown.
  Note: Timestamps for logbook events reflect when the event was entered into the logbook. Read the definition of the event carefully to understand how the timestamp applies.
- IP Address/CIDR: An IP address or block of IP addresses in your attack surface.
- Domain: An apex domain you own.
- Certificate: The SHA-256 fingerprint of a TLS certificate you own.
- Tags: Any tags applied to this asset.
- Included Log Types: Types of events that you can hide from the view or restrict the view to.
Use the Certificate filter to see when certificates were associated to your organization (Associate), or when they were removed (Disassociate).
Examples:
- Your TLS Certificate Issuer issues you a new certificate (perhaps your old one expired) and it was discovered in our scan.
- In following the connections between Internet objects, the Censys global scanning engine finds an existing certificate of yours that it has never seen before and adds it to your asset collection.
Using the Vulnerability filter, you can restrict the view to only vulnerability event types, and then filter those events by CVE-ID, CVSS score, or when a vulnerability was added to a host (Add), removed from a host (Remove), or when the CVE-ID itself was updated (Change).
Examples:
- A new host running a certain software with a CVE-ID was attributed to your organization. In this case, other preceding events such as Host Associate and Software Add events accompany the Vulnerability Add event.
- A host belonging to your organization reports a new software package or version, and a CVE-ID is found for that version. In this case, other preceding events such as Software Remove, Vulnerability Remove and Software Add events accompany the Vulnerability Add event.
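The two patterns above can be told apart mechanically when triaging Vulnerability Add events. The following is an added example, not Censys code: the tuple shape, the ten-minute window, the cause labels and the sample events (including the placeholder CVE IDs) are assumptions made for illustration and are not the Logbook API schema.

```python
from datetime import datetime, timedelta

# Constructed sample events as (timestamp, host, type, operation, detail).
# Tuple shape, software names and CVE IDs are placeholders for this example.
EVENTS = [
    ("2024-05-01T10:00:00", "198.51.100.7", "Host", "Associate", None),
    ("2024-05-01T10:00:02", "198.51.100.7", "Software", "Add", "exampled 1.0"),
    ("2024-05-01T10:00:03", "198.51.100.7", "Vulnerability", "Add", "CVE-0000-0001"),
    ("2024-05-02T08:30:00", "203.0.113.20", "Software", "Remove", "exampled 1.0"),
    ("2024-05-02T08:30:00", "203.0.113.20", "Vulnerability", "Remove", "CVE-0000-0009"),
    ("2024-05-02T08:30:01", "203.0.113.20", "Software", "Add", "exampled 2.0"),
    ("2024-05-02T08:30:02", "203.0.113.20", "Vulnerability", "Add", "CVE-0000-0002"),
    ("2024-04-01T09:00:00", "192.0.2.55", "Software", "Add", "exampled 1.5"),
    ("2024-05-03T12:00:00", "192.0.2.55", "Vulnerability", "Add", "CVE-0000-0003"),
]


def classify_vuln_adds(events, window=timedelta(minutes=10)):
    """Label each Vulnerability Add by the events that precede it on the same host.

    Logbook timestamps record when an event was entered, so related events are
    matched inside a short window rather than by exact timestamp.
    """
    parsed = sorted(
        ((datetime.fromisoformat(ts), host, typ, op, detail)
         for ts, host, typ, op, detail in events),
        key=lambda e: e[0],
    )
    results = []
    for ts, host, typ, op, detail in parsed:
        if (typ, op) != ("Vulnerability", "Add"):
            continue
        # Event kinds logged for this host at or shortly before the Vulnerability Add.
        preceding = {
            (t, o) for ts2, h, t, o, _ in parsed
            if h == host and timedelta(0) <= ts - ts2 <= window
        }
        if ("Host", "Associate") in preceding:
            cause = "new-host"              # first pattern: host newly attributed
        elif ("Software", "Add") in preceding:
            cause = "software-change"       # second pattern: new package or version
        else:
            cause = "no-accompanying-event"  # neither pattern; review manually
        results.append((host, detail, cause))
    return results
```

A "new-host" result points the review at why the asset was attributed to the organization, while "software-change" points at a deployment or upgrade on a host already in the inventory.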
With the Host/Cert Association filter, you can see when a certificate was seen on a host (Add) or not seen on a host (Remove).
- A TLS certificate in your asset collection was presented for the first time during a TLS handshake with a host you own.
- A TLS certificate not previously in your asset collection was presented for the first time during a TLS handshake with a host you own. In this case, the Certificate Associate event precedes the Host/Cert Association Add event.
Examples:
- A TLS certificate in your asset collection that was previously presented by a host you own was not presented during the most recent TLS handshake.
- A TLS certificate was disassociated from your organization. In this case, the Certificate Disassociate event accompanies the Host/Cert Association Remove event.
- A host was disassociated from your organization. In this case, the Host Disassociate event accompanies the Host/Cert Association Remove event.
Use the Host filter to view when hosts were added to (Associate) or removed from (Disassociate) your asset collection.
Examples:
- An IP address within a CIDR you own that in previous scans was not live was found to have an open port in the latest Censys scan.
- Your organization deployed a service in the cloud and some of your assets now point to the IP where the service is running.
Examples:
- An IP address that in previous scans was live was not found in the latest scan by the Censys global scanning engine.
- A service that is running in the cloud was automatically shuffled to a different IP address by your cloud provider. No connections between your other assets and that IP address were found in the latest scan by the Censys global scanning engine.
With the Host Risk filter, you can see when a risk was seen on a host (Add) or not seen on a host (Remove).
Examples:
- A new host is added to your organization because a connection was discovered between it and other assets, and the host has properties that Censys flags as a risk. In this case, other host-related events accompany this event.
- A host already associated to your organization changed and now has properties that Censys flags as a risk.
Using the Port filter, you can select events that report when TCP/IP ports were added (Add) or removed (Remove) from your hosts, or select which port number-related events to include or exclude from the logbook.
Use the Protocol filter to select events that document when application-layer protocols such as HTTP or SMTP were detected (Add) or removed from your hosts (Remove), or choose to include or exclude events related to a particular protocol.
- An open port on a host attributed to you is discovered to have a known protocol in the latest Censys scan.
- A new host is associated to you with a known protocol used on one of its open ports. In this case, the Host Associate and Port Add events precede the Protocol Add event.
With the Software filter, you can select events showing when a software version was added (Add) or removed (Remove) from a host, or you can select which software-related events to include or exclude from the logbook.
Examples:
- The port that a software was exposed on was closed. In this case, a Port Remove and Protocol Remove event accompany the Software Remove event.
- A host was disassociated from your organization. In this case, the Host Disassociate, Port Remove and Protocol Remove events precede the Software Remove event.
Apex domains are root domains in the sense that they are only subdomains of a TLD (for example, com) or eTLD (for example, co.uk).
These domains often identify large portions of your Internet-facing business.
With the Domain filter, you can see when a domain was added to your asset collection (Associate) or removed from your asset collection (Disassociate).
With the Domain Risk filter, you can see when domain risks were identified (Add) or removed (Removed).
With the Domain Expiration Date filter, you can see when a domain’s expiration date was added to a domain you own (Add) or removed (Remove) and filter by the time period in which the expiration occurs.
With the Domain Mail Exchange Server filter, you can see when a mail exchange was added to (Add) or removed from (Remove) a domain you own.
With the Domain Name Server filter, you can see when a name server was added to (Add) or removed from (Remove) a domain you own.
With the Domain Registrar filter, you can see when registrar information was added to (Add) or removed from (Remove) a domain you own.
Use the Subdomain filter to find events related to the addition (Add) or removal (Remove) of subdomains of an apex domain. You can also search for events related to a specific subdomain name.
If you want to see only the subdomain events related to an apex domain, use this filter with the Domain name filter in the General filter section.
With the Storage Bucket filter, you can see when registrar information was added to (Add) or removed from (Remove) a domain you own.
To access the logbook via API, see our API documentation.