Introduction to the Logbook
The Logbook is a change log of activity related to your assets. The log is sorted by timestamp, with most recent events on top.
Expand any row to see more information about the event, including a diff of the entity. Buttons linking to the asset(s) in question let you navigate to those pages quickly for further investigation.
Censys tracks and reports when changes to your attack surface take place in the following categories:
Filters
Apply filters to see events that meet specific criteria.
General
General filters allow you to narrow the scope of logbook events in the list by including or excluding events that have characteristics or top-level asset identifiers in common.
-
Date Range - A time period during which event(s) occurred. By default, all events from all time are shown.
Figure 2. Filter logbook events by dateNoteTimestamps for logbook events reflect when the event was entered into the logbook. Please read the definition of the event carefully to understand how the timestamp applies. -
IP Address/CIDR - An IP address or block of IP addresses in your attack surface.
Figure 3. Filter logbook events by IP address or CIDR block -
Domain - An apex domain you own.
Figure 4. Filter logbook events by domain name -
Certificate - The SHA-256 fingerprint of a TLS certificate you own.
Figure 5. Filter logbook events by certificate fingerprint -
Tags - Any tags you have applied to this asset.
Figure 6. Filter logbook events by asset tag -
Included Log Types - Types of events that you can hide from the view or restrict the view to.
Certificate
Use the Certificate filter to see when certificates were associated to your organization (Associate), or when they were removed (Disassociate).
When might a Certificate Associate event occur?
Examples:
-
Your TLS Certificate Issuer issues you a new certificate (perhaps your old one expired) and it was discovered in our scan.
-
In following the connections between Internet objects, Censys finds an existing certificate of yours that’s never been seen before and adds it to your asset collection.
When might a Certificate Disassociate event occur?
-
This event is only generated if there are no longer any connections between a certificate and other assets belonging to your organization.
Vulnerability (CVE)
Using the Vulnerability filter, you can restrict the display to only vulnerability event types, and then filter those events by CVE-ID, CVSS score, or when a vulnerability was added to a host (Add), removed from a host (Remove), or when the CVE-ID itself was updated (Change).
When might a Vulnerability Add event occur?
Examples:
-
A new host running a certain software with a CVE-ID was attributed to your organization. (In this case, other preceding events such as Host Associate and Software Add events would accompany the Vulnerability Add event.)
-
A host belonging to your organization reports a new software package or version, and a CVE-ID is found for that version (In this case, other preceding events such as Software Remove, Vulnerability Remove and Software Add events would accompany the Vulnerability Add event).
When might a Vulnerability Remove event occur?
Examples:
-
A host that was running a certain software with a CVE-ID was disassociated with your organization (In this case, other preceding events such as Host Disassociate and Software Remove events would accompany the Vulnerability Remove event).
Host/Cert Association
With the Host/Cert Association filter, you can see when a certificate was seen on a host (Add) or not seen on a host (Remove).
When might a Host/Cert Association Add event occur?
-
A TLS certificate in your asset collection was presented for the first time during a TLS handshake with a host you own.
-
A TLS certificate not previously in your asset collection was presented for the first time during a TLS handshake with a host you own (In this case, the Certificate Associate event would precede the Host/Cert Association Add event).
When might a Host/Cert Association Remove event occur?
Examples:
-
A TLS certificate in your asset collection that was previously presented by a host you own was not presented during the most recent TLS handshake.
-
A TLS certificate was disassociated with your organization (In this case, the Certificate Disassociate event would accompany the Host/Cert Association Remove event).
-
A host was disassociated with your organization (In this case, the Host Disassociate event would accompany the Host/Cert Association Remove event).
Host
Use the Host filter to view when hosts was added (Associate) or removed from your asset collection (Disassociate).
When might a Host Associate event occur?
Examples:
-
An IP address within a CIDR you own that in previous scans was not live was found to have an open port in Censys' latest scan.
-
Your organization deployed a service in the cloud and some of your assets now point to the IP where the service is running.
When might a Host Disassociate event occur?
Examples:
-
An IP address that in previous scans was live was not found in Censys' latest scan.
-
A service that is running in the cloud was automatically shuffled to a different IP address by your cloud provider, and no connections between your other assets and that IP address were found in the latest Censys scan.
Host Risk
With the Host Risk filter, you can see when a risk was seen on a host (Add) or not seen on a host (Remove).
When might a Host Risk Add event occur?
Examples:
-
A new host is added to your organization because a connection was discovered between it and other assets, and the host has properties that Censys flags as a risk (In this case, other host-related events would accompany this event).
-
A host already associated to your organization has changed and now has properties that Censys flags as a risk.
When might a Host Risk Remove event occur?
Examples:
-
A host already associated to your organization has changed and now its properties are such that Censys no longer sees this risk.
-
A host is removed from your organization (In this case, other host-related events would accompany this event).
Modified Risk
With the Modified Risk filter, you can see when a risk’s severity was changed in the Censys ASM platform.
When might a Modified Risk event occur?
A modified risk event indicates that a team member changed the severity of a risk type in the ASM platform.
Port
Using the Port filter, you can select events that report when TCP/IP ports were added (Add) or removed (Remove) from your hosts, or select which port number-related events to include or exclude from the logbook.
When might a Port Add event occur?
Examples:
-
The latest scan of the Internet shows a previously unseen port number open on a host that is associated to you.
-
A new host with ports open is attributed to you (In this case, the Host Add event would accompany the Port Add event).
When might a Port Remove event occur?
Examples:
-
The latest scan of the Internet does not find a previously open port number on a host associated to you.
-
A host is removed from your asset collection (In this case, the Host Disassociate event would accompany the Port Remove event).
Protocol
Use the Protocol filter to select events that document when application-layer protocols such as HTTP or SMTP were detected (Add) or removed from your hosts (Remove), or choose to include or exclude events related to a particular protocol.
When might a Protocol Add event occur?
-
An open port on a host attributed to you is discovered to have a known protocol in the latest Censys scan.
-
A new host is associated to you with a known protocol used on one of its open ports (In this case the Host Associate and Port Add events would precede the Protocol Add event_).
When might a Protocol Remove event occur?
-
A previously open port/protocol pair on a host attributed to you is found to be closed in the latest Censys scan (In this case, the Port Remove event would accompany the Protocol Remove event).
Software
With the Software filter, you can select events showing when a software version was added (Add) or removed (Remove) from a host, or you can select which software-related events to include or exclude from the logbook.
When might a Software Add event occur?
-
An application was updated with the latest version of the software it’s running (In this case, the Software Add event would be preceded by a Software Remove event documenting the removal of the old software version from this host).
When might a Software Remove event occur?
Examples:
-
The port that a software was exposed on was closed (In this case, a Port Remove and Protocol Remove event would accompany the Software Remove event).
-
A host was disassociated with your organization (In this case, the Host Disassociate, Port Remove and Protocol_Remove events would precede the Software Remove event).
Domain
Apex domains are root domains in the sense that they are only subdomains of a TLD (e.g., com) or eTLD (e.g., co.uk).
These domains often identify large portions of your Internet-facing business.
With the Domain filter, you can see when a domain was added to your asset collection (Associate) or removed from your asset collection (Disassociate).
When might a Domain Associate event occur?
Examples:
-
Someone in your organization adds a domain name as a seed.
-
A domain name is attributed to your organization after being found on a certificate you own.
When might a Domain Disassociate event occur?
Examples:
-
A domain name no longer has any connections to other assets in your organization and is not attributed to you.
-
Someone in your organization excludes a domain from your asset collection.
Domain Risk
With the Domain Risk filter, you can see when a domain risks were identified (Add) or removed (Removed).
When might a Domain Expiration Date Add event occur?
-
After a domain is associated to your organization, the date of expiration of the domain’s registration is discovered, and that expiration is within the next 30 or 7 days (or has already passed).
Domain Expiration Date
With the Domain Expiration Date filter, you can see when a domain’s expiration date was added to a domain you own (Add) or removed (Remove) and filter by the time period in which the expiration will occur.
When might a Domain Expiration Date Add event occur?
-
After a domain is associated to your organization, the date of expiration of the domain’s registration is discovered.
When might a Domain Expiration Date Change event occur?
-
Your organization renews the registration of your domain name.
When might a Domain Expiration Date Remove event occur?
-
This event is only generated if the domain is disassociated with your asset collection (In this case, there would be an accompanying Domain Disassociate event).
Mail Exchange Server
With the Domain Mail Exchange Server filter, you can see when a mail exchange was added to (Add) or removed from (Remove) a domain you own.
When might a Mail Exchange Server Add event occur?
Example:
-
Mail exchange server records for a domain you own are discovered in the DNS.
When might a Mail Exchange Server Remove event occur?
Examples:
-
Previously seen mail exchange server records for a domain you own are not found in the DNS.
-
The domain is removed from your organization’s asset collection (In this case, the Domain Disassociate event would accompany this event).
Name Server
With the Domain Name Server filter, you can see when a name server was added to (Add) or removed from (Remove) a domain you own.
When might a Name Server Add event occur?
Examples:
-
A new name server record for a domain you own are found in the DNS.
-
A domain is added from your organization’s asset collection and its name server records are discovered (In this case, the Domain Associate event would accompany this event).
When might a Name Server Remove event occur?
Examples:
-
Previously seen name server records for a domain you own are not found in the DNS.
-
The domain is removed from your organization’s asset collection (In this case, the Domain Disassociate event would accompany this event).
Domain Registrar
With the Domain Registrar filter, you can see when registrar information was added to (Add) or removed from (Remove) a domain you own.
When might a Domain Registrar Add event occur?
Examples:
-
A new registration record for a domain you own are found.
-
A domain is added from your organization’s asset collection and its registration records are discovered (In this case, the Domain Associate event would accompany this event).
When might a Domain Registrar Remove event occur?
Examples:
-
Previously seen registration records for a domain you own are no longer found.
-
A domain is removed from your organization’s asset collection (In this case, the Domain Disassociate event would accompany this event).
Subdomain
Use the subdomain filter to find events related to the addition (Add) or removal (Remove) of subdomains to an apex domain. You can also search for events related to a specific subdomain name.
If you wish to see only the subdomain events related to an apex domain, use this filter in conjunction with the Domain name filter in the General filter section.
Storage Bucket
With the Storage Bucket filter, you can see when registrar information was added to (Add) or removed from (Remove) a domain you own.
When might a Storage Bucket Add event occur?
Examples:
-
A new bucket is added to ASM directly from a connected CSP account.
-
A storage bucket with names and/or keywords related to your organization is discovered.
When might a Storage Bucket Remove event occur?
Examples:
-
A storage bucket is no longer present in your connected CSP account.
More Information
To access the logbook via API, see our API documentation.
Comments
0 comments
Article is closed for comments.