Asset Inventory Example Queries

Find untagged assets:

not tags: *

Find assets with one of a set of tags:

tags: {example, example2}

Find all assets with a useful keyword in their name:

host.name: /.*dev.*/ OR certificate.names: /.*dev.*/ OR domain.name: /.*dev.*/ OR storage_bucket.name: /.*dev.*/

Find hosts whose IP address is within a range, written using CIDR notation or using initial and terminal values in brackets:

host.ip: 162.142.125.0/24

OR

host.ip: {162.142.125.0 to 162.142.125.255]

Find hosts that are using an HTTP redirect to another location:

host.services: (http.response.headers: (key: location and value: *) and http.response.status_code: [301 to 302])

Find hosts with an HTTP service that are returning something other than a 200 Status code.

host.services: (http.response.status_code:* and not http.response.status_code: 200)

Find SSH services running on non-standard ports:

host.services: (service_name:ssh and not port:{22, 2222})

May 2022 (CVE-2022-1388): F5 BIG-IP iControl REST Vulnerability:

(host.services.http.response.html_title: "BIG-IP®- Redirect") or host.services.http.response.html_tags=`<meta name="description" content="F5 Networks Configuration Utility.">`

June 2022 (CVE-2022-26134): Confluenza Omicron Edition:

host.services:(http.response.body: `<meta name="ajs-version-number"` and http.response.headers.key: "X-Confluence-Request-Time")

Identify hosts with executables presenting in the HTTP body:

host.services.http.response.body: .exe

Assets with recently discovered risks:

risks.discovered_at: [2022-08-01 to *]

Potentially unknown assets with severe risks:

risks.severity:{critical, high} and source:"censys scan"

Find new assets with a risk:

association_date: {2022-08-01 to *} and risks: *

Find hosts presenting a self-signed certificate:

host.services.tls.certificates.leaf_data.signature.self_signed: true

Search for hosts located in data centers outside of sanctioned clouds:

host.ip: * and not host.cloud:{aws, ovh}

Search for potentially unknown hosts in major Cloud Providers:

source:"censys scan" and host.cloud: {"Amazon Aws", "Google Cloud", "Microsoft Azure", "Alibaba Cloud", "Soft Layer Technologies Inc.", "Tencent Cloud", "Digital Ocean Inc.", "Hetzner Online", "Verizon Communications Inc.", "Oracle Cloud", "Huawei Cloud Service", "US Signal", "Switch Communications Group LLC", "Internap Corporation", "Tier Point LLC", "American Internet Services", "Arvixe", "Cologix Inc.", "Confluence Networks Inc."}