Asset Inventory Example Queries
General Queries
Find untagged assets:
not tags: *
List assets with a tag:
tags: {example, example2}
Find all assets with a useful keyword in their name:
web_entity.name: /.*dev.*/ OR certificate.names: /.*dev.*/ OR domain.name: /.*dev.*/ OR storage_bucket.name: /.*dev.*/
Host Queries
Find hosts whose IP address is within a range, written using CIDR notation or using initial and terminal values in brackets:
host.ip: 2.255.190.0/24
OR
host.ip: {162.142.125.0 to 162.142.125.255]
Find SSH services running on non-standard ports:
host.services: (service_name:ssh and not port:{22, 2222})
Web Entity Queries
Find web entities that are serving one of the following HTTP applications:
web_entity.instances.service_name: {Elasticsearch, Kubernetes, Prometheus}
Find web entities that are redirecting to another location:
web_entity.instances: (not port: 80 and http.response.status_code: [301 to 308])
Find web entities that are using a plain HTTP connection:
web_entity.instances: (not port: 80 and extended_service_name: HTTP)
Vulnerability & Risk Queries
Jan 2023 (CVE-2023-20025): Remote Code Execution Vulnerability in End-of-Life Cisco Routers:
host.services: (service_name: HTTP and tls.certificates.leaf_data.issuer.organizational_unit: {RV042G, RV016, RV042, RV082}) or host.services.http.response.headers: (key: www_authenticate and value.headers: {'="RV016"', '="RV042"', '="RV042G"', '="RV082"'})
Find hacked HTTP servers in your inventory:
host.services.http.response.html_title:"hacked by" or web_entity.instances.http.response.html_title:"hacked by"
Identify services that present an executable in the HTTP response body:
host.services.http.response.body: .exe or web_entity.instances.http.response.body: .exe
List assets with a recently detected risk:
risks.discovered_at: [2023-02-06 to *]
Find potentially unknown assets with severe risks:
risks.severity:{critical, high} and source:"censys scan"
Find newly discovered assets with a risk:
association_date: {2023-02-06 to *} and risks: *
Find hosts presenting a self-signed certificate:
host.services.tls.certificates.leaf_data.signature.self_signed: true
Potential Shadow Cloud
Search for hosts located in data centers outside of sanctioned clouds:
host.ip: * and not host.cloud:{aws, ovh}
Search for potentially unknown hosts in major Cloud Providers:
source:"censys scan" and host.cloud: {"Amazon Aws", "Google Cloud", "Microsoft Azure", "Alibaba Cloud", "Soft Layer Technologies Inc.", "Tencent Cloud", "Digital Ocean Inc.", "Hetzner Online", "Verizon Communications Inc.", "Oracle Cloud", "Huawei Cloud Service", "US Signal", "Switch Communications Group LLC", "Internap Corporation", "Tier Point LLC", "American Internet Services", "Arvixe", "Cologix Inc.", "Confluence Networks Inc."}
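The queries above are built from a handful of syntax pieces: `field: value` terms, `{a, b}` sets, `[low to high]` / `{low to high}` ranges and `field: (...)` nested clauses. The helper below composes them programmatically so longer inventory queries (such as the cloud-provider list) stay consistent; it is an added Python example, not Censys tooling, and its quoting rule (bare tokens unquoted, anything else double-quoted) is an assumption inferred from the examples on this page.

```python
import re

# Assumption (not stated on the page): tokens made only of these characters
# are written bare; anything else (spaces, as in "censys scan" or
# "Amazon Aws") is double-quoted so the query parser does not split it.
_BARE = re.compile(r"^[A-Za-z0-9_.\-/*]+$")


def quote(value):
    """Quote a value only when it would otherwise be split by the parser."""
    s = str(value)
    if _BARE.match(s):
        return s
    return '"' + s.replace('"', '\\"') + '"'


def term(field, value):
    """field: value  (e.g. host.ip: 2.255.190.0/24)"""
    return f"{field}: {quote(value)}"


def one_of(field, values):
    """field: {a, b}  -- set syntax, any listed value matches."""
    return f"{field}: {{{', '.join(quote(v) for v in values)}}}"


def between(field, low, high, inclusive=True):
    """field: [low to high] (inclusive) or field: {low to high} (exclusive)."""
    open_, close = ("[", "]") if inclusive else ("{", "}")
    return f"{field}: {open_}{quote(low)} to {quote(high)}{close}"


def nested(field, *clauses, op="and"):
    """field: (c1 and c2) -- clauses evaluated on the same nested object."""
    return f"{field}: ({f' {op} '.join(clauses)})"


def not_(clause):
    return f"not {clause}"


def all_of(*clauses):
    return " and ".join(clauses)


# Two of the page's queries rebuilt from parts.
def ssh_nonstandard_port(allowed_ports=(22, 2222)):
    return nested("host.services", term("service_name", "ssh"),
                  not_(one_of("port", allowed_ports)))


def unknown_hosts_in_clouds(clouds):
    return all_of(term("source", "censys scan"), one_of("host.cloud", clouds))
```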