Example Queries

Use these example queries to explore your ASM inventory. Build your own queries using Censys Search Language (CSL) syntax.

General queries

Query description

Query syntax

Find assets with risk

risks: *

List assets with a tag

tags: {example, example2}

Find all assets with a useful keyword in their name

web_entity.name: /.*dev.*/ OR certificate.names: /.*dev.*/ OR domain.name: /.*dev.*/ OR storage_bucket.name: /.*dev.*/

Find assets discovered by Censys

source: "Censys Found Seed" or source: "Censys Scan"

Host queries

Query description

Query syntax

Find hosts whose IP address is within a range, written using CIDR notation or using initial and terminal values in brackets

host.ip: 2.255.190.0/24

OR

host.ip: [2.0.0.0 to 3.0.0.0}

Find SSH services running on non-standard ports

host.services: (service_name:ssh and not port:{22, 2222})

Find hosts that support SSLv3, TLSv1.0, and TLSv1.1

host.services.tls.versions.tls_version: {SSLv3, TLSv1_0, TLSv1_1}

Hosts and web entities with exposed API endpoints

host.dns.names: /.*api-.*/ or host.dns.reverse_dns.names: /.*api-.*/ OR host.dns.names: /.*graphql-.*/ or host.dns.reverse_dns.names: /.*graphql-.*/ or web_entity.asset_id: "*graphql*" OR web_entity.asset_id:"*api*"

Hosts with exposed hardware and a self-signed certificate

host.services: (software.part: `h` and tls.certificates.leaf_data.signature.self_signed: `true`) 

Hosts with open ports associated with common services and high or critical risks

host.services.port: {53,3389, 3306, 443, 21, 8443, 5060, 8887, 22} and host.risks.severity: {critical, high}

Web entity queries

Query description

Query syntax

Find web entities that are serving one of the following HTTP applications

web_entity.instances.service_name: {Elasticsearch, Kubernetes, Prometheus}

Web entities and hosts not behind Cloudflare

((host.services.port=443 OR host.services.port=80) AND NOT host.cloud= `CloudFlare Inc`) OR ((web_entity) AND NOT web_entity.instances.cloud='CloudFlare Inc')

Find web entities that are redirecting to another location

web_entity.instances: (not port: 80 and http.response.status_code: [301 to 308])

Find web entities that are using a plain HTTP connection

web_entity.instances: (not port: 80 and extended_service_name: HTTP)

Web entities with the default landing page label

web_entity.instances.labels: "default-landing-page"

Find web entities that support SSLv3, TLSv1.0, and TLSv1.1

web_entity.instances.tls.versions.tls_version= {SSLv3, TLSv1_0, TLSv1_1}

Vulnerability and risk queries

Query description

Query syntax

Web entities with high-severity risks

type: WEB_ENTITY and risks.severity: 'High'

High and critical risks discovered in the past three days

risks.discovered_at:[now-3d to *] and risks.severity: {critical, high}

Identify services with executables present in the HTTP response body

host.services.http.response.body: .exe or web_entity.instances.http.response.body: .exe

List assets with a recently detected risk

risks.discovered_at: [2023-08-20 to *]

Find potentially unknown assets with severe risks

risks.severity:{critical, high} and source:"censys scan"

Find newly discovered assets with a risk

association_date: {2023-08-20 to *} and risks: *

Find hosts presenting a self-signed certificate

host.services.tls.certificate.parsed.signature.self_signed: true or web_entity.instances.tls.certificate.parsed.signature.self_signed: true

Find hosts presenting a certificate whose trust status is revoked

host.services.tls.certificate.revoked: true or web_entity.instances.tls.certificate.revoked: true

AWS storage exposed

risks.name = `AWS Storage Bucket Exposed` and storage_bucket.risks.severity: {high, critical}

Potential shadow cloud

Query description

Query syntax

Search for hosts located in data centers outside of your sanctioned clouds

host.ip: * and not host.cloud:{aws, ovh}

Search for potentially unknown hosts in major cloud providers

source:"censys scan" and host.cloud: {"Amazon Aws", "Google Cloud", "Microsoft Azure", "Alibaba Cloud", "Soft Layer Technologies Inc.", "Tencent Cloud", "Digital Ocean Inc.", "Hetzner Online", "Verizon Communications Inc.", "Oracle Cloud", "Huawei Cloud Service", "US Signal", "Switch Communications Group LLC", "Internap Corporation", "Tier Point LLC", "American Internet Services", "Arvixe", "Cologix Inc.", "Confluence Networks Inc."}