Example ASM Queries
Use these example queries to explore your ASM inventory. Build your own queries using Censys Search Language (CSL) syntax.
General queries
| Query description | Query syntax | Run query in ASM |
|---|---|---|
| Find assets with risk | risks: * | Try it |
| List assets with a tag | tags: {example, example2} | Try it |
| Find all assets with a useful keyword in their name | web_entity.name: /.*dev.*/ OR certificate.names: /.*dev.*/ OR domain.name: /.*dev.*/ OR storage_bucket.name: /.*dev.*/ | Try it |
| Find assets discovered by Censys | source: "Censys Found Seed" or source: "Censys Scan" | Try it |
Host queries
| Query description | Query syntax | Run query in ASM |
|---|---|---|
| Find hosts whose IP address is within a range, written using CIDR notation or using initial and terminal values in brackets |
OR
| Try it Try it |
| Find SSH services running on non-standard ports | host.services: (service_name:ssh and not port:{22, 2222})} | Try it |
| Find hosts that support SSLv3, TLSv1.0, and TLSv1.1 | host.services.tls.versions.tls_version: {SSLv3, TLSv1_0, TLSv1_1} | Try it |
| Hosts and web entities with exposed API endpoints | | Try it |
| Hosts with exposed hardware and a self-signed certificate | | Try it |
| Hosts with open ports associated with common services and high or critical risks | | Try it |
Web entity queries
| Query description | Query syntax | Run query in ASM |
|---|---|---|
| Find web entities that are serving one of the following HTTP applications | web_entity.instances.service_name: {Elasticsearch, Kubernetes, Prometheus} | Try it |
| Web entities and hosts not behind Cloudflare | | Try it |
| Find web entities that are redirecting to another location | web_entity.instances: (not port: 80 and http.response.status_code: [301 to 308]) | Try it |
| Find web entities that are using a plain HTTP connection | web_entity.instances: (not port: 80 and extended_service_name: HTTP) | Try it |
| Web entities with the default landing page label | web_entity.instances.labels: "default-landing-page" | Try it |
| Find web entities that support SSLv3, TLSv1.0, and TLSv1.1 | web_entity.instances.tls.versions.tls_version= {SSLv3, TLSv1_0, TLSv1_1} | Try it |
Vulnerability and risk queries
| Query description | Query syntax | Run query in ASM |
|---|---|---|
| Web entities with high-severity risks | type: WEB_ENTITY and risks.severity: 'High' | Try it |
| High and critical risks discovered in the past three days | risks.discovered_at:[now-3d to *] and risks.severity: {critical, high} | Try it |
| Identify services with executables presenting in the HTTP body | host.services.http.response.body: .exe or web_entity.instances.http.response.body: .exe | Try it |
| List assets with a recently detected risk | risks.discovered_at: [2023-08-20 to *] | Try it |
| Find potentially unknown assets with severe risks | risks.severity:{critical, high} and source:"censys scan" | Try it |
| Find newly discovered assets with a risk | association_date: {2023-08-20 to *} and risks: * | Try it |
| Find hosts presenting a self-signed certificate | host.services.tls.certificate.parsed.signature.self_signed: true or web_entity.instances.tls.certificate.parsed.signature.self_signed: true | Try it |
| Find hosts presenting a certificate whose trust status is revoked | host.services.tls.certificate.revoked: true or web_entity.instances.tls.certificate.revoked: true | Try it |
| AWS storage exposed | | Try it |
Potential shadow cloud
| Query description | Query syntax | Run query in ASM |
|---|---|---|
| Search for hosts located in data centers outside of your sanctioned clouds | host.ip: * and not host.cloud:{aws, ovh} | Try it |
| Search for potentially unknown hosts in major Cloud Providers | source:"censys scan" and host.cloud: {"Amazon Aws", "Google Cloud", "Microsoft Azure", "Alibaba Cloud", "Soft Layer Technologies Inc.", "Tencent Cloud", "Digital Ocean Inc.", "Hetzner Online", "Verizon Communications Inc.", "Oracle Cloud", "Huawei Cloud Service", "US Signal", "Switch Communications Group LLC", "Internap Corporation", "Tier Point LLC", "American Internet Services", "Arvixe", "Cologix Inc.", "Confluence Networks Inc."} | Try it |
