Censys Query Language
Use Censys Query Language (CenQL) to write queries and search your data in the Censys Platform.
A complete list of data fields available for host, web property, and certificate records in the Platform is available in the in-app data definitions.
There are two primary ways to search for hosts, web properties, and certificates: full-text queries and field queries.
Full-text search
A full-text search searches across the entire record for a value, such as “example.com.” It matches any record that contains the search term in any field.
Note
Full-text queries only target the
cert.names,cert.parsed.issuer_dn, andcert.parsed.subject_dnfields for certificate records.
Field-value pairs
CenQL queries can target field-value pairs, like host.location.city="Ann Arbor".
- Field queries target a specific field on a record and can specify the comparison behavior. The syntax for targeting a field-value pair is
<field name> <operator> <value>. - The table below outlines the field-value pair operators that are supported.
Field-value pairs and full-text searches can be combined with logical operators like and, or, and not. You can use comparison operators to target ranges of values.
Field-value pair operators
The following operators are supported for field queries:
Operator | Description | Example query | Hit | Miss |
|---|---|---|---|---|
| A case-insensitive search that uses tokenization (see below). Records that contain the indicated value or values will be matched by the query. |
|
|
|
| Matches if the field is exactly equal to the value. For string fields, this performs a case-sensitive exact match. |
|
| anything else |
| Matches if the field’s value matches against the given regex. Regex matches against any part of the field that matches the regex input. You may include your own Note that in CenQL, special characters must be double-escaped with two backslashes. For example, \w+ and . |
|
|
|
| Matches by comparing the field’s value to the specified value. Range operators work for string, numbers, dates, and IP addresses. |
|
|
|
| Matches if the field contains any non-zero value |
|
| "" |
Tokenization
The : operator in CenQL uses tokenization to split text into searchable "chunks." Instead of scanning the entire data field as one large block of text, the Platform breaks it into smaller tokens.
Tokenization examples
The two examples below describe how tokenization works in the Censys Platform.
- If you query
web.endpoints.http.body: "click save", our Platform locates all services running HTTP and scans the body. It tokenizes"click"and"save"separately and ensures that they are in close proximity to each other in the body. Optimized tokenization allows Censys to handle large amounts of data, including HTML bodies, titles, and metadata, without slowing down performance. - Similarly, when a user searches for
access=denied, the query undergoes the same tokenization process, convertingaccess=deniedintoaccess denied. When the Platform checks the document, it verifies whether the query's tokens appear in the correct order. Since the document containsaccess denied(even though it was originally written asaccess+denied), the search still matches.
Boolean operators and parentheses
You can combine and modify search criteria using and, or, not, and parentheses. Boolean operators are case-insensitive.
and
andUse and to specify multiple criteria that an entire record must match in order to be considered a hit. The query host.services.port=8880 and host.services.protocol=HTTP will return hosts that have port 8880 open (with any service running on it) and an HTTP service running on any port.
| Query description and link | Query syntax |
|---|---|
| Hosts that have port 8880 open (with any service running on it) and an HTTP service running on any port | host.services.port=8880 and host.services.protocol=HTTP |
Note that the query syntax provided in the table above does not require that returned matches are on the same service, just that a host has both of the queried field values present anywhere on the record. The query syntax above could return host records that use port 8880 and are not HTTP. To require that multiple search criteria are present in a single nested object, you need to use nested fields.
or
orThe or operator can be used to provide multiple criteria that a record can match in order to be considered a hit.
| Query description and link | Query syntax |
|---|---|
| Hosts that have either port 21 open (with any service running on it) or an FTP service running on any port | host.services.port=21 or host.services.protocol=FTP |
not
notThe not operator is used to provide criteria that a host must not match in order to be considered a hit.
| Query description and link | Query syntax |
|---|---|
| Host that are not located in the United States | not host.location.country="United States" |
Parentheses and brackets
Use parentheses to include multiple field value pairs or nested fields in a single search query. Brackets can be used to target specific values.
| Query description and link | Query syntax |
|---|---|
| Hosts that are not located in the United States or India | not (host.location.country="United States" or host.location.country="India") |
| Another version of the query above, but using brackets to exclude a range of values | not (host.location.country: {"United States", "India"}) |
| Hosts with services running on only ports 80 and 443 | host.services.port: 80 and host.services.port: 443 and not host.services:(not port:{80, 443}) |
Ranges
Ranges for values like numbers and dates can be defined using the comparison operators >, <, >=, and <=. Integer and date values must be wrapped in quotes or backticks.
You can also use relative time variables with comparison operators.
| Query description and link | Query syntax |
|---|---|
| Certificates added to Censys between October 20 and October 30, 2024, including October 20 and 30 | cert.added_at>="2024-10-20" and cert.added_at<="2024-10-30" |
| Hosts with services scanned in the last 24 hours | host.services.scan_time > "now-1d" |
| Web endpoints with status codes between 200 and 204, including 200 and 204 | web.endpoints: (http.status_code >= "200" and http.status_code <= "204") |
Nested fields
Use nested fields to apply multiple search criteria to a single object within a list of like objects instead of to the entity as a whole.
To apply all of the search criteria to a single object within an array, use parentheses to group those nested fields after the colon separating the nested field name.
| Query description and link | Query syntax |
|---|---|
| Hosts running SSH on port 22 | host.services: (port = "22" and protocol = "SSH") |
| Hosts running version 2.4.62 of HTTPD (Apache HTTP Server) | host.services.software: (product = "httpd" and version = "2.4.62") |
| Hosts running services with an nginx server header | host.services.endpoints.http.headers: (key = "Server" and value = "nginx") |
| Hosts running nginx with "Welcome to nginx!" in the HTML title | host.services: (software.product = "nginx" and endpoints.http.html_title = "Welcome to nginx!") |
Unicode escape sequences
The following sequences will be interpreted as unicode escape sequences to allow users to search for these special characters where they are commonly found, such as service banners and HTTP bodies.
| Escape sequence | Character represented |
|---|---|
\a | Alert |
\b | Backspace |
\e | Escape character |
\f | Formfeed / page break |
\n | Newline |
\r | Carriage return |
\t | Horizontal tab |
\v | Vertical tab |
Regular expression (regex)
CenQL supports using regular expression (regex) in advanced queries. Documentation for using regex in CenQL is available here.
Supported values
CenQL supports the following value types:
Type | Description | Examples |
|---|---|---|
Number | A floating point number |
|
Boolean | True or False |
|
IP Address | IPv4 and IPv6 values |
|
| Classless Inter-Domain Routing (CIDR) | A range of IP addresses. CIDR notation must be wrapped in quotation marks or backticks. |
|
String | Quoted strings may contain white-space, keywords, escapes, and certain special characters. Quoted strings may use single ' or double " quotes. A string that is quoted in backticks do not need to escape any character except a backtick. Unquoted strings are limited to those that match the regex |
|
Date | An RFC 3339 formatted timestamp. Date values can also be input into queries in epoch millisecond format. |
|
Updated 18 days ago