Censys Query Language
Use Censys Query Language (CenQL) to write queries and search across data in the Censys Platform.
There are two primary ways to search across host, web property, and certificate data: full-text queries and field-value queries. You can also use the Query Assistant in the Platform web UI to generate valid CenQL queries using natural language input.
NoteYou can directly look up a host or certificate by entering its IP address or SHA-256 hash, respectively, in the Platform search bar.
Full-text queries
A full-text search searches across the entire record for a value, such as "example.com". It matches any record that contains the search term in any field.
Full-text queries only target the cert.names, cert.parsed.issuer_dn, and cert.parsed.subject_dn fields for certificate records.
Field-value queries
CenQL queries can target field-value pairs, like host.location.city="Ann Arbor". A complete list of data fields available for host, web property, and certificate records in the Platform is available in the in-app data definitions.
- Field queries target a specific field on a record and can specify the comparison behavior. The syntax for targeting a field-value pair is
<field name> <operator> <value>. - The table below outlines the field-value pair operators that are supported.
Field-value pairs and full-text searches can be combined with logical operators like and, or, and not. You can use comparison operators to target ranges of values.
Field-value pair operators
The following operators are supported for field queries:
| Operator | Description | Example query | Hit | Miss |
|---|---|---|---|---|
: | A case-insensitive search that uses tokenization (see below). Records that contain the indicated value or values will be matched by the query. | field: "hello" | Hello World | Hi World |
= | Matches if the field is exactly equal to the value. For string fields, this performs a case-sensitive exact match. | field= "hello" | hello | anything else |
=~ | Matches if the field’s value matches against the given regex. Regex matches against any part of the field that matches the regex input. You may include your own | | Hello World | World Hello |
<, >, <=, >= | Matches by comparing the field’s value to the specified value. Range operators work for string, numbers, dates, and IP addresses. | field > 10 | 20 | 9 |
:* | Matches if the field contains any non-zero value | field: * | hello | "" |
Tokenization
The : operator in CenQL uses tokenization to split text into searchable "chunks." Instead of scanning the entire data field as one large block of text, the Platform breaks it into smaller tokens.
Tokenization examples
The two examples below describe how tokenization works for hosts and web properties in the Censys Platform.
- If you run the query
web.endpoints.http.body: "click save", the Platform locates all services running HTTP and scans the body. It tokenizes "click" and "save" separately and ensures that they are in close proximity to each other in the body. Optimized tokenization allows Censys to handle large amounts of data, including HTML bodies, titles, and metadata, without slowing down performance. - Similarly, when a user searches for
web.endpoints.http.body: "access=denied, the query undergoes the same tokenization process, convertingaccess=deniedinto access denied and will match on that phrase. When the Platform checks a document, it verifies that the query's tokens appear in the correct order.
Tokenization and certificate data
Tokenization via the : operator works differently for certificate data in the Platform.
All *.common_name and cert.names fields utilize a subdomain analyzer. This method would extract the tokens abcdefg-1234567.example.domain.com,example.domain.com, and domain.com from cert.parsed.subject.common_name: "abcdefg-1234567.example.domain.com".
The only way to search for matches based on a component of a string that would be tokenized when using : is to use regex. For example, you could run:
cert.parsed.subject.common_name=~`^abcdefg-1234567`This would return any certificates with common names that begin with abcdefg-1234567.
Aliased fields
Some fields are grouped into aliases to make it easier to search across multiple fields at once. Aliases can be used in the Platform web UI or API.
The table below lists aliases and their fields.
| Alias | Fields included |
|---|---|
banner | host.services.bannerhost.services.endpoints.bannerweb.endpoints.banner |
cpe | host.hardware.cpehost.hardware.components.cpehost.services.hardware.components.cpehost.services.hardware.cpehost.services.software.components.cpehost.services.software.cpehost.operating_system.components.cpehost.operating_system.cpehost.services.operating_systems.components.cpehost.services.operating_systems.cpeweb.operating_systems.components.cpeweb.operating_systems.cpeweb.hardware.cpeweb.hardware.components.cpeweb.software.cpeweb.software.components.cpe |
sha256 | web.endpoints.banner_hash_sha256web.endpoints.http.body_hash_sha256web.endpoints.http.favicons.hash_sha256host.services.endpoints.http.body_hash_sha256host.services.endpoints.http.favicons.hash_sha256host.services.endpoints.banner_hash_sha256host.services.banner_hash_sha256cert.fingerprint_sha256host.services.cert.fingerprint_sha256web.cert.fingerprint_sha256 |
labels | host.labels.valuehost.services.labels.valueweb.labels.valuecert.labels |
product | host.hardware.components.producthost.hardware.producthost.services.hardware.components.producthost.services.hardware.producthost.services.software.components.producthost.services.software.producthost.operating_system.components.producthost.operating_system.producthost.services.operating_systems.components.producthost.services.operating_systems.productweb.operating_systems.components.productweb.operating_systems.productweb.hardware.productweb.hardware.components.productweb.software.components.productweb.software.product |
vendor | host.hardware.components.vendorhost.hardware.vendorhost.services.hardware.components.vendorhost.services.hardware.vendorhost.services.software.components.vendorhost.services.software.vendorhost.operating_system.components.vendorhost.operating_system.vendorhost.services.operating_systems.vendorhost.services.operating_systems.components.vendorweb.hardware.components.vendorweb.hardware.vendorweb.software.vendorweb.software.components.vendorweb.operating_systems.vendorweb.operating_systems.components.vendor |
vulns | host.services.vulns.idweb.vulns.id |
vuln_score | web.vulns.metrics.cvss_v31.scoreweb.vulns.metrics.cvss_v40.scoreweb.vulns.metrics.cvss_v30.scorehost.services.vulns.metrics.cvss_v30.scorehost.services.vulns.metrics.cvss_v31.scorehost.services.vulns.metrics.cvss_v40.score |
threats | host.services.threats.name web.threats.name |
screenshots | host.services.screenshots.handle |
sha1 | host.services.redis.git_sha1host.services.cert.fingerprint_sha1host.services.endpoints.http.body_hash_sha1cert.fingerprint_sha1web.cert.fingerprint_sha1 web.endpoints.http.body_hash_sha1 |
org | host.whois.organization.namehost.autonomous_system.organizationhost.services.cert.parsed.subject.organizationhost.services.cert.parsed.issuer.organizationweb.cert.parsed.subject.organizationweb.cert.parsed.issuer.organizationcert.parsed.subject.organizationcert.parsed.issuer.organization |
Alias nuances
Aliases cannot be used in queries that target nested fields. For example, host.services: (protocol: SSH and product: "OpenSSH") is invalid.
Only fields that your account has access to are included in an alias search. If you search across the product alias on a Censys Free account, then *.components fields will not be included.
You cannot create a report broken down by an alias.
twist function
twist functionUse the twist function to find field values that are similar to a specified value. This is similar to the functionality provided by dnstwist, but has a more limited scope. When targeting domains, the twist function in CenQL will run fewer permutations than dnstwist does.
Additionally, the function is less successful at finding related values to domains that are limited to two or three characters (for example, ab.com or abc.com).
The twist function is available to all users.
You can build queries that incorporate the twist function using the following structure:
twist([fieldname], `[value]`)You can use the twist function to find typosquatted domains or domains attempting to impersonate a valid domain by omitting known domains from your query. For example, the following query will find web properties that use names similar to censys.io but will omit results that include censys.io.
twist(web.hostname, `censys.io`) and not web.hostname:`censys.io`You can use a query similar to the one provided above in a collection to find existing and new suspicious domains.
Boolean operators and parentheses
You can combine and modify search criteria using and, or, not, and parentheses. Boolean operators are case-insensitive.
and
andUse and to specify multiple criteria that an entire record must match in order to be considered a hit. The query host.services.port=8880 and host.services.protocol=HTTP will return hosts that have port 8880 open (with any service running on it) and an HTTP service running on any port.
| Query description and link | Query syntax |
|---|---|
| Hosts that have port 8880 open (with any service running on it) and an HTTP service running on any port | host.services.port=8880 and host.services.protocol=HTTP |
Note that the query syntax provided in the table above does not require that returned matches are on the same service, just that a host has both of the queried field values present anywhere on the record. The query syntax above could return host records that use port 8880 and are not HTTP. To require that multiple search criteria are present in a single nested object, you need to use nested fields.
or
orThe or operator can be used to provide multiple criteria that a record can match in order to be considered a hit.
| Query description and link | Query syntax |
|---|---|
| Hosts that have either port 21 open (with any service running on it) or an FTP service running on any port | host.services.port=21 or host.services.protocol=FTP |
not
notThe not operator is used to provide criteria that a host must not match in order to be considered a hit.
| Query description and link | Query syntax |
|---|---|
| Host that are not located in the United States | not host.location.country="United States" |
Parentheses and brackets
Use parentheses to include multiple field value pairs or nested fields in a single search query. Brackets can be used to target specific values.
| Query description and link | Query syntax |
|---|---|
| Hosts that are not located in the United States or India | not (host.location.country="United States" or host.location.country="India") |
| Another version of the query above, but using brackets to exclude a range of values | not (host.location.country: {"United States", "India"}) |
| Hosts with services running on only ports 80 and 443 | host.services.port: 80 and host.services.port: 443 and not host.services:(not port:{80, 443}) |
Ranges
Ranges for values like numbers and dates can be defined using the comparison operators >, <, >=, and <=. Integer and date values must be wrapped in quotes or backticks.
You can also use relative time variables with comparison operators.
| Query description and link | Query syntax |
|---|---|
| Certificates added to Censys between October 20 and October 30, 2024, including October 20 and 30 | cert.added_at>="2024-10-20" and cert.added_at<="2024-10-30" |
| Hosts with services scanned in the last 24 hours | host.services.scan_time > "now-1d" |
| Web endpoints with status codes between 200 and 204, including 200 and 204 | web.endpoints: (http.status_code >= "200" and http.status_code <= "204") |
Nested fields
Use nested fields to apply multiple search criteria to a single object within a list of like objects instead of to the entity as a whole.
To apply all of the search criteria to a single object within an array, use parentheses to group those nested fields after the colon separating the nested field name.
| Query description and link | Query syntax |
|---|---|
| Hosts running SSH on port 22 | host.services: (port = "22" and protocol = "SSH") |
| Hosts running version 2.4.62 of HTTPD (Apache HTTP Server) | host.services.software: (product = "httpd" and version = "2.4.62") |
| Hosts running services with an nginx server header | host.services.endpoints.http.headers: (key = "Server" and value = "nginx") |
| Hosts running nginx with "Welcome to nginx!" in the HTML title | host.services: (software.product = "nginx" and endpoints.http.html_title = "Welcome to nginx!") |
Unicode escape sequences
The following sequences will be interpreted as unicode escape sequences to allow users to search for these special characters where they are commonly found, such as service banners and HTTP bodies.
| Escape sequence | Character represented |
|---|---|
\a | Alert |
\b | Backspace |
\e | Escape character |
\f | Formfeed / page break |
\n | Newline |
\r | Carriage return |
\t | Horizontal tab |
\v | Vertical tab |
Regular expression (regex)
CenQL supports using regular expression (regex) in advanced queries. Documentation for using regex in CenQL is available here.
Quick search across CIDR blocks
To quickly search for a CIDR block in the Platform web UI, you can input a range of IPs in CIDR notation in the search bar without specifying a field to target.
To combine a CIDR block search with other fields, use host.ip and the format host.ip: "cidrblock".
Field types
When you target certain data fields with CenQL queries, they must include valid values for that field type. The following table provides examples of data field types and values in the Censys datasets.
| Type | Description | Examples |
|---|---|---|
| boolean | True or false values. | TrueFalse |
| ip | IP addresses. When searching host.ip with a CIDR block, wrap it in quotes or backticks. | 1.1.1.1 |
| ip_range | A range of ip values. | 125.8.0.0/13 |
| String | Quoted strings may contain white-space, keywords, escapes, and certain special characters. Quoted strings may use single ' or double " quotes. A string that is quoted in backticks do not need to escape any character except a backtick. Unquoted strings are limited to those that match the regex | "hello world"hello.worldhello-worldhello_world |
| date | An RFC 3339 formatted timestamp. Date values can also be input into queries in epoch millisecond format. | 2024-10-25T00:00:00-04:002024-10-251746618176700 |
| unsigned_long | A numeric value that represents an unsigned 64-bit integer with a minimum value of 0 and a maximum value of 218446744073709551615. Examples include fields with human-readable numbers like host.services.port and version numbers for some named service and protocol data fields, like host.services.tacacs_plus.version. | 22 3389 |
| text | Full-text content. Examples include banner content (host.services.banner, host.services.endpoints.banner, web.endpoints.banner, and so on) and their hashes. Popular fields like host.services.software.product, host.services.software.version, and host.services.software.cpe use this type. | HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n 1.16.1 |
Updated 2 months ago