Host Enrichment
The Enrichment API is a new, lightweight Censys API purpose-built to help security teams operationalize external internet data without the friction of traditional credit consumption.
It provides a curated, fixed subset of host IPv4/IPv6 data designed specifically for high-volume, automated lookups in SOC environments, such as SIEM and SOAR integrations.
Key Benefits
- Operationalize at Scale: Perform automated lookups without consuming your standard API credit balance.
- Optimized for Triage: Receive a standardized, compact response that minimizes ingestion costs and speeds up the triage process for analysts.
- Seamless Integration: The API uses the same authentication as your existing Censys tools, making it a drop-in replacement for automated workflows.
Usage and Limits
- Daily Capacity: The plan includes a limit of 20,000 lookups per day.
- Availability: This feature is available to customers on the Censys Core plan.
Enrichment API vs getHost API
We have designed the Enrichment API to complement, not replace, the getHost API. Think of this as a “quick glance” versus a “deep dive”.
- Use the Enrichment API for automated SOAR playbook triage, high-volume alert enrichment, and determining whether an IP address warrants further investigation. These calls WON'T consume credits from your standard allocation.
- Use the standard getHost API (credit based) for manual analyst investigations, deep-dive incident response where the full host profile is required, and complex querying. This WILL consume your allotted credits.
Data Fields
The Enrichment API returns a fixed set of fields:
- The returned fields are not customizable and the response does not show any historical data. Data returned contains the latest scan data only.
- The response is intentionally compact to minimize SIEM ingestion costs and speed up triage.
| Field Category | Field Name |
|---|---|
| Timestamp | Last Scan Timestamp |
| Geo Location | host.location.city, host.location.country, host.location.country_code |
| WhoIs | host.whois.network.handle, host.whois.network.name, host.whois.organization.name, host.whois.organization.address |
| Autonomous System (ASN) | host.autonomous_system.asn, host.autonomous_system.description, host.autonomous_system.bgp_prefix, host.autonomous_system.name, host.autonomous_system.country_code |
| Forward DNS | host.dns.names |
| Reverse DNS | host.dns.reverse_dns.names |
| Services | host.service_count, host.services.port, host.services.protocol |
| Labels | host.services.labels.value, host.labels.value |
| Reputation Score | host.reputation.score, host.reputation.score_level, host.reputation.evidence.category, host.reputation.evidence.evidence_score |
| Threat | host.services.threats.type, host.services.threats.tactic, host.services.threats.id, host.services.threats.name |
| 3rd Party - GreyNoise | host.greynoise.actor, host.greynoise.classification, host.greynoise.tags.name, host.greynoise.last_observed_time |
| 3rd Party - IPinfo (Network) | host.network.hosting, host.network.mobile, host.network.satellite |
| 3rd Party - IPinfo (Privacy) | host.privacy.anonymous, host.privacy.tor, host.privacy.proxy, host.privacy.relay, host.privacy.vpn |
| 3rd Party - Mallory | ip-enrichment service |
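
A triage step built on the fields above, as an added example (not Censys code): it looks up each distinct alert IP once, stays within a lookup budget, and returns the hosts that warrant a getHost deep dive. The nested JSON layout, the `lookup` callable, the sample records, the "malicious" classification value and the escalation rules are assumptions; the page documents only the field names and the 20,000-per-day limit.

```python
DAILY_LIMIT = 20_000  # daily lookup limit stated on this page
PRIVACY_FLAGS = ("anonymous", "tor", "proxy", "relay", "vpn")

# Constructed sample records (documentation-range IPs); nested layout is assumed.
SAMPLE = {
    "198.51.100.7": {"host": {"privacy": {"tor": True, "vpn": False},
        "services": [{"port": 22, "threats": [{"name": "ExampleBot"}]}]}},
    "203.0.113.9": {"host": {"greynoise": {"classification": "benign"},
        "services": [{"port": 443}]}},
}

def values_at(record, dotted):
    """Collect all values at a dotted field path, descending through lists."""
    nodes = [record]
    for key in dotted.split("."):
        found = []
        for node in nodes:
            child = node.get(key) if isinstance(node, dict) else None
            if isinstance(child, list):
                found.extend(child)
            elif child is not None:
                found.append(child)
        nodes = found
    return nodes

def triage(record):
    """Return reasons to escalate to getHost (illustrative rules, not Censys guidance)."""
    reasons = []
    threats = values_at(record, "host.services.threats.name")
    if threats:
        reasons.append("threat:" + ",".join(sorted(set(threats))))
    if "malicious" in values_at(record, "host.greynoise.classification"):
        reasons.append("greynoise:malicious")
    flags = [f for f in PRIVACY_FLAGS if True in values_at(record, "host.privacy." + f)]
    if flags:
        reasons.append("privacy:" + ",".join(flags))
    return reasons

def enrich_alerts(ips, lookup, remaining=DAILY_LIMIT):
    """Look up each distinct IP once; return (escalations, deferred IPs, budget left)."""
    escalate, deferred = {}, []
    for ip in dict.fromkeys(ips):      # de-duplicate while keeping alert order
        if remaining <= 0:
            deferred.append(ip)        # over budget: retry after the limit resets
            continue
        remaining -= 1
        reasons = triage(lookup(ip))
        if reasons:
            escalate[ip] = reasons
    return escalate, deferred, remaining
```

In a playbook, `lookup` would wrap the authenticated Enrichment API call, and `remaining` would be persisted between runs so the counter reflects the whole day.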
