Censys Search Language
Use the Censys Search Language (CSL) in both Legacy Search and Attack Surface Management (ASM). While both products use CSL, the the available fields in each differ.
- In Legacy Search, you use CSL to search across the map of the entire Internet when targeting host records or billions of certificate records when targeting certificates.
- In ASM, you use CSL to search across web assets that been attributed to your organization via Censys' exhaustive attribution process.
- Asset record data fields in ASM are prepended by the type of asset they have been identified on. For example,
host.dns.names
is present on host assets andweb_entity.port
is present on web entity assets.
- Asset record data fields in ASM are prepended by the type of asset they have been identified on. For example,
Queries written in the Censys Search Language provide criteria that a record must meet to be returned as a hit.
Full-text searches
You can search for a word or phrase. When you do not specify a field, the search is conducted across all text-based fields. The search terms are not case-sensitive.
Examples
Field-value pairs
Search structured fields for a value stored there. Fields reflect the nested structure of the host schema using dot notation to separate keys. To search for an exact match, use the equals sign (=
).
Note
You can see all of the data fields available in the Legacy Search datasets on the data definitions page in the web app.
Legacy Search examples
ASM examples
Query description | Legacy Search query |
---|---|
Find all assets that have an HTTP Server header with the word Apache in it | host.services.http.response.headers.value: Apache or web_entity.instances.http.response.headers.value: Apache |
Find all assets whose HTTP Server header contains exactly the word Apache | host.services.http.response.headers.value=Apache or web_entity.instances.http.response.headers.value=Apache |
Wildcard searches
Wildcard symbols are helpful for finding records where you know some part of a value but not all.
Use the asterisk symbol (*
) to substitute zero or more unknown characters.
Use the question mark (?
) to substitute for exactly 1 unknown character.
Legacy Search example
For example, a query that specifies a value of email does not return records where the value is e-mail, because it matches on tokenized words.
Query description | Legacy Search query | Run query in Legacy Search |
---|---|---|
Search for variations of email using the * wildcard: | services.http.response.headers: (key: server and value: e_mail) | Try it |
ASM example
Query description | Legacy Search query | Run query in Legacy Search |
---|---|---|
Search for server header values that start with hero using the wildcard: | host.services: (http.response.headers.key: server and http.response.headers.value.headers: hero*)or web_entity.instances: (http.response.headers.key: server and http.response.headers.value.headers: hero*) | Try it |
Boolean logic
Censys allows the binary operators or, and, and not, as well as parentheses, to combine search criteria.
OR
Use or to provide multiple options that a record can match to be considered a hit.
Legacy Search examples
Query description | Legacy Search query | Run query in Legacy Search |
---|---|---|
Return all hosts located either in the United States or Canada: |
| |
You can also use a set to shorten what can be a long Return all hosts whose country is among this set of countries in the Americas: |
|
ASM examples
Query description | Legacy Search query | Run query in Legacy Search |
---|---|---|
Return all hosts located either in the United States or Canada: | location.country: Canada or location.country: “United States” | |
Return all hosts whose country is among this set of countries in the Americas: | location.country: {Canada, Chile, Honduras, Mexico, “United States”, Uruguay} | Try it |
AND
Use and
to make a search more specific by providing multiple criteria that must match for a host to be considered a hit.
Legacy Search example
Query description | Legacy Search query | Run in query in Legacy Search |
---|---|---|
Return hosts with port 443 open (with any service type) and an HTTP service (on any port): | services.port: 443 and services.service_name: HTTP | Try it |
Note
Unless specified, search criteria apply to a host or certificate as a whole. This query returns hosts with any service on port 443 and HTTP on any port.
ASM example
Query description | Legacy Search query | Run in query in Legacy Search |
---|---|---|
Return hosts with port 443 open (with any service type) and an HTTP service (on any port): | host.services.port: 443 and services.service_name: HTTP | Try it |
Note:
The query returns hosts with any service on port 443 and HTTP on any port. To apply the search criteria to single service, see the Nested Searches syntax section below.
NOT
Use not
to exclude hosts with certain characteristics.
Legacy Search example
Query description | Legacy Search query | Run query in Legacy Search |
---|---|---|
Find hosts running SSH on a non-standard port (for example, neither 22 nor 2222): | services: (service_name: SSH and not port: {22, 2222}) | Try it |
ASM examples
Query description | Legacy Search query | Run query in Legacy Search |
---|---|---|
Find hosts running SSH on a non-standard port (for example, neither 22 nor 2222): | host.services: (service_name: SSH and not port: {22, 2222}) | Try it |
Find any web entities with an instance using an HTTP protocol other than 1.1: | web_entity.instances.http.response.protocol: * and not web_entity.instances.http.response.protocol: "http/1.1" |
Nested fields
Use nested query syntax to apply multiple search criteria to a single object within a list of like objects instead of to the entity as a whole.
To apply all of the search criteria to a single object within an array, use parentheses to group those nested fields after the colon separating the nested field name.
Examples of nested fields include:
Hosts | Certificates |
---|---|
|
|
Legacy Search examples
The services
record on a host can contain any number of services. If you want certain criteria to all be true of a single service on a host, nest field/value pairs inside parentheses following the services
field name.
Query description | Legacy Search query | Run query in Legacy Search |
---|---|---|
Return hosts that are running an HTTP service on port 8888: | services: (port: 8888 and service_name: HTTP) | Try it |
Return host services with both a Cisco iOS operating system and OpenResty application software: | services: (software.uniform_resource_identifier: 'cpe:2.3.a:openresty:*:*:*:*:*:* and services: (software.uniform_resource_identifier: 'cpe:2.3.o:cisco:*:*:*:*:*:* | Try it |
ASM examples
Query description | Legacy Search query | Run query in Legacy Search |
---|---|---|
Find hosts that are running a plain HTTP service on port 443: | host.services: (port: 443 and extended_service_name: HTTP | Try it |
Find web entities with at least 1 instance with both the word username and password in the body: | web_entity.instances: (http.response.body: "username" and http.response.body: "password") | Try it |
Time ranges and values
Use relative time variables to reference relevant time frames in your queries.
Time | Command |
---|---|
Today | [now/d TO now] |
Within the last 4 hours | [now-4h TO now] |
Within the last week | [now-1w TO now] |
Within the last month | [now-1M TO now] |
Within the last year | [now-1y TO now] |
Within the next 12 hours | [now TO now+12h] |
Within the next 24 hours | [now TO now+1d] |
Within the next week | [now TO now+1w] |
Within the next month | [now TO now+1M] |
Legacy Search examples
Query description | Legacy Search query |
---|---|
Search for hosts Updated in the Past Hour: | last_updated_at: [now-1h TO *] |
Search for CVEs with a KEV added in the Past 6 Months: | cves.kev.date_added: [now-6M TO *] |
Search for certificates that were Revoked in the past 8 hours: | revocation.crl.revocation_time: [now-8h TO *] |
Censys ASM examples
Query description | Legacy Search query |
---|---|
Search for a domain that is expiring tomorrow: | domain.expiration_date: [* TO now+1d] |
Search for a risk discovered in the past 3 days: | Risks.discovered_at: [now-3d TO *] |
Search for assets discovered today: | association_date: [now/d TO *] |
Ranges
Ranges allow you to define a spectrum within which a value may fall for the host to be considered a hit. This is useful for numerical values such as dates, version numbers, and IP addresses.
Legacy Search examples
Query description | Legacy Search query | Run query in Legacy Search |
---|---|---|
Search for certificates submitted to the Cloudflare Nimbus 2023 CT log within a date range, not including the first value given: |
| |
Search for online hosts in a non-standard IP address range, including the first and last values given: |
| |
Censys also supports CIDR notation of IP ranges: Search for online hosts whose IPv4 address falls between 35.180.0.0 and 35.180.255.255: |
|
ASM examples
Query description | Legacy Search Query | Run query in Legacy Search |
---|---|---|
Search for certificates whose expiration date is within a (recently passed) date range, not including the first value given: | certificate.parsed.validity_period.not_after: {2022-08-01 to 2022-08-23] | Try it |
Search for hosts in a non-standard IP range, including the first and last values given: | host.ip: [216.189.94.1 to 216.189.94.32] | |
Search for hosts in use within a network assigned to your organization (use the Seed page to look up these CIDRs): | host.ip: 8.8.0.0/16 |
Double quotes
Double quotes search for a phrase instead of a single word. You must wrap whitespace-separated words in double quotes when searching for the phrase to be evaluated as a whole. Searches that specify a phrase for a field value are invalid without the double quotes.
Legacy Search example
Query description | Legacy Search query | Run query in Legacy Search |
---|---|---|
Search for hosts and virtual hosts with an HTML title: | services.http.response.html_title: "your dashboard" | Try it |
ASM example
Query description | Legacy Search query | Run query in Legacy Search |
---|---|---|
Search for hosts with an HTML title: | host.services.http.response.html_title: "your dashboard" | Try it |
Escape sequences and reserved characters
Escape sequences
The following sequences are interpreted as Unicode escape sequences. Use them to search for special characters in commonly used places, such as service banners and HTTP bodies.
For example, services.banner:"Hello\nWorld"
interprets the \n
as a newline instead of as an escaped n
.
Escape sequence | Character represented |
---|---|
\a | Alert |
\b | Backspace |
\e | Escape character |
\f | Formfeed/page break |
\n | Newline |
\r | Carriage return |
\t | Horizontal tab |
\v | Vertical tab |
Reserved characters
The following characters are interpreted as control characters unless they are escaped (preceded) with a backslash or encapsulated in a string that is surrounded by backticks.
= > < ) } ] " * ? : \ /
Use backticks around the entire URI to escape all the asterisks within.
Legacy Search example
Query description | Run query in Legacy Search |
---|---|
Search for hosts running Microsoft IIS version 10.0: | Try it |
ASM example
Query description | Run query in Legacy Search |
---|---|
Search for hosts running Microsoft IIS version 10.0: | Try it |
Updated 20 days ago