Censys Search Language

Use the Censys Search Language (CSL) in both Legacy Search and Attack Surface Management (ASM). While both products use CSL, the the available fields in each differ.

  • In Legacy Search, you use CSL to search across the map of the entire Internet when targeting host records or billions of certificate records when targeting certificates.
  • In ASM, you use CSL to search across web assets that been attributed to your organization via Censys' exhaustive attribution process.
    • Asset record data fields in ASM are prepended by the type of asset they have been identified on. For example, host.dns.names is present on host assets and web_entity.port is present on web entity assets.

Queries written in the Censys Search Language provide criteria that a record must meet to be returned as a hit.

Full-text searches

You can search for a word or phrase. When you do not specify a field, the search is conducted across all text-based fields. The search terms are not case-sensitive.

Examples

Query descriptionLegacy Search queryRun query in Legacy Search
Query for hosts with any field that contains the term “hello”:helloTry it
Query for multi-word phrase "hello world":"hello world"Try it

Field-value pairs

Search structured fields for a value stored there. Fields reflect the nested structure of the host schema using dot notation to separate keys. To search for an exact match, use the equals sign (=).

📘

Note

You can see all of the data fields available in the Legacy Search datasets on the data definitions page in the web app.

Legacy Search examples

Query descriptionLegacy Search queryRun query in Legacy Search
Find all devices with a software product with the word Windows in itservices.software.product: WindowsTry it
Find all devices with a software product that is an exact match to Windowsservices.software.product=WindowsTry it

ASM examples

Query descriptionLegacy Search query
Find all assets that have an HTTP Server header with the word Apache in ithost.services.http.response.headers.value: Apache or web_entity.instances.http.response.headers.value: Apache
Find all assets whose HTTP Server header contains exactly the word Apachehost.services.http.response.headers.value=Apache or web_entity.instances.http.response.headers.value=Apache

Wildcard searches

Wildcard symbols are helpful for finding records where you know some part of a value but not all.

Use the asterisk symbol (*) to substitute zero or more unknown characters.
Use the question mark (?) to substitute for exactly 1 unknown character.

Legacy Search example

For example, a query that specifies a value of email does not return records where the value is e-mail, because it matches on tokenized words.

Query descriptionLegacy Search queryRun query in Legacy Search
Search for variations of email using the * wildcard:services.http.response.headers: (key: server and value: e_mail)Try it

ASM example

Query descriptionLegacy Search queryRun query in Legacy Search
Search for server header values that start with hero using the wildcard:host.services: (http.response.headers.key: server and http.response.headers.value.headers: hero*)or web_entity.instances: (http.response.headers.key: server and http.response.headers.value.headers: hero*)Try it

Boolean logic

Censys allows the binary operators or, and, and not, as well as parentheses, to combine search criteria.

OR

Use or to provide multiple options that a record can match to be considered a hit.

Legacy Search examples

Query description

Legacy Search query

Run query in Legacy Search

Return all hosts located either in the United States or Canada:

location.country: Canada or location.country: “United States”

Try it

You can also use a set to shorten what can be a long or statement:

Return all hosts whose country is among this set of countries in the Americas:

location.country: {Canada, Chile, Honduras, Mexico, “United States”, Uruguay}

Try it

ASM examples

Query descriptionLegacy Search queryRun query in Legacy Search
Return all hosts located either in the United States or Canada:location.country: Canada or location.country: “United States”
Return all hosts whose country is among this set of countries in the Americas:location.country: {Canada, Chile, Honduras, Mexico, “United States”, Uruguay}Try it

AND

Use and to make a search more specific by providing multiple criteria that must match for a host to be considered a hit.

Legacy Search example

Query descriptionLegacy Search queryRun in query in Legacy Search
Return hosts with port 443 open (with any service type) and an HTTP service (on any port):services.port: 443 and services.service_name: HTTPTry it

📘

Note

Unless specified, search criteria apply to a host or certificate as a whole. This query returns hosts with any service on port 443 and HTTP on any port.

ASM example

Query descriptionLegacy Search queryRun in query in Legacy Search
Return hosts with port 443 open (with any service type) and an HTTP service (on any port):host.services.port: 443 and services.service_name: HTTPTry it

📘

Note:

The query returns hosts with any service on port 443 and HTTP on any port. To apply the search criteria to single service, see the Nested Searches syntax section below.

NOT

Use not to exclude hosts with certain characteristics.

Legacy Search example

Query descriptionLegacy Search queryRun query in Legacy Search
Find hosts running SSH on a non-standard port (for example, neither 22 nor 2222):services: (service_name: SSH and not port: {22, 2222})Try it

ASM examples

Query descriptionLegacy Search queryRun query in Legacy Search
Find hosts running SSH on a non-standard port (for example, neither 22 nor 2222):host.services: (service_name: SSH and not port: {22, 2222})Try it
Find any web entities with an instance using an HTTP protocol other than 1.1:web_entity.instances.http.response.protocol: * and not web_entity.instances.http.response.protocol: "http/1.1"

Nested fields

Use nested query syntax to apply multiple search criteria to a single object within a list of like objects instead of to the entity as a whole.

To apply all of the search criteria to a single object within an array, use parentheses to group those nested fields after the colon separating the nested field name.

Examples of nested fields include:

Hosts

Certificates

  • services
  • services.software
  • services.http.response.headers
  • ct.entries

Legacy Search examples

The services record on a host can contain any number of services. If you want certain criteria to all be true of a single service on a host, nest field/value pairs inside parentheses following the services field name.

Query descriptionLegacy Search queryRun query in Legacy Search
Return hosts that are running an HTTP service on port 8888:services: (port: 8888 and service_name: HTTP)Try it
Return host services with both a Cisco iOS operating system and OpenResty application software:services: (software.uniform_resource_identifier: 'cpe:2.3.a:openresty:*:*:*:*:*:* and services: (software.uniform_resource_identifier: 'cpe:2.3.o:cisco:*:*:*:*:*:*Try it

ASM examples

Query descriptionLegacy Search queryRun query in Legacy Search
Find hosts that are running a plain HTTP service on port 443:host.services: (port: 443 and extended_service_name: HTTPTry it
Find web entities with at least 1 instance with both the word username and password in the body:web_entity.instances: (http.response.body: "username" and http.response.body: "password")Try it

Time ranges and values

Use relative time variables to reference relevant time frames in your queries.

TimeCommand
Today[now/d TO now]
Within the last 4 hours[now-4h TO now]
Within the last week[now-1w TO now]
Within the last month[now-1M TO now]
Within the last year[now-1y TO now]
Within the next 12 hours[now TO now+12h]
Within the next 24 hours[now TO now+1d]
Within the next week[now TO now+1w]
Within the next month[now TO now+1M]

Legacy Search examples

Query descriptionLegacy Search query
Search for hosts Updated in the Past Hour:last_updated_at: [now-1h TO *]
Search for CVEs with a KEV added in the Past 6 Months:cves.kev.date_added: [now-6M TO *]
Search for certificates that were Revoked in the past 8 hours:revocation.crl.revocation_time: [now-8h TO *]

Censys ASM examples

Query descriptionLegacy Search query
Search for a domain that is expiring tomorrow:domain.expiration_date: [* TO now+1d]
Search for a risk discovered in the past 3 days:Risks.discovered_at: [now-3d TO *]
Search for assets discovered today:association_date: [now/d TO *]

Ranges

Ranges allow you to define a spectrum within which a value may fall for the host to be considered a hit. This is useful for numerical values such as dates, version numbers, and IP addresses.

Legacy Search examples

Query description

Legacy Search query

Run query in Legacy Search

Search for certificates submitted to the Cloudflare Nimbus 2023 CT log within a date range, not including the first value given:

ct.entries: (key:'cloudflare_nimbus_2023' and value.added_to_ct_at: {2023-06-01 to 2023-07-10])

Try it

Search for online hosts in a non-standard IP address range, including the first and last values given:

ip: [119.167.243.56 to 119.167.243.201]

Try it

Censys also supports CIDR notation of IP ranges:

Search for online hosts whose IPv4 address falls between 35.180.0.0 and 35.180.255.255:

ip: 35.180.0.0/16]

Try it

ASM examples


Query descriptionLegacy Search QueryRun query in Legacy Search
Search for certificates whose expiration date is within a (recently passed) date range, not including the first value given:certificate.parsed.validity_period.not_after: {2022-08-01 to 2022-08-23]Try it
Search for hosts in a non-standard IP range, including the first and last values given:host.ip: [216.189.94.1 to 216.189.94.32]
Search for hosts in use within a network assigned to your organization (use the Seed page to look up these CIDRs):host.ip: 8.8.0.0/16

Double quotes

Double quotes search for a phrase instead of a single word. You must wrap whitespace-separated words in double quotes when searching for the phrase to be evaluated as a whole. Searches that specify a phrase for a field value are invalid without the double quotes.

Legacy Search example

Query descriptionLegacy Search queryRun query in Legacy Search
Search for hosts and virtual hosts with an HTML title:services.http.response.html_title: "your dashboard"Try it

ASM example

Query descriptionLegacy Search queryRun query in Legacy Search
Search for hosts with an HTML title:host.services.http.response.html_title: "your dashboard"Try it

Escape sequences and reserved characters

Escape sequences

The following sequences are interpreted as Unicode escape sequences. Use them to search for special characters in commonly used places, such as service banners and HTTP bodies.

For example, services.banner:"Hello\nWorld" interprets the \n as a newline instead of as an escaped n.

Escape sequenceCharacter represented
\aAlert
\bBackspace
\eEscape character
\fFormfeed/page break
\nNewline
\rCarriage return
\tHorizontal tab
\vVertical tab

Reserved characters

The following characters are interpreted as control characters unless they are escaped (preceded) with a backslash or encapsulated in a string that is surrounded by backticks.

= > < ) } ] " * ? : \ /

Use backticks around the entire URI to escape all the asterisks within.

Legacy Search example

Query descriptionRun query in Legacy Search
Search for hosts running Microsoft IIS version 10.0:Try it

ASM example

Query descriptionRun query in Legacy Search
Search for hosts running Microsoft IIS version 10.0:Try it