Censys for Splunk Platform Integration
The Censys for Splunk Platform integration adds the ability to automatically or manually enrich IPs, web properties, and certificates in Splunk with Censys Platform data. It also adds actions to initiate a Censys scan of a host or web property and retrieve event history for an IP address. Additionally, it adds a Censys SOC dashboard that shows all Censys actions executed using the app.
This guide walks through how to set up and use the Censys for Splunk Platform application.

This image shows part of the output from running the Censys Enrichment action for an IP address in the Splunk Platform web app.
Prerequisites
- An active Splunk ES deployment.
- A Splunk ES user account with admin permissions.
- Your Censys Platform organization ID.
  - To obtain your organization ID:
    - Open the Platform web console and ensure that your organization account is selected. Go to Settings > Account Management > Personal Access Tokens.
    - The ID for your organization is shown in the "Current Organization" box. Click Copy to copy it to your clipboard.
- A Censys Platform Personal Access Token (PAT). Instructions on how to create and manage PATs are available in the API documentation.
Installation and configuration
- Access your Splunk Platform dashboard as a user with admin permissions. Go to Apps > Find More Apps. Search for "censys".
- In the card for Censys for Splunk Platform, select Install. Follow the prompts to install the app.
- Alternatively, install the app by downloading it from Splunkbase.
- In the top left navigation bar, select Apps > Censys for Splunk Platform.
- On the Configuration tab, click Add.
- In the window, enter a name for your Censys account configuration. Then enter your organization ID and your PAT.
- Click Add.
The Censys for Splunk Platform app is now ready to use.
Censys for Splunk Platform actions
The Censys for Splunk Platform app adds the following actions.
Censys Enrichment
Use this action to enrich a host, web property, or certificate with Censys data. The data returned depends on your organization's license tier. You can run this action from within the app menu and on notable events and alerts.
To enrich a host, you must enter its IP address. To enrich a web property, you must enter its hostname and port. You may include a timestamp for hosts or web properties to retrieve data for that asset at a specific time.
To enrich a certificate, you must enter its SHA-256 hash.
Censys Rescan
Use this action to rescan a host service or a web property.
To rescan a host service, you must enter its IP address, port number, protocol, and transport protocol.
To rescan a web property, you must enter its hostname and port number.
Censys Host History
Use this action to retrieve the event history for a host.
You must enter an IP address and a start time and end time to run this action.
Automatic enrichment
You can enable automatic enrichment for IPs, web properties, and certificates in Splunk notable events. This enrichment utilizes three saved searches:
- censys_notable_index_certificate_enrichment for certificate enrichment.
- censys_notable_index_host_enrichment for host enrichment.
- censys_notable_index_web_property_enrichment for web property enrichment.
To enable automatic enrichment:
- Go to Apps > Censys for Splunk Platform > Configuration > Enable ES Finding Enrichment.
- Check the box for Enable ES Finding Enrichment.
- In the Censys Account dropdown, select your Censys account configuration.
- In the Frequency dropdown, select whether you want the saved searches for automatic enrichment to run every 30 minutes or 60 minutes.
- Click Save. This will enable all three saved searches.
Configure saved searches for automatic enrichment
To modify the saved searches for automatic enrichment or disable one of the saved searches:
- Go to Settings > Knowledge > Searches, reports, and alerts.
- Next to the name for a saved search, click Edit.
- To disable a saved search entirely, click Disable.
- To edit the query for a saved search, click Edit Search and modify the query syntax in the Search field. Click Save when you are done.
Censys for Splunk Platform SOC dashboard
The dashboard included with the Splunk Platform app displays a count of events enriched with Censys data manually and automatically. It is useful for auditing and examining usage history.
To access the dashboard, go to Apps > Censys for Splunk Platform > Dashboards > Censys SOC Dashboard. If you have configured your app to use multiple Censys accounts, use the Censys Account dropdown to select the account you want to view information for.
