CensEye

CensEye helps you identify web assets on the internet that share a specific key-value pair with the asset you are currently viewing. It extracts data values like HTTP headers, SSH banners, and TLS certificate information, then shows how many other assets present the same value. This allows you to pivot into related infrastructure and begin building queries based on shared characteristics.

CensEye saves you time during investigations and supports the creation of queries or fingerprints to identify activity linked to specific methods, indicators, or threat actors—even those that may not have been fingerprinted or categorized already.

Once you identify related assets, you can group and monitor them using collections. Collections enable you to track threat-related infrastructure over time. Use webhooks with collections to receive alerts about new assets affiliated with a threat in near-real-time.

To use CensEye:

1. In the Platform web console, go to an asset.
2. Click the Discover Pivots tab.

3. Click Run CensEye.

4. Review the extracted key-value pairs.

   CensEye identifies key-value pairs that the asset shares with other data records. In the screenshot below, the number to the left shows how many internet-facing assets share the same attribute for the indicated field-value pair.

   This data can be used to pivot from one asset to a broader set of related infrastructure that share the same attribute. You can track patterns across assets with similar characteristics and investigate the assets to determine shared usage or intent.

5. Click 🔍 to the right of the key-value pair to execute a search.
   Using the example above, a search is executed the host.services.endpoints.http.body_hash_sha256 field-value pair.
6. CensEye returns 48 assets. Filter the data to isolate the most relevant infrastructure. In the left-hand navigation, the Threats filter shows that 3 of these assets are associated with Viper malware. At this point, you might look for other outliers such as unusual port numbers.

📘

Note

When you use CensEye on a historical host record, the key-value pairs are obtained from the historical appearance of that host and compared against current data.

Collections with CensEye

Use Collections to track changes and receive alerts about a group of related assets. This helps you to proactively monitor evolving infrastructure, for example enabling you to keep your IP blocklists current.

After you create a collection, you can create a webhook to receive trigger-based updates when new assets are added to or removed from your collection. Webhooks deliver Censys data to various applications, enabling users to monitor events and take action as needed.