CensEye
CensEye helps you identify web assets on the internet that share a specific key-value pair with the asset you are currently viewing. It extracts data values then shows how many other assets present the same value. This allows you to pivot into related infrastructure and begin building queries based on shared characteristics.
CensEye saves you time during investigations and supports the creation of queries or fingerprints to identify activity linked to specific methods, indicators, or threat actors—even those that may not have been fingerprinted or categorized already.
Once you identify related assets, you can group and monitor them using collections. Collections enable you to track threat-related infrastructure over time. Use webhooks with collections to receive alerts about new assets affiliated with a threat in near-real-time.
Use CensEye in the Platform web UI
To use CensEye:
- In the Platform web console, go to an asset.
- Click the Discover Pivots tab.

- Click Run CensEye.
- Review the extracted key-value pairs.
CensEye identifies key-value pairs that the asset shares with other data records. In the screenshot below, the number to the left shows how many internet-facing assets share the same attribute for the indicated field-value pair.
This data can be used to pivot from one asset to a broader set of related infrastructure that shares the same attribute. You can track patterns across assets with similar characteristics and investigate the assets to determine shared usage or intent.

- Click 🔍 to the right of the key-value pair to execute a search.
Using the example above, a search is executed for the host.services.endpoints.http.body_hash_sha256 field-value pair.
- The search returned 48 assets. Filter the data to isolate the most relevant infrastructure. In the left-hand navigation, the Threats filter shows that 3 of these assets are associated with Viper malware. At this point, you might look for other outliers such as unusual port numbers.

Note
When you use CensEye on a historical host record, the key-value pairs are obtained from the historical appearance of that host and compared against current data.
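The same count-by-shared-value pivot can be reproduced offline over exported host records. The sketch below is an added example, not Censys code: it uses four of the default host pivot fields listed on this page, while the record layout, the `values_at` and `pivots` helpers, and every sample value are constructed assumptions.

```python
# Added example: local re-creation of the shared-value count over exported records.
# Field names come from this page; record layout and all values are constructed.
PIVOT_FIELDS = [
    "host.services.cert.fingerprint_sha256",
    "host.services.endpoints.http.body_hash_sha256",
    "host.services.jarm.fingerprint",
    "host.services.ssh.server_host_key.fingerprint_sha256",
]
SAMPLE = [
    {"host": {"ip": "192.0.2.10", "services": [
        {"port": 443, "jarm": {"fingerprint": "jarm-common"},
         "cert": {"fingerprint_sha256": "cert-A"},
         "endpoints": [{"http": {"body_hash_sha256": "body-X"}}]},
        {"port": 22, "ssh": {"server_host_key": {"fingerprint_sha256": "sshkey-1"}}}]}},
    {"host": {"ip": "192.0.2.11", "services": [
        {"port": 8443, "jarm": {"fingerprint": "jarm-common"},
         "endpoints": [{"http": {"body_hash_sha256": "body-X"}}]}]}},
    {"host": {"ip": "198.51.100.7", "services": [
        {"port": 443, "jarm": {"fingerprint": "jarm-common"},
         "cert": {"fingerprint_sha256": "cert-B"}}]}},
    {"host": {"ip": "198.51.100.8", "services": [
        {"port": 22, "ssh": {"server_host_key": {"fingerprint_sha256": "sshkey-1"}}}]}},
]

def values_at(node, keys):
    """Collect scalar values at a dotted path, fanning out across lists."""
    if isinstance(node, list):
        return {v for item in node for v in values_at(item, keys)}
    if not keys:
        return {node} if isinstance(node, (str, int)) else set()
    if isinstance(node, dict) and keys[0] in node:
        return values_at(node[keys[0]], keys[1:])
    return set()

def pivots(target, corpus, fields=PIVOT_FIELDS):
    """Return (shared_count, field, value) rows, rarest shared value first."""
    rows = []
    for field in fields:
        keys = field.split(".")
        for value in sorted(values_at(target, keys), key=str):
            shared = sum(1 for rec in corpus
                         if rec is not target and value in values_at(rec, keys))
            if shared:  # a value no other record presents is not a pivot
                rows.append((shared, field, value))
    return sorted(rows)

if __name__ == "__main__":
    for shared, field, value in pivots(SAMPLE[0], SAMPLE):
        print(f"{shared:>3}  {field} = {value}")
```

Sorting by the lowest shared count first surfaces the most selective values, which usually make better fingerprints than attributes common to many unrelated hosts.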
Default pivot fields
CensEye searches across the following fields for assets with matching values.
Host fields
host.services.banner_hex
host.services.cert.fingerprint_sha256
host.services.cert.parsed.issuer_dn
host.services.cert.parsed.issuer.common_name
host.services.cert.parsed.issuer.locality
host.services.cert.parsed.subject_dn
host.services.cert.parsed.subject.organization
host.services.cert.parsed.subject.organizational_unit
host.services.cwmp.server
host.services.endpoints.cobalt_strike.x64.http_post.uri
host.services.endpoints.cobalt_strike.x64.public_key
host.services.endpoints.cobalt_strike.x64.user_agent
host.services.endpoints.cobalt_strike.x64.watermark
host.services.endpoints.cobalt_strike.x86.http_post.uri
host.services.endpoints.cobalt_strike.x86.public_key
host.services.endpoints.cobalt_strike.x86.user_agent
host.services.endpoints.cobalt_strike.x86.watermark
host.services.endpoints.http.body_hash_sha256
host.services.endpoints.http.favicons.hash_md5
host.services.jarm.fingerprint
host.services.pc_anywhere.name
host.services.pptp.hostname
host.services.smb.group_name
host.services.ssh.endpoint_id.raw
host.services.ssh.server_host_key.fingerprint_sha256
host.services.winrm.ntlm_info.netbios_computer_name
Web property fields
web.cert.fingerprint_sha256
web.cert.parsed.issuer_dn
web.cert.parsed.issuer.common_name
web.cert.parsed.issuer.locality
web.cert.parsed.subject_dn
web.cert.parsed.subject.organization
web.cert.parsed.subject.organizational_unit
web.endpoints.banner_hash_sha256
web.endpoints.cobalt_strike.x64.http_post.uri
web.endpoints.cobalt_strike.x64.public_key
web.endpoints.cobalt_strike.x64.user_agent
web.endpoints.cobalt_strike.x64.watermark
web.endpoints.cobalt_strike.x86.http_post.uri
web.endpoints.cobalt_strike.x86.public_key
web.endpoints.cobalt_strike.x86.user_agent
web.endpoints.cobalt_strike.x86.watermark
web.endpoints.http.body_hash_sha256
web.endpoints.http.favicons.hash_md5
web.jarm.fingerprint
Certificate fields
cert.parsed.subject_dn
cert.parsed.issuer_dn
cert.parsed.issuer.common_name
cert.parsed.subject.organization
cert.parsed.subject.organizational_unit
cert.parsed.issuer.locality