Live Discovery and Event History
Live Discovery, Live Rescan, and Event History help you validate infrastructure and track changes over time. This trio of features allows you to run fresh scans on specific ports or services, view side-by-side comparisons of scan results, and detect changes in behavior, configuration, or known vulnerabilities.
You can also explore historical relationships between hosts, web properties, and certificates to better understand infrastructure changes over time and support detection efforts based on historical attributes.

You can use these tools to:
- Quickly validate persistence
- Identify new threats and vulnerabilities
- Track evolving infrastructure
- Monitor added and removed services
These features help you understand how infrastructure evolves between scans, without waiting for Censys' scheduled scans.
Note: Live Discovery is only available to users with access to the Threat Hunting Module. Additionally, Threat Hunting users have access to at least one month of host history.
Live Rescan is available to all users on the Core and Enterprise plans.
Live Discovery
Use Live Discovery to investigate whether a service is present on a specific port of a host. Live Discovery is useful when you are searching for specific actor behavior on a host or group of hosts, but the most recent scan of the host does not show a service on your port of interest.
- On a host record, go to the Live Discovery section in the upper-right corner. Click Live Discovery to open the scan field.
- Enter a port into the field and click Scan. The scan may take a few minutes to complete.
- After the scan completes, a message will appear in the notification box. Click View difference in results to see what changed after the scan.
- You are redirected to the Event History tab. If a service was detected on your target port, information about it will appear in the right table on the diff page. In the screenshot below, a new service was found on this host on port 12345 using Live Discovery.
The rescan comparison view displays a side-by-side snapshot of the service's previous and current state and details the data that changed between scans. The left table shows the older scan. If the new scan did not detect a service on the target port, then the right table in the diff chart will be empty.
Event History
The Event History tab on a host allows you to compare two events on a host from different points in time.
The tab displays a timeline of scans on the host that shows observed ports, protocols, and timestamps. View historical host provides a snapshot of the services, software, and vulnerabilities detected during that scan. This helps analysts track how a host’s exposure changed over time and investigate emerging threats.
Compare two events
The Event History tab allows you to compare two events.
- Check the two hosts you want to compare.
- Click Compare.

The compare view shows a side-by-side snapshot of two scans on the same host. The left column shows the older scan. These snapshots help you identify what changed over time.
- Red text indicates values present in the older scan that could be removed or modified in the newer instance.
- Green text indicates new data that wasn’t present before.
- Unchanged fields are displayed in neutral text for context.
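
The same red/green/neutral classification can be reproduced offline when you keep your own copies of two host snapshots. The following is an added example, not Censys code: the snapshot layout (a dict keyed by port and transport), the field names, and the sample values are all constructed for illustration and are not the Censys data schema.

```python
# Added example: diff two host snapshots the way the compare view presents them.
# The snapshot layout and every value below are constructed, not the Censys schema.
from typing import Any

Snapshot = dict[tuple[int, str], dict[str, Any]]  # (port, transport) -> service fields


def diff_snapshots(older: Snapshot, newer: Snapshot) -> dict[str, Any]:
    """Classify each service as added, removed, changed, or unchanged."""
    result: dict[str, Any] = {"added": [], "removed": [], "changed": {}, "unchanged": []}
    for key in sorted(older.keys() | newer.keys()):
        if key not in older:
            result["added"].append(key)        # green: only in the newer scan
        elif key not in newer:
            result["removed"].append(key)      # red: only in the older scan
        elif older[key] == newer[key]:
            result["unchanged"].append(key)    # neutral: identical in both scans
        else:
            # Same port in both scans: report each field as (old value, new value).
            fields = older[key].keys() | newer[key].keys()
            result["changed"][key] = {
                f: (older[key].get(f), newer[key].get(f))
                for f in sorted(fields)
                if older[key].get(f) != newer[key].get(f)
            }
    return result


# Constructed sample snapshots of one host at two points in time.
OLDER: Snapshot = {
    (22, "tcp"): {"service": "SSH", "software": "OpenSSH 8.9"},
    (80, "tcp"): {"service": "HTTP", "software": "nginx 1.18"},
    (443, "tcp"): {"service": "HTTP", "cert": "constructed-cert-A"},
}
NEWER: Snapshot = {
    (22, "tcp"): {"service": "SSH", "software": "OpenSSH 8.9"},
    (443, "tcp"): {"service": "HTTP", "cert": "constructed-cert-B"},
    (12345, "tcp"): {"service": "UNKNOWN"},
}

if __name__ == "__main__":
    for category, items in diff_snapshots(OLDER, NEWER).items():
        print(f"{category}: {items}")
```
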

This screenshot is clipped for brevity.