Package Documentation
Storm Package: synapse-censys
The following Commands are available from this package. This documentation is generated for version 5.1.0 of the package.
Storm Commands
This package implements the following Storm Commands.
censys.apiinfo
Display Censys API info for the API key.
Usage: censys.apiinfo [options]
Options:
--help : Display the command usage.
censys.certs.enrich
Ingest and parse the full cert from the Censys API.
If an inbound node does not pivot to a hash:sha256 it will be skipped.
Examples:
// Enrich a file:bytes node and yield the crypto:x509:cert node
file:bytes#myfile | censys.certs.enrich --yield
// Enrich a crypto:x509:cert node
crypto:x509:cert#mycert | censys.certs.enrich
Usage: censys.certs.enrich [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
--time <time> : Get historical information about a host at a specific time.
censys.certs.search
Search for certs using the Censys V2 Search Language.
NOTE - This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Examples:
// Run a full text search and yield a minimal crypto:x509:cert node
censys.certs.search "vertex.link" --yield
// Pipe results to enrich to ingest the full cert
censys.certs.search "vertex.link" --yield | censys.certs.enrich
Usage: censys.certs.search [options] <query>
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
--servers : Yield inet:server nodes when the --yield option is specified.
--virtual <virtual> : Specify if virtual hosts should be included in search results. (default: None, choices: include, only)
Arguments:
<query> : The query string.
censys.certs.subdomains
Discover subdomains for an FQDN using the Censys cert parsed names field.
Examples:
// Yield discovered inet:fqdn subdomains
[ inet:fqdn=vertex.link ] | censys.certs.subdomains --yield
Usage: censys.certs.subdomains [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
--servers : Yield inet:server nodes when the --yield option is specified.
censys.hosts.domain
Full text search hosts by an FQDN using the Censys API.
Examples:
// Yield the IPv4 node
[ inet:fqdn=vertex.link ] | censys.hosts.domain --yield
// Pipe results to enrich to parse full host records
[ inet:fqdn=vertex.link ] | censys.hosts.domain --yield | censys.hosts.enrich
// Yield created inet:server nodes instead of inet:ipv4/inet:ipv6
[ inet:fqdn=vertex.link ] | censys.hosts.domain --yield --servers
Usage: censys.hosts.domain [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
--servers : Yield inet:server nodes when the --yield option is specified.
censys.hosts.enrich
Enrich an IP node using the Censys API to get host data.
Examples:
// Enrich an IPv4 and yield inet:flow nodes
inet:ipv4=1.1.1.1 | censys.hosts.enrich --yield
// Enrich an IPv4 with historical data
inet:ipv4=1.1.1.1 | censys.hosts.enrich --time "2021-01-01 15:00"
Usage: censys.hosts.enrich [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--yield : Yield the newly created nodes.
--time <time> : Get historical information about a host at a specific time.
censys.hosts.history
Ingest historical events about an IP address.
NOTE: The `--details` flag is only used when a "service_observed", "service_added_to_host", or
"service_enriched" event is encountered. This flag causes an extra host lookup
to get detailed host information at the time of the event. Be aware that this flag may cause a
lot of additional queries; using it only with a very small time window
(`--start <time>` and `--end <time>`) is recommended.
Examples:
// Get all history about an IP address
[ inet:ipv4=23.23.240.248 ] | censys.hosts.history --yield
// Get history about an IP address from Jan 2022 to Dec 2022
[ inet:ipv4=23.23.240.248 ] | censys.hosts.history --start 20220101 --end 20231231
Usage: censys.hosts.history [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
--start <start> : Specify the starting datetime. (default: None)
--end <end> : Specify the ending datetime. (default: None)
--details : Perform the extra host lookup to get event details.
censys.hosts.names
Ingest DNS names for an IP address.
Examples:
// Get all known names for an IP address
[ inet:ipv4=23.23.240.248 ] | censys.hosts.names --yield
Usage: censys.hosts.names [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size (per-node).
--yield : Yield the newly created nodes.
censys.hosts.search
Search for hosts using the Censys V2 Search Language.
NOTE - This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Examples:
// Run a full text search and yield the IPv4 node
censys.hosts.search "vertex.link" --yield
// Pipe results to enrich to parse full host records
censys.hosts.search "vertex.link" --yield | censys.hosts.enrich
// Yield created inet:server nodes instead of inet:ipv4/inet:ipv6
censys.hosts.search "vertex.link" --yield --servers
Usage: censys.hosts.search [options] <query>
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--size <size> : Limit the number of results ingested to the given size.
--yield : Yield the newly created nodes.
--servers : Yield inet:server nodes when the --yield option is specified.
--virtual <virtual> : Specify if virtual hosts should be included in search results. (default: None, choices: include, only)
Arguments:
<query> : The query string.
censys.setup.apikey
Set the Censys API key.
Usage: censys.setup.apikey [options] <apiid> <secret>
Options:
--help : Display the command usage.
--self : Set the key as a user variable. If not used, the key is set globally.
Arguments:
<apiid> : The Censys API ID string.
<secret> : The Censys API secret string.
Storm Modules
This package does not export any Storm APIs.