Censys Alert Rescan
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This playbook is triggered manually via HTTP request from a workbook or automation. It accepts input parameters including IOC Type (Host or Web Property), IP, Port, Protocol, Transport Protocol, Hostname, and Alert ID. The playbook initiates a rescan request to the Censys API, monitors scan status until completion, retrieves the updated asset data, and ingests the rescan results into Log Analytics. If the alert is associated with an incident, the playbook invokes the CensysIncidentEnrichment sub
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Censys |
| Source | View on GitHub |
Tables Used
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
CensysRescanHostAlert_CL 🔶 |
? | ✓ | ? |
CensysRescanWebPropertyAlert_CL 🔶 |
? | ✓ | ? |
SecurityAlert |
✓ | ✗ | ✓ |
SecurityIncident |
✓ | ✗ | ✓ |
Logic App Connectors
This playbook uses 5 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azureloganalyticsdatacollector |
Managed | 1 | 2 |
azuremonitorlogs |
Managed | 1 | 2 |
keyvault |
Managed | 1 | 1 |
http |
Built-in | 0 | 3 |
workflow |
Built-in | 0 | 1 |
Action parameters (URLs, paths, function IDs)
azureloganalyticsdatacollector (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Ingest_Censys_Rescan_Host_Data | post | /api/logs |
— |
| Ingest_Censys_Recan_Web_Property_Data | post | /api/logs |
— |
azuremonitorlogs (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Run_Query_And_List_Related_Entities | post | /queryData |
— |
| Run_Query_And_Get_Related_Incident_ARM_Id_and_Comment_Count | post | /queryData |
— |
keyvault (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_Censys_API_Token | get | /secrets/@{encodeURIComponent('Censys-Access-Token')}/value |
— |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| HTTP_Call_to_Fetch_Scan_Status | GET | @{variables('base_url')}/@{variables('api_version')}/global/scans/@{body('Parse_JSON_for_Rescan_Response')?['result']?['tracked_scan_id']} |
— |
| HTTP_Post_Request_For_Rescan | POST | @{variables('base_url')}/@{variables('api_version')}/global/scans/rescan |
— |
| HTTP_Call_to_Fetch_IOC_data | GET | @variables('url_for_ioc_data') |
— |
workflow (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| CensysIncidentEnrichment | — | — | workflowId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',trim(parameters('IncidentEnrichmentPlaybookName')))]triggerName= When_an_HTTP_request_is_received |
Additional Documentation
📄 Source: CensysAlertRescan/readme.md
Summary
This playbook is triggered manually via HTTP request from a workbook or automation. It accepts input parameters including IOC Type (Host or Web Property), IP, Port, Protocol, Transport Protocol, Hostname, and Alert ID. The playbook initiates a rescan request to the Censys API, monitors scan status until completion, retrieves the updated asset data, and ingests the rescan results into Log Analytics. If the alert is associated with an incident, the playbook invokes the CensysIncidentEnrichment sub-playbook to add the rescan data as an incident comment.
Prerequisites
- Deploy the CensysAddIncidentComment playbook before deploying this playbook.
- Obtain a Censys API token and store it in Azure Key Vault as a secret named 'Censys-Access-Token'.
- Obtain the Censys Organization ID from your Censys platform account.
- Create or identify an Azure Key Vault and note its name and Tenant ID.
- Ensure you have a Log Analytics Workspace configured for Microsoft Sentinel.
- Configure the Censys workbook to trigger this playbook with required parameters.
Deployment Instructions
- To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
- Fill in the required parameters:
- PlaybookName: Enter the playbook name here (default: CensysAlertRescan).
- OrganizationID: Your Censys Organization ID from the Censys platform account settings.
- KeyVaultName: Name of the Azure Key Vault where the Censys API token is stored.
- TenantId: Azure AD Tenant ID where the Key Vault is located.
- WorkspaceName: Name of the Log Analytics Workspace where Microsoft Sentinel is deployed.
Post-Deployment Instructions
a. Authorize connections
Once deployment is complete, authorize each connection.
- Go to your logic app → API connections → Select keyvault connection resource.
- Go to General → edit API connection.
- Click Authorize.
- Sign in.
- Click Save.
- Repeat steps for Azure Monitor Logs and Log Analytics Data Collector connections.
b. Add Access policy in Keyvault
Add access policy for the playbook's managed identity to read secrets from Key Vault.
- Go to logic app → your logic app → identity → System assigned Managed identity and copy Object (principal) ID.
- Go to keyvaults → your keyvault → Access policies → create.
- Select Get and List permissions for Secrets. Click next.
- In the principal section, search by copied object ID. Click next.
- Click review + create.
c. Configure Workbook Integration
Configure the Censys workbook to call this playbook with the HTTP POST URL and required parameters.
- Go to Logic App → your Logic App → Logic app designer.
- Copy the HTTP POST URL from the trigger.
- Configure the Censys workbook to use this URL for triggering rescans.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊