Censys Rescan

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

This playbook will be triggered manually. This will fetch associated IPs from the incident and make API calls to retrieve Censys data and enrich the incident with additional information as Incident comment.

Attribute	Value
Type	Playbook
Solution	Censys
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Transformations	Ingestion API	Lake-Only
`CensysRescanHost_CL` 🔶	?	✓	?
`CensysRescanWebProperty_CL` 🔶	?	✓	?
`SecurityIncident`	✓	✗	✓

Logic App Connectors

This playbook uses 5 Logic App connectors / built-in actions:

Connector / Action	Type	Connections	Actions
`azureloganalyticsdatacollector`	Managed	1	2
`azuremonitorlogs`	Managed	1	1
`keyvault`	Managed	1	1
`http`	Built-in	0	3
`workflow`	Built-in	0	1

Action parameters (URLs, paths, function IDs)

`azureloganalyticsdatacollector` (Managed)

Action	Method	Endpoint	Other
Ingest_Censys_Rescan_Host_Data	post	`/api/logs`	—
Ingest_Censys_Recan_Web_Property_Data	post	`/api/logs`	—

`azuremonitorlogs` (Managed)

Action	Method	Endpoint	Other
Run_Query_And_List_Related_Entities	post	`/queryData`	—

`keyvault` (Managed)

Action	Method	Endpoint	Other
Get_Censys_API_Token	get	`/secrets/@{encodeURIComponent('Censys-Access-Token')}/value`	—

`http` (Built-in)

Action	Method	Endpoint	Other
HTTP_Call_to_Fetch_Scan_Status	GET	`@{variables('base_url')}/@{variables('api_version')}/global/scans/@{body('Parse_JSON_for_Rescan_Response')?['result']?['tracked_scan_id']}`	—
HTTP_Post_Request_For_Rescan	POST	`@{variables('base_url')}/@{variables('api_version')}/global/scans/rescan`	—
HTTP_Call_to_Fetch_IOC_data	GET	`@variables('url_for_ioc_data')`	—

`workflow` (Built-in)

Action	Method	Endpoint	Other
CensysIncidentEnrichment	—	—	workflowId=`[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/',trim(parameters('IncidentEnrichmentPlaybookName')))]` triggerName=`When_an_HTTP_request_is_received`

Additional Documentation

📄 Source: CensysRescan/readme.md

Summary

Prerequisites

Deploy the CensysAddIncidentComment playbook first and note its name.
Obtain a Censys API token and store it in Azure Key Vault as a secret named 'Censys-Access-Token'.
Obtain the Censys Organization ID from your Censys platform account.
Create or identify an Azure Key Vault and note its name and Tenant ID.
Ensure you have a Log Analytics Workspace configured for Microsoft Sentinel.
Deploy the Censys Rescan workbook to use this playbook.

Deployment Instructions

To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
Fill in the required parameters:
- PlaybookName: Enter the playbook name here (default: CensysRescan).
- IncidentEnrichmentPlaybookName: Name of the deployed CensysAddIncidentComment playbook.
- OrganizationID: Your Censys Organization ID from the Censys platform account settings.
- WorkspaceName: Name of the Log Analytics Workspace where Microsoft Sentinel is deployed.
- KeyVaultName: Name of the Azure Key Vault where the Censys API token is stored.
- TenantId: Azure AD Tenant ID where the Key Vault is located.

Post-Deployment Instructions

a. Authorize connections

Once deployment is complete, authorize each connection.

Go to your logic app → API connections → Select Key Vault connection resource.
Go to General → edit API connection.
Click Authorize.
Sign in.
Click Save.
Repeat steps for Azure Monitor Logs and Log Analytics Data Collector connections.

b. Add Access policy in Keyvault

Add access policy for the playbook's managed identity to read secrets from Key Vault.

Go to logic app → your logic app → identity → System assigned Managed identity and copy Object (principal) ID.
Go to keyvaults → your keyvault → Access policies → create.
Select Get and List permissions for Secrets. Click next.
In the principal section, search by copied object ID. Click next.
Click review + create.