What Changed
New Microsoft Sentinel solution package for Censys attack surface intelligence integration. Includes six playbooks providing automated enrichment for IP addresses, domains, and certificates detected in incidents and alerts.
Playbook Capabilities
Entity Enrichment Playbooks:
- CensysEntityEnrichmentHost: Triggered on IP entities, retrieves geolocation, ASN, WHOIS, services, and DNS data
- CensysEntityEnrichmentWebProperty: Triggered on DNS entities, queries web properties on ports 80/443 by default
- CensysEntityEnrichmentCertificate: Triggered on FileHash entities, provides certificate metadata and associated services
Alert Processing:
- CensysAlertEnrichment: Processes alert entities (IP, domain, certificate SHA256) and ingests the enrichment data into custom tables
- CensysAlertRescan: Manual rescan capability for updated asset intelligence with workbook integration
Infrastructure:
- CensysAddIncidentComment: Sub-playbook handling enrichment data formatting and incident comment injection
Data Ingestion
Creates custom Log Analytics tables for historical analysis:
- CensysHost_CL - Host/IP enrichment data
- Censyswebproperty_CL - Web property intelligence
- CensysCert_CL - Certificate metadata
- CensysHostAlert_CL, CensysWebPropertyAlert_CL, CensysCertificateAlert_CL - Alert-triggered enrichment
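An added example, not code from this solution: a pre-enrichment triage step that sorts raw alert entity values into the three kinds the alert playbook handles and maps each to the alert table named above. The function names, the flat-string input and the skip rules (non-routable IPs, hashes that are not SHA-256) are assumptions for illustration, not the playbooks' own logic.

```python
import ipaddress
import re

# Alert-triggered tables named on this page, keyed by entity kind.
ALERT_TABLES = {
    "ip": "CensysHostAlert_CL",
    "domain": "CensysWebPropertyAlert_CL",
    "certificate": "CensysCertificateAlert_CL",
}
SHA256_RE = re.compile(r"[0-9a-f]{64}")
DOMAIN_RE = re.compile(
    r"(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

def classify(value):
    """Return (kind, normalized) for a usable entity, else (None, reason)."""
    v = value.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        ip = None
    if ip is not None:
        # Assumed rule: an internet scan dataset has nothing on internal
        # addresses, and sending them leaks internal addressing to a third party.
        if not ip.is_global:
            return None, "non-routable address"
        return "ip", str(ip)
    if SHA256_RE.fullmatch(v):
        return "certificate", v
    if DOMAIN_RE.fullmatch(v):
        return "domain", v
    return None, "not an IP, domain or SHA-256 value"

def route(values):
    """Deduplicate entity values and group them by destination table."""
    routed = {table: [] for table in ALERT_TABLES.values()}
    skipped, seen = [], set()
    for raw in values:
        kind, result = classify(raw)
        if kind is None:
            skipped.append((raw, result))
        elif (kind, result) not in seen:
            seen.add((kind, result))
            routed[ALERT_TABLES[kind]].append(result)
    return routed, skipped

# Constructed sample input: duplicates, an internal IP and an MD5 value.
SAMPLE = ["8.8.8.8", "10.0.0.5", "Example.COM.", "8.8.8.8", "a" * 64,
          "d41d8cd98f00b204e9800998ecf8427e", "2001:4860:4860::8888"]
```

Running `route(SAMPLE)` returns the per-table lists plus the skipped values with the reason each was dropped, which is worth logging so analysts can see why an entity received no enrichment comment.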
Deployment Requirements
- Censys API token stored in Azure Key Vault (secret: Censys-Access-Token)
- Censys Organization ID for API authentication
- Automation rules configured for entity-triggered enrichment
- Sequential deployment required (CensysAddIncidentComment first, then entity enrichment playbooks)
Operational Value
Provides SOC teams with contextual threat intelligence for IOCs during incident investigation, including geolocation, infrastructure ownership, service exposure, and certificate chain analysis.
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/CensysCert_CL.json
.script/tests/KqlvalidationsTests/CustomTables/CensysCertificateAlert_CL.json
.script/tests/KqlvalidationsTests/CustomTables/CensysCertificate_CL.json
.script/tests/KqlvalidationsTests/CustomTables/CensysHostAlert_CL.json
.script/tests/KqlvalidationsTests/CustomTables/CensysHost_CL.json
.script/tests/KqlvalidationsTests/CustomTables/CensysRelatedAssetsDetails_CL.json
.script/tests/KqlvalidationsTests/CustomTables/CensysRescanHostAlert_CL.json
.script/tests/KqlvalidationsTests/CustomTables/CensysRescanHost_CL.json
.script/tests/KqlvalidationsTests/CustomTables/CensysRescanWebPropertyAlert_CL.json
.script/tests/KqlvalidationsTests/CustomTables/CensysRescanWebProperty_CL.json
.script/tests/KqlvalidationsTests/CustomTables/CensysWebPropertyAlert_CL.json
.script/tests/KqlvalidationsTests/CustomTables/Censys_Certificate_IOC_CL.json
.script/tests/KqlvalidationsTests/CustomTables/Censys_Host_History_Data_CL.json
.script/tests/KqlvalidationsTests/CustomTables/Censys_Host_IOC_CL.json
.script/tests/KqlvalidationsTests/CustomTables/Censys_Host_Services_CL.json
.script/tests/KqlvalidationsTests/CustomTables/Censys_Web_Property_Endpoint_CL.json
.script/tests/KqlvalidationsTests/CustomTables/Censys_Web_Property_IOC_CL.json
.script/tests/KqlvalidationsTests/CustomTables/Censys_Web_Property_Threat_CL.json
.script/tests/KqlvalidationsTests/CustomTables/Censys_Web_Property_Vuln_CL.json
.script/tests/KqlvalidationsTests/CustomTables/Censyswebproperty_CL.json
.script/tests/KqlvalidationsTests/CustomTables/Incident_Enrich_Data_CL.json
Logos/Censys.svg
Sample Data/Custom/CensysCert_CL.csv
Sample Data/Custom/CensysCertificateAlert_CL.csv
Sample Data/Custom/CensysCertificate_CL.csv
Sample Data/Custom/CensysHostAlert_CL.csv
Sample Data/Custom/CensysHost_CL.csv
Sample Data/Custom/CensysRelatedAssetsDetails_CL.csv
Sample Data/Custom/CensysRescanHostAlert_CL.csv
Sample Data/Custom/CensysRescanHost_CL.csv
Sample Data/Custom/CensysRescanWebPropertyAlert_CL.csv
Sample Data/Custom/CensysRescanWebProperty_CL.csv
Sample Data/Custom/CensysWebPropertyAlert_CL.csv
Sample Data/Custom/Censys_Certificate_IOC_CL.csv
Sample Data/Custom/Censys_Host_History_Data_CL.csv
Sample Data/Custom/Censys_Host_IOC_CL.csv
Sample Data/Custom/Censys_Host_Services_CL.csv
Sample Data/Custom/Censys_Web_Property_Endpoint_CL.csv
Sample Data/Custom/Censys_Web_Property_IOC_CL.csv
Sample Data/Custom/Censys_Web_Property_Threat_CL.csv
Sample Data/Custom/Censys_Web_Property_Vuln_CL.csv
Sample Data/Custom/Censyswebproperty_CL.csv
Sample Data/Custom/Incident_Enrich_Data_CL.csv
Solutions/Censys/Package/testParameters.json
Solutions/Censys/Playbooks/CensysAddIncidentComment/CensysAddIncidentComment.png
Solutions/Censys/Playbooks/CensysAddIncidentComment/Enrichment comment.png
Solutions/Censys/Playbooks/CensysAddIncidentComment/Host comment.png
Solutions/Censys/Playbooks/CensysAddIncidentComment/README.md
Solutions/Censys/Playbooks/CensysAddIncidentComment/azuredeploy.json
Solutions/Censys/Playbooks/CensysAddIncidentComment/certificate comment.png
Solutions/Censys/Playbooks/CensysAddIncidentComment/web property comments.png
Solutions/Censys/Playbooks/CensysAlertEnrichment/CensysAlertEnrichment.png
Solutions/Censys/Playbooks/CensysAlertEnrichment/README.md
Solutions/Censys/Playbooks/CensysAlertEnrichment/azuredeploy.json
Solutions/Censys/Playbooks/CensysAlertRescan/CensysAlertRescan.png
Solutions/Censys/Playbooks/CensysAlertRescan/README.md
Solutions/Censys/Playbooks/CensysAlertRescan/azuredeploy.json
Solutions/Censys/Playbooks/CensysEntityEnrichmentCertificate/CensysEntityEnrichmentCertificate.png
Solutions/Censys/Playbooks/CensysEntityEnrichmentCertificate/README.md
Solutions/Censys/Playbooks/CensysEntityEnrichmentCertificate/azuredeploy.json
Solutions/Censys/Playbooks/CensysEntityEnrichmentHost/CensysEntityEnrichmentHost.png
Solutions/Censys/Playbooks/CensysEntityEnrichmentHost/README.md
Solutions/Censys/Playbooks/CensysEntityEnrichmentHost/azuredeploy.json
Solutions/Censys/Playbooks/CensysEntityEnrichmentWebProperty/CensysEntityEnrichmentWebProperty.png
Solutions/Censys/Playbooks/CensysEntityEnrichmentWebProperty/README.md
Solutions/Censys/Playbooks/CensysEntityEnrichmentWebProperty/azuredeploy.json
Solutions/Censys/Playbooks/CensysHostHistory/CensysHostHistory.png
Solutions/Censys/Playbooks/CensysHostHistory/README.md
Solutions/Censys/Playbooks/CensysHostHistory/azuredeploy.json
Solutions/Censys/Playbooks/CensysIOCLookup/CensysIOCLookup.png
Solutions/Censys/Playbooks/CensysIOCLookup/README.md
Solutions/Censys/Playbooks/CensysIOCLookup/azuredeploy.json
Solutions/Censys/Playbooks/CensysIncidentEnrichment/CensysIncidentEnrichment.png
Solutions/Censys/Playbooks/CensysIncidentEnrichment/README.md
Solutions/Censys/Playbooks/CensysIncidentEnrichment/azuredeploy.json
Solutions/Censys/Playbooks/CensysRescan/CensysRescan.png
Solutions/Censys/Playbooks/CensysRescan/README.md
Solutions/Censys/Playbooks/CensysRescan/azuredeploy.json
Solutions/Censys/Workbooks/Censys.json
Workbooks/Images/Logos/Censys.svg
Workbooks/Images/Preview/CensysBlack1.png
Workbooks/Images/Preview/CensysBlack2.png
Workbooks/Images/Preview/CensysBlack3.png
Workbooks/Images/Preview/CensysBlack4.png
Workbooks/Images/Preview/CensysBlack5.png
Workbooks/Images/Preview/CensysWhite1.png
Workbooks/Images/Preview/CensysWhite2.png
Workbooks/Images/Preview/CensysWhite3.png
Workbooks/Images/Preview/CensysWhite4.png
Workbooks/Images/Preview/CensysWhite5.png
Workbooks/WorkbooksMetadata.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Censys.json, createUiDefinition.json, mainTemplate.json)