Hello,
I have a few questions about the behavior of the certificate Timeline view. I would appreciate your clarification on the following points.
As an example, while reviewing the Timeline for a particular certificate, I noticed some behaviors that I would like to confirm.
- Meaning of the "Results" count in the Timeline
When checking the Timeline for the certificate, the UI shows Results: 178 (see attached screenshot).I would like to confirm what this number represents.
Does this number indicate the total number of host observations (each timeline bar/event) rather than the number of unique hosts that used the certificate?
- Timeline filters do not seem to be applied correctly
When applying Port and Protocol filters in the Timeline, the results appear to include entries that do not match the selected filters.
Port filter example:
When filtering by Port 443, entries with other ports (e.g., 8080) still appear in the results (see attached screenshot).
Could you please confirm this behavior?
Protocol filter example:
When filtering by Protocol: HTTP, entries labeled "COBALT_STRIKE" are also displayed in the results (see attached screenshot).
Could you please confirm this behavior as well?
-
Difference between UI results and API results
For the same certificate, I queried the following API endpoint with the same conditions:
https://docs.censys.com/reference/v3-threathunting-get-host-observations-with-certificate
The API returned a total of 117 results, while the Timeline UI shows 178 results.
Which number should be considered the correct count?
Also, could you explain the reason for this discrepancy between the UI and API results?
Thank you for your help.
Best,
Kurumi