Shodan v2
Shodan Pack.#
This Integration is part of theShodan is a search engine for Internet-connected devices. Unlike traditional search engines that index websites, Shodan indexes information about the devices connected to the internet, such as servers, routers, webcams, and other IoT devices.
#
Configure Shodan v2 in CortexParameter | Description | Required |
---|---|---|
API Key | False | |
Base URL to Shodan API | True | |
Trust any certificate (not secure) | False | |
Use system proxy settings | False | |
Source Reliability | Reliability of the source providing the intelligence data. | False |
The maximum number of events per fetch | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
searchSearches Shodan using facets to get summary information on properties.
#
Base Commandsearch
#
InputArgument Name | Description | Required |
---|---|---|
query | The query for searching the database of banners. The search query supports filtering using the "filter:value" format to narrow your search. For example, the query "apache country:DE" returns Apache web servers located in Germany. | Required |
facets | A CSV list of properties on which to get summary information. The search query supports filtering using the "property:count" format to define the number of facets to return for a property. For example, the query "country:100" returns the top 100 countries. | Optional |
page | The page number of the fetched results. Each page contains a maximum of 100 results. Default is 1. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Shodan.Banner.Org | String | The name of the organization to which the space of the IP address space for the searched device is assigned. |
Shodan.Banner.Isp | String | The Internet Service Provider that provides the organization with the IP address space for the searched device. |
Shodan.Banner.Transport | String | The IP address transport protocol used to fetch the summary information. Can be "UDP" or "TCP". |
Shodan.Banner.Asn | String | The Autonomous System Number. For example, "AS4837". |
Shodan.Banner.IP | String | The IP address of the host as a string. |
Shodan.Banner.Port | Number | The port number on which the service is operating. |
Shodan.Banner.Ssl.versions | String | The list of SSL versions that are supported by the server. Unsupported versions are prefixed with a "-". For example, ["TLSv1", "-SSLv2"] means that the server supports TLSv1, but does not support SSLv2. |
Shodan.Banner.Hostnames | String | An array of strings containing all of the host names that have been assigned to the IP address for the searched device. |
Shodan.Banner.Location.City | String | The city in which the searched device is located. |
Shodan.Banner.Location.Longitude | Number | The longitude of the geolocation of the searched device. |
Shodan.Banner.Location.Latitude | Number | The latitude of the geolocation of the searched device. |
Shodan.Banner.Location.Country | String | The country in which the searched device is located. |
Shodan.Banner.Timestamp | Date | The timestamp in UTC format indicating when the banner was fetched from the searched device. |
Shodan.Banner.Domains | String | An array of strings containing the top-level domains for the host names of the searched device. It is a utility property for filtering by a top-level domain instead of a subdomain. It supports handling global top-level domains that have several dots in the domain. For example, "co.uk". |
Shodan.Banner.OS | String | The operating system that powers the searched device. |
#
Command Example!search query="country:HK org:RLL-HK -port:80 -port:443 -port:21 -port:25 has_ssl:false" using-brand=Shodan_v2
#
Context Example#
Human Readable OutputSearch results for query "country:HK org:RLL-HK -port:80 -port:443 -port:21 -port:25 has_ssl:false" - page 1, facets: None |IP|Port|Timestamp| |---|---|---| | 1.2.3.4 | 5353 | 2021-08-17T03:13:54.617598 |
#
ipReturns all services that have been found on the IP address of the searched host.
#
Base Commandip
#
InputArgument Name | Description | Required |
---|---|---|
ip | The IP address of the host. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
IP.ASN | Unknown | The Autonomous System Number. |
IP.Address | Unknown | The IP address. |
IP.Geo.Country | Unknown | The country of a given IP address. |
IP.Geo.Description | Unknown | The description of the location. |
IP.Geo.Location | Unknown | The latitude and longitude of an IP address. |
IP.Hostname | Unknown | The hostname of the IP address. |
IP.Relationships | Unknown | The relationships between the ip and it's CVEs. |
Shodan.IP.Tags | String | The tags associated with the IP address. |
Shodan.IP.Latitude | Number | The latitude of the geolocation of the searched device. |
Shodan.IP.Org | String | The name of the organization to which the IP space for the searched device is assigned. |
Shodan.IP.ASN | String | The Autonomous System Number. For example, "AS4837". |
Shodan.IP.ISP | String | The Internet Service Provider that provides the organization with the IP space for the searched device. |
Shodan.IP.Longitude | Number | The longitude of the geolocation of the searched device. |
Shodan.IP.LastUpdate | Date | The timestamp in UTC format indicating when the banner was fetched from the searched device. |
Shodan.IP.CountryName | String | The country in which the searched device is located. |
Shodan.IP.OS | String | The operating system on which the searched device is running. |
Shodan.IP.Port | Number | The port number on which the service is operating. |
Shodan.IP.Address | String | The IP address of the host as a string. |
Shodan.IP.Vulnerabilities | Unknown | A list of Vulnerabilities. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Score | Number | The actual score. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
#
Command Example!ip ip="8.8.8.8" using-brand="Shodan_v2"
#
Context Example#
Human Readable OutputShodan details for IP 8.8.8.8 |ASN|Country|Hostname|ISP|Location|Ports| |---|---|---|---|---|---| | AS15169 | United States | dns.google | Google LLC | 37.406,-122.078 | 53 |
#
shodan-search-countReturns the total number of results that match only the specified query or facet settings. This command does not return host results. This command does not consume query credits.
#
Base Commandshodan-search-count
#
InputArgument Name | Description | Required |
---|---|---|
query | The query for searching the database of banners. The search query supports filtering using the "filter:value" format to narrow your search. For example, the query "apache country:DE" returns Apache web servers located in Germany. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Shodan.Search.ResultCount | Number | The number of results matched in the search query. |
#
Command Example!shodan-search-count query="country:HK product:Apache"
#
Context Example#
Human Readable Output498645 results for query "country:HK product:Apache"
#
shodan-scan-ipRequests Shodan to crawl a network.
#
Base Commandshodan-scan-ip
#
InputArgument Name | Description | Required |
---|---|---|
ips | A CSV list of IP addresses or netblocks for Shodan to crawl defined in CIDR notation. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Shodan.Scan.ID | String | The unique ID of the scan. |
Shodan.Scan.Status | String | The status of the scan. |
#
Command Example!shodan-scan-ip ips=8.8.8.8
#
Context Example#
Human Readable OutputScanning results for scan wQEp0bIIEHklpAwa |ID|Status| |---|---| | wQEp0bIIEHklpAwa | PROCESSING |
#
shodan-scan-internetRequests for Shodan to perform a scan on the specified port and protocol.
#
Base Commandshodan-scan-internet
#
InputArgument Name | Description | Required |
---|---|---|
port | The port for which Shodan crawls the Internet. | Required |
protocol | The name of the protocol used to interrogate the port. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Shodan.Scan.ID | String | The ID of the initial scan. |
#
Command Example
#
Human Readable Output#
shodan-scan-statusChecks the progress of a previously submitted scan request on the specified port and protocol.
#
Base Commandshodan-scan-status
#
InputArgument Name | Description | Required |
---|---|---|
scanID | The unique ID of the initial scan. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Shodan.Scan.Id | String | The unique ID of the scan request checked for progress. |
Shodan.Scan.Status | String | The status of the scan job checked for progress. |
#
Command Example!shodan-scan-status scanID=7rbp1CAtx91BMwcg
#
Context Example#
Human Readable OutputScanning results for scan 7rbp1CAtx91BMwcg |ID|Status| |---|---| | 7rbp1CAtx91BMwcg | DONE |
#
shodan-create-network-alertCreates a network alert for a defined IP address or netblock used for subscribing to changes or events that are discovered within the netblock's range.
#
Base Commandshodan-create-network-alert
#
InputArgument Name | Description | Required |
---|---|---|
alertName | The name of the network alert. | Required |
ip | A list of IP addresses or network ranges defined in CIDR notation. | Required |
expires | The number of seconds for the network alert to remain active. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Shodan.Alert.ID | String | The ID of the subscription of the specified network alert. |
Shodan.Alert.Expires | String | The number of seconds that the specified network alert remains active. |
#
Command Example!shodan-create-network-alert alertName="test_alert" ip="1.1.1.1"
#
Context Example#
Human Readable OutputAlert ID CB68M776ICCMS36L |Expires|IP|Name| |---|---|---| | 0 | 1.1.1.1 | test_alert |
#
shodan-network-get-alert-by-idGets the details of a network alert.
#
Base Commandshodan-network-get-alert-by-id
#
InputArgument Name | Description | Required |
---|---|---|
alertID | The ID of the network alert. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Shodan.Alert.ID | String | The ID of the subscription of the network alert. |
Shodan.Alert.Expires | String | The number of seconds that the network alert remains active. |
#
Command Example!shodan-network-get-alert-by-id alertID="0EKRH38BBQEHTQ3E"
#
Context Example#
Human Readable OutputAlert ID 0EKRH38BBQEHTQ3E |Expires|IP|Name| |---|---|---| | 0 | 1.2.3.4 | test_alert |
#
shodan-network-get-alertsGets a list of all created network alerts.
#
Base Commandshodan-network-get-alerts
#
InputThere are no input arguments for this command.
#
Context OutputPath | Type | Description |
---|---|---|
Shodan.Alert.ID | String | The IDs of the subscriptions of the network alerts. |
Shodan.Alert.Expires | String | The number of seconds that the network alerts remain active. |
#
Command Example!shodan-network-get-alerts
#
Context Example#
Human Readable OutputAlert ID VXGB6CZ536X5AWE6 |Expires|IP|Name| |---|---|---| | 0 | 1.1.1.1 | test_alert |
#
shodan-network-delete-alertRemoves the specified network alert.
#
Base Commandshodan-network-delete-alert
#
InputArgument Name | Description | Required |
---|---|---|
alertID | The ID of the network alert to remove. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!shodan-network-delete-alert alertID="0EKRH38BBQEHTQ3E"
#
Human Readable OutputDeleted alert 0EKRH38BBQEHTQ3E
#
shodan-network-alert-set-triggerEnables receiving notifications for network alerts that are set off by the specified triggers.
#
Base Commandshodan-network-alert-set-trigger
#
InputArgument Name | Description | Required |
---|---|---|
alertID | The ID of the network alert for which to enable notifications. | Required |
Trigger | The name of the trigger. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!shodan-network-alert-set-trigger alertID="0EKRH38BBQEHTQ3E" Trigger=any
#
Human Readable OutputSet trigger "any" for alert 0EKRH38BBQEHTQ3E
#
shodan-network-alert-remove-triggerDisables receiving notifications for network alerts that are set off by the specified triggers.
#
Base Commandshodan-network-alert-remove-trigger
#
InputArgument Name | Description | Required |
---|---|---|
alertID | The ID of the network alert for which to disable notifications. | Required |
Trigger | The name of the trigger. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!shodan-network-alert-remove-trigger alertID="0EKRH38BBQEHTQ3E" Trigger="any"
#
Human Readable OutputDeleted trigger "any" for alert 0EKRH38BBQEHTQ3E
#
shodan-network-alert-whitelist-serviceIgnores the specified services for network alerts that are set off by the specified triggers.
#
Base Commandshodan-network-alert-whitelist-service
#
InputArgument Name | Description | Required |
---|---|---|
alertID | The ID of the network alert for which to ignore the specified services. | Required |
trigger | The name of the trigger. | Required |
service | The service specified in the "ip:port" format. For example, "1.1.1.1:80". | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!shodan-network-alert-whitelist-service alertID="0EKRH38BBQEHTQ3E" trigger="any" service="1.1.1.1:80"
#
Human Readable OutputWhitelisted service "1.1.1.1:80" for trigger any in alert 0EKRH38BBQEHTQ3E
#
shodan-network-alert-remove-service-from-whitelistResumes receiving notifications for network alerts that are set off by the specified triggers.
#
Base Commandshodan-network-alert-remove-service-from-whitelist
#
InputArgument Name | Description | Required |
---|---|---|
alertID | The ID of the alert for which to resume the specified services. | Required |
trigger | The name of the trigger. | Required |
service | The service specified in the "ip:port" format. For example, "1.1.1.1:80". | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!shodan-network-alert-remove-service-from-whitelist alertID="0EKRH38BBQEHTQ3E" trigger="any" service="1.1.1.1:80"
#
Human Readable OutputRemoved service "1.1.1.1:80" for trigger any in alert 0EKRH38BBQEHTQ3E from the allow list
#
shodan-get-events
Retrieves events from Shodan.
#
Base Commandshodan-get-events
#
InputArgument Name | Description | Required |
---|---|---|
should_push_events | If set to 'True', the command will create events; otherwise, it will only display them. Possible values are: True, False. Default is False. | Optional |
start_date | Fetch events created after this date. You can also use relative terms like "3 days ago". Default is 3 days ago. | Optional |
max_fetch | The maximum amount of events to return. Default is 50000. | Optional |
#
Context OutputThere is no context output for this command.
#
Fetch EventsFetch process returns a listing of all the network alerts that are currently active on the account.
To enable the Shodan integration you need to have an API key, which you can get for free by creating a Shodan account https://account.shodan.io/register Once you have an API key, you insert it into the API Key field and click the Test button.
#
Rate LimitsAll API plans are subject to a rate limit of 1 request per second - docs