Playbook Fridays: Enriching Indicators with Shodan


Enriching indicators with Shodan

ThreatConnect developed the Playbooks capability to help analysts automate time consuming and repetitive tasks so they can focus on what is most important. And in many cases, to ensure the analysis process can occur consistently and in real time, without human intervention.

Why Was the Playbook Created?

A customer requested a way to enrich indicators via Shodan (a search engine that lets the user find specific types of computers connected to the internet using a variety of filters) in order to make more informed decisions. Additionally, they wanted to send their own infrastructure indicators to Shodan to help determine if there was a security concern that needed to be addressed.

This Playbook is designed to help solve a lack of understanding about a particular indicator as well as help to determine whether corporate infrastructure may be exposed to would-be adversaries.

By automating the use of Shodan, an analyst no longer has to open a new browser tab, log into Shodan, conduct a manual search of the indicator and then copy and paste the results back into ThreatConnect. This not only frees the analyst up for more important tasks, but ensures consistency in the analysis process and enables further actions to be taken based upon consistently formatted results.  The playbook automates:

  • The querying of Shodan for information about an indicator.
  • The parsing of relevant information from the Shodan response.
  • The saving of relevant enrichment information inside ThreatConnect.
  • Displaying of the results to the user for real-time feedback.  

How it Works:

  1. When the playbook is triggered, the indicator is sent to the playbook for processing.
  2. The HTTP Client is used to query the Shodan API for information about the indicator.
  3. Next, the JSON Parser app is used to parse the response from the Shodan API for Operating System information, open ports, and any known Hostnames associated with the indicator.
  4. Sometimes, the data type of an output variable needs to be changed before it can be utilized in another application.  Next, we use the Join Array app to convert StringArrays into Strings in order to be added as an attribute in a later step.
  5. Sometimes there is no Operating System information available in Shodan, so I used the Set Variable app to go ahead and handle the possibility of no Operating System info.
  6. All of the information gathered is then stored as an Attribute called “Shodan Enrichment Results” associated to the indicator that was sent.
  7. Depending on what information was returned by  Shodan, a combination of Set Variable apps and Merge operators are used to ensure a valid response is returned to the analyst and saved as an attribute..
  8. Finally, we save the parsed results as an indicator attribute in ThreatConnect and display the results to the user for immediate feedback.  


It’s important to note that we did not write a single line of code to build this playbook with Shodan and relied entirely on utility apps provided in ThreatConnect playbooks to “build the integration”.  This showcases the power and extensibility of ThreatConnect as a true Platform.  If an integration doesn’t exist, you can easily create one using the built-in capabilities of ThreatConnect Playbooks.

How to Build It:

  1. Templates are found in the Templates section of the Playbooks dashboard. Import the Shodan Enrichment template to get started..  
  2. Enter the requested variable information during the import step to speed up configuration.
  3. Review the configuration of the trigger and apps to ensure they are accurate for your organization.
  4. Activate the Playbook.
  5. If using the default User Action trigger you can trigger the Playbook by pressing the “Get Shodan Enrichment” user action on a ThreatConnect indicator detail page.


Read the rest of the Playbooks blog series:
Playbook Fridays: How to Build a Playbook in ThreatConnect

Playbook Fridays: How To Control The Cloud With Playbooks

About the Author

With ThreatConnect, security analysts can simultaneously coordinate with incident response, security operations and risk management teams while aggregating data from trusted communities. Your team will be better equipped to protect the organization from modern cyber threats, mitigate risk and address strategic business needs all thorough a single, robust platform.