
Shodan

Shodan is a search engine that lets the user find Internet-connected devices using a variety of filters.

 

Integrations

Shodan

With this integration, users can enrich indicators via Shodan to make more informed decisions, and can send infrastructure indicators to Shodan to help determine whether there is a security concern that needs to be addressed. The Playbook automates:

  • The querying of Shodan for information and context about an indicator.
  • The parsing of relevant information from the Shodan response.
  • The saving of relevant enrichment information inside ThreatConnect.
  • The display of the results to the user for real-time feedback.

The following actions are available:

  • DNS Lookup
  • Reverse DNS Lookup
  • Search Shodan
  • Get Enrichment
  • Parse Results

This listing can be found in the ThreatConnect App Catalog under the name Shodan.


Built By ThreatConnect

Shodan with Polarity

Polarity's Shodan integration gives users access to automated IPv4 and IPv6 lookups against the Shodan Host REST API. This gives analysts a quick picture of Internet-connected devices and lets them see whether anything is potentially off with the data they are analyzing.

Examples

Shodan Data Overview

  • Summary Tags: Quickly understand where an IP is coming from and whether any open ports are associated with it, so analysts can tell if anything is out of the ordinary.
  • Summary Details: Get a quick view of information about the indicator, such as the location, associated host names, the date the information was last updated, and the ASN.
  • Ports: Quickly see all the open ports and the protocols associated with those ports.
  • Additional Details: Find additional details about the indicator, drawn from information about MACs, ciphers, and SSH fingerprints.

Built By Polarity

Shodan InternetDB with Polarity

The Polarity - Shodan InternetDB integration gives analysts a quick view of the ports, CPEs, and Shodan tags associated with an IP address, so they can move quickly when triaging many different indicators.

Examples

Shodan InternetDB Data Overview

  • Summary Tags: Analysts can quickly identify all open ports associated with the IP.
  • Shodan Tags: When drilling into the details of the integration, analysts can see all associated tags.
  • CPEs: If any Common Platform Enumeration (CPE) entries are associated with the IP, analysts can quickly see those associations.
  • Host Names: Identify whether any host names are associated with the IP address.

Built By Polarity
