Shodan 2.0.0
App Vendor: Shodan
App Category: Data Enrichment & Threat Intelligence
Connector Version: 2.0.0
API Version: V1.0.0
About App
Shodan is a search engine that lets users search for various types of servers connected to the internet using a variety of filters. The Shodan app enables security teams to integrate with the Shodan enterprise application to monitor domains, DNS, and domain and IP address reputation.
The Shodan app is configured with Cyware Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Add to Whitelist | This action adds the specified service to the whitelist, preventing network alerts from being triggered by the specified service for the defined conditions. |
Create Alert | This action creates a network alert to monitor a specified IP address or netblock range for changes or events. |
Delete Alert | This action deletes the specified network alert. |
Disable Trigger | This action disables the specified trigger, preventing notifications for events associated with it. |
Enable Trigger | This action enables the trigger to start receiving notifications when the specified conditions are met. |
Get Domain Information | This action retrieves all the subdomains and other DNS entries for the given domain. |
Get Host Information | This action retrieves all services associated with the given host IP address. |
Get Network Alert Details | This action retrieves the details of the specified alert. |
Get Scan Request Status | This action checks the progress of a previously submitted scan request for the specified port and protocol. |
List Alerts | This action retrieves a list of all the alerts. |
Lookup DNS | This action looks up the IP address for the given hostnames. |
Lookup Reverse DNS | This action looks up the hostnames for the given list of IP addresses. |
Remove from Whitelist | This action removes the specified service from the whitelist and resumes notifications for network alerts triggered by specific conditions. |
Scan Internet (Beta) | This action scans the internet to search for a specific port. |
Scan IP | This action scans the specified IP or netblock. |
Search Host | This action searches Shodan with query syntax and displays summarized property data using facets. |
Generic Action | This is a generic action used to make requests to any Shodan endpoint. |
Configuration Parameters
The following configuration parameters are required for the Shodan app to communicate with the Shodan enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
API Key | Enter the API key to access Shodan. | Password | Required | |
Verify | Choose whether to verify the SSL/TLS certificate while making requests. It is recommended to set this option to yes. Setting it to no may result in the connection being established incorrectly, because the server's certificate is not validated. | Boolean | Optional | By default, verification is not enabled. |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Shodan. | Integer | Optional | Allowed range: 15-120. Default value: 15 |
Action: Add to Whitelist
This action adds the specified service to the whitelist, preventing network alerts from being triggered by the specified service for the defined conditions.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the ID of the alert. Example: 12HR5I03CCVPMAKK | Text | Required | You can retrieve the alert ID using Action: List Alerts. |
Trigger | Enter the name of the trigger. Example: new_service | Text | Required | |
Service | Enter the service to add to the whitelist. Example: 1.1.1.1:80 | Text | Required | Allowed format: ip:port |
Example Request
[ { "id": "12HR5I03CCVPMAKK", "service": "1.1.1.1:53", "trigger": "new_service" } ]
Action: Create Alert
This action creates a network alert to monitor a specified IP address or netblock range for changes or events.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Name | Enter the name of the alert. Example: DNS Alert | Text | Required | |
IP | Enter the list of IPs or network ranges in CIDR notation to define the criteria for triggering an alert. Example: "ip": ["8.8.8.8", "1.1.1.1"] | List | Required | |
Expires | Enter the number of seconds for which the alert should remain active. | Integer | Optional | |
Example Request
[ { "ip": [ "1.1.1.4" ], "name": "DNS Alert" } ]
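A pre-flight check for whitelist requests, as an added example that is not part of the Shodan app or Cyware Orchestrate: it validates the `ip:port` format of `service` and confirms the address falls inside the ranges given in a Create Alert `ip` list, since a whitelist entry suppresses notifications. The function names, the sample data and the "must be inside the monitored ranges" policy are assumptions of this example; the field names come from the example requests above.

```python
import ipaddress


def parse_service(service):
    """Split an 'ip:port' whitelist entry into (address, port); ValueError if malformed."""
    host, sep, port_text = service.rpartition(":")
    if not sep or not (port_text.isascii() and port_text.isdigit()):
        raise ValueError(f"service must be ip:port, got {service!r}")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {service!r}")
    return ipaddress.ip_address(host), port  # ip_address() rejects non-IP hosts


def monitored_networks(ip_list):
    """Parse a Create Alert 'ip' list (single IPs or CIDR ranges) into network objects."""
    return [ipaddress.ip_network(entry, strict=False) for entry in ip_list]


def check_whitelist_request(request, networks):
    """Return a list of problems with an Add to Whitelist request; empty means it passes."""
    missing = [k for k in ("id", "trigger", "service") if not str(request.get(k, "")).strip()]
    if missing:
        return [f"missing required field: {k}" for k in missing]
    try:
        address, _port = parse_service(request["service"])
    except ValueError as exc:
        return [str(exc)]
    # Policy assumed by this example (not Shodan behaviour): an entry for an address
    # the alert does not monitor is treated as a likely mistake and flagged.
    if not any(address in net for net in networks):
        return [f"{address} is not covered by the alert's monitored ranges"]
    return []


# Constructed sample data, reusing the ID and trigger shown in the example requests.
ALERT_IPS = ["1.1.1.0/24", "8.8.8.8"]
REQUESTS = [
    {"id": "12HR5I03CCVPMAKK", "service": "1.1.1.1:53", "trigger": "new_service"},
    {"id": "12HR5I03CCVPMAKK", "service": "9.9.9.9:53", "trigger": "new_service"},
    {"id": "12HR5I03CCVPMAKK", "service": "1.1.1.1", "trigger": "new_service"},
]

if __name__ == "__main__":
    nets = monitored_networks(ALERT_IPS)
    for req in REQUESTS:
        print(req["service"], "->", check_whitelist_request(req, nets) or "ok")
```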
Action: Delete Alert
This action deletes the specified network alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the ID of the alert to delete. Example: Y5HT0KF1SSQUBT8V | Text | Required | You can retrieve the alert ID using Action: List Alerts. |
Example Request
[ { "id": "Y5HT0KF1SSQUBT8V" } ]
Action: Disable Trigger
This action disables the specified trigger, preventing notifications for events associated with it.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the ID of the alert. Example: X0SU02ZC5CGP92FG | Text | Required | You can retrieve the alert ID using Action: List Alerts. |
Trigger | Enter the name of the trigger to disable. Example: new_service | Text | Required | |
Example Request
[ { "id": "X0SU02ZC5CGP92FG", "trigger": "new_service" } ]
Action: Enable Trigger
This action enables the trigger to start receiving notifications when the specified conditions are met.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the ID of the alert. Example: 12HR5I03CCVPMAKK | Text | Required | You can retrieve the alert ID using Action: List Alerts. |
Trigger | Enter the name of the trigger to enable. Example: new_service | Text | Required | |
Example Request
[ { "id": "12HR5I03CCVPMAKK", "trigger": "new_service" } ]
Action: Get Domain Information
This action retrieves all the subdomains and other DNS entries for the given domain.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain Name | Enter the domain name. Example: example.com | Text | Required | |
History | Choose true to include historical DNS data in the response. | Boolean | Optional | Default value: false |
Type | Enter the DNS record type. | Text | Optional | Allowed values: A, AAAA, CNAME, NS, SOA, MX, TXT |
Page | Enter the page number to display results in batches of 100. | Integer | Optional | Default value: 1 |
Example Request
[ { "domain_name": "example.com", "extra_params": {} } ]
Action: Get Host Information
This action retrieves all services associated with the given host IP address.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IP Address | Enter the IP address to retrieve information. Example: 8.8.8.8 | Text | Required | |
History | Choose true to include historical DNS data in the response. | Boolean | Optional | Default value: false |
Minify | Choose true to truncate some of the larger fields. | Boolean | Optional | Default value: false |
Example Request
[ { "ip": "8.8.8.8", "extra_params": {} } ]
Action: Get Network Alert Details
This action retrieves the details of the specified alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the ID of the alert to retrieve its details. Example: X0SU02ZC5CGP92FG | Text | Required | You can retrieve the alert ID using Action: List Alerts. |
Example Request
[ { "id": "X0SU02ZC5CGP92FG" } ]
Action: Get Scan Request Status
This action checks the progress of a previously submitted scan request for the specified port and protocol.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Scan ID | Enter the ID of the scan to check the status. Example: PkNjX0EyJ0rPL51p | Text | Required | |
Example Request
[ { "scan_id": "PkNjX0EyJ0rPL51p" } ]
Action: List Alerts
This action retrieves a list of all the alerts.
Action Input Parameters
No input parameters are required for this action.
Action: Lookup DNS
This action looks up the IP address for the given hostnames.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain Name | Enter the domain name to look up. Example: sampledomain.com | Any | Required | |
Example Request
[ { "domain_name": "sampledomain.com" } ]
Action: Lookup Reverse DNS
This action looks up the hostnames for the given list of IP addresses.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IP Address | Enter the comma-separated list of IP addresses. Example: $LIST[74.125.227.230,204.79.197.200] | Any | Required | |
Example Request
[ { "ip_address": "8.8.8.8" } ]
Action: Remove from Whitelist
This action removes the specified service from the whitelist and resumes notifications for network alerts triggered by specific conditions.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the ID of the alert. Example: oyprb8ir9z35azpr | Text | Required | You can retrieve the alert ID using Action: List Alerts. |
Trigger | Enter the name of the trigger. Example: new_service | Text | Required | |
Service | Enter the service to remove from the whitelist. Example: 1.1.1.1:80 | Str | Required | Allowed format: ip:port |
Example Request
[ { "id": "12HR5I03CCVPMAKK", "service": "1.1.1.1:53", "trigger": "new_service" } ]
Action: Scan Internet (Beta)
This action scans the internet to search for a specific port.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Port | Enter the port number that Shodan should use to crawl the internet. Example: 80 | Integer | Required | |
Protocol | Enter the protocol name to query the specified port. Example: http | Text | Required | |
Action: Scan IP
This action scans the specified IP or netblock.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IPs | Enter a comma-separated list of IPs or netblocks (in CIDR notation) to scan. Example: $JSON[{"1.1.1.1": [[53, "dns-udp"],[443, "https"]]}] | Text | Required | |
Example Request
[ { "ip": "1.1.1.1" } ]
Action: Search Host
This action searches Shodan with query syntax and displays summarized property data using facets.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the query to search. Example: product:nginx | Text | Required | |
Facets | Enter facets as a comma-separated list of properties for summary info. Use 'property:count' to specify the number of facets. Example: 'country:100' | Text | Optional | |
Page | Enter the page number to display results in batches of 100. | Integer | Optional | Default value: 1 |
Minify | Choose true to truncate some of the larger fields. | Boolean | Optional | Default value: true |
Example Request
[ { "query": "product:nginx", "extra_params": {} } ]
Action: Generic Action
This is a generic action used to make requests to any Shodan endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Method | Enter the HTTP method to make the request. | Text | Required | Allowed values: GET, PUT, POST, DELETE |
Endpoint | Enter the endpoint to make the request to. | Text | Required | |
Query Params | Enter the query parameters to pass to the API. | Key Value | Optional | |
Payload | Enter the payload to pass to the API. | Any | Optional | |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional | Allowed keys: payload_json, download, files, filename, retry_wait, retry_count, custom_output, response_type |
Example Request
[ { "method": "PUT", "endpoint": "/alert/{id}/trigger/{trigger}", "query_params": { "page": "0", "size": "100" } } ]
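Because the Generic Action forwards a request to any Shodan endpoint, a playbook can constrain what it sends. The following added example (not code from the Shodan app or Cyware Orchestrate) builds a Generic Action request from an endpoint template, restricts the method to the allowed values listed above, and percent-encodes each path value so it cannot add path segments. The helper name and the idea that the caller fills the `{id}` and `{trigger}` placeholders before submitting are assumptions of this example.

```python
from urllib.parse import quote

# Allowed values from the Method row of the Generic Action parameters.
ALLOWED_METHODS = {"GET", "PUT", "POST", "DELETE"}


def build_generic_request(method, endpoint_template, path_values, query_params=None):
    """Return a Generic Action request list with a validated method and encoded path.

    Hypothetical helper: fills {name} placeholders in endpoint_template from path_values.
    """
    method = method.upper()
    if method not in ALLOWED_METHODS:
        raise ValueError(f"method not allowed: {method}")
    if not endpoint_template.startswith("/"):
        raise ValueError("endpoint must be a path starting with '/'")

    endpoint = endpoint_template
    for name, value in path_values.items():
        placeholder = "{" + name + "}"
        if placeholder not in endpoint:
            raise ValueError(f"no placeholder for path value: {name}")
        # safe="" also encodes '/', so a value cannot introduce extra path segments.
        endpoint = endpoint.replace(placeholder, quote(str(value), safe=""))
    if "{" in endpoint or "}" in endpoint:
        raise ValueError(f"unfilled placeholder in endpoint: {endpoint}")

    request = {"method": method, "endpoint": endpoint}
    if query_params:
        request["query_params"] = {str(k): str(v) for k, v in query_params.items()}
    return [request]


if __name__ == "__main__":
    # Constructed input reusing the alert ID and trigger name from the examples above.
    print(build_generic_request(
        "put",
        "/alert/{id}/trigger/{trigger}",
        {"id": "12HR5I03CCVPMAKK", "trigger": "new_service"},
    ))
```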