Weekly Shodan Query / Report Accidents (no function node)

Automated workflow for Shodan that runs weekly to monitor and report unexpected open ports on specified IP addresses. It fetches IP and port data, scans for services, filters for anomalies, and formats findings into a Markdown report. Alerts are then created in TheHive for immediate incident response, enhancing network security and oversight.

7/8/2025
15 nodes
Complex
Categories: Schedule Triggered, Complex Workflow, Technical Infrastructure & DevOps
Integrations: ItemLists, Filter, Markdown, SplitInBatches, Sticky Note, Schedule Trigger, TheHive

Target Audience

This workflow is ideal for:
- Network Security Analysts: To monitor and identify unexpected open ports in their network.
- IT Security Teams: To automate the process of checking IP addresses and ports for vulnerabilities.
- System Administrators: To ensure that only authorized services are running on their servers.
- Incident Response Teams: To quickly respond to security alerts generated by unexpected open ports.

Problem Solved

This workflow addresses the challenge of monitoring network integrity by automating the detection of unexpected open ports on monitored IP addresses. It provides a systematic approach to identify potential security risks, ensuring that organizations can respond proactively to threats. By integrating with Shodan, it leverages real-time data to enhance network security.

Workflow Steps

1. Scheduled Trigger: The workflow initiates every Monday at 5 AM to ensure regular monitoring.
2. Get Watched IPs & Ports: It fetches a list of IP addresses and their associated ports from a security system, expecting data in a specific JSON format.
3. Iterate Through IP Addresses: The workflow processes each IP address one at a time to maintain focus and performance.
4. Scan Each IP: For each IP, it queries the Shodan API to retrieve details about the services running on the specified ports.
5. Split Out Services: The response is parsed to extract the services for further analysis.
6. Check for Unexpected Ports: A filter checks whether each returned port is on the expected list; if not, the workflow proceeds to set data for reporting.
7. Prepare Data for Markdown Table: Information about the IP, hostnames, port, and description is formatted for reporting.
8. Convert to HTML Table: The data is converted into an HTML table format for better visualization.
9. Convert to Markdown: The HTML table is then transformed into Markdown for easy integration into reports.
10. Create Alert in TheHive: If unexpected open ports are found, an alert is created in TheHive for incident management.
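The filter and reporting stages (steps 5 to 10) are the part of this workflow worth checking by hand before wiring it into TheHive. The script below is an added example, not part of the n8n template, that reproduces that logic offline: it takes a watch-list of expected ports per host, splits the banners out of a Shodan-style host record, keeps only services on ports that are not expected, renders them as the Markdown table the alert carries, and builds the alert payload (or none, when nothing was found). The watch-list and the Shodan responses are constructed sample data using documentation addresses; the record shape (a `data` list of banners with `port`, `transport`, `product`, `hostnames`) follows Shodan's host endpoint but is an assumption here, as is the exact TheHive alert field set.

```python
"""Offline reference for the workflow's filter/report logic (added example).

Sample data below is CONSTRUCTED. The Shodan record layout (banners under "data"
with port/transport/product/hostnames) and the TheHive alert fields are assumptions,
not the template's own formats.
"""
from typing import Dict, List, Optional

# Constructed watch-list: the ports each monitored host is expected to expose.
WATCHED: Dict[str, List[int]] = {
    "203.0.113.10": [22, 443],
    "203.0.113.20": [80, 443],
}

# Constructed Shodan-style host records (RFC 5737 documentation addresses).
SHODAN_RESPONSES: Dict[str, dict] = {
    "203.0.113.10": {
        "ip_str": "203.0.113.10",
        "hostnames": ["web.example.test"],
        "ports": [22, 443, 3306],
        "data": [
            {"port": 22, "transport": "tcp", "product": "OpenSSH", "hostnames": ["web.example.test"]},
            {"port": 443, "transport": "tcp", "product": "nginx", "hostnames": ["web.example.test"]},
            {"port": 3306, "transport": "tcp", "product": "MySQL", "hostnames": ["web.example.test"]},
        ],
    },
    "203.0.113.20": {
        "ip_str": "203.0.113.20",
        "hostnames": [],
        "ports": [80, 443],
        "data": [
            {"port": 80, "transport": "tcp", "product": "Apache httpd"},
            {"port": 443, "transport": "tcp", "product": "Apache httpd"},
        ],
    },
}


def unexpected_services(ip: str, expected_ports: List[int], host: dict) -> List[dict]:
    """Steps 5-6: split the banners out of one host record and keep those whose
    port is not on the expected list. Returns one report row per unexpected service."""
    expected = set(expected_ports)
    rows = []
    for banner in host.get("data", []):
        port = banner.get("port")
        if port in expected:
            continue
        names = banner.get("hostnames") or host.get("hostnames") or []
        rows.append({
            "ip": ip,
            "hostnames": ", ".join(names) if names else "-",
            "port": port,
            "description": f"{banner.get('transport', '?')}/{banner.get('product') or 'unknown'}",
        })
    return rows


def scan_watchlist(watched: Dict[str, List[int]], responses: Dict[str, dict]) -> List[dict]:
    """Steps 3-6: walk the watched hosts one at a time and collect every finding."""
    findings: List[dict] = []
    for ip, ports in watched.items():
        host = responses.get(ip)
        if host is None:  # no Shodan record for this host: nothing to compare
            continue
        findings.extend(unexpected_services(ip, ports, host))
    return findings


def to_markdown_table(rows: List[dict]) -> str:
    """Steps 7-9: render the findings as the Markdown table placed in the alert."""
    header = "| IP | Hostnames | Port | Description |\n|---|---|---|---|"
    body = "\n".join(
        f"| {r['ip']} | {r['hostnames']} | {r['port']} | {r['description']} |" for r in rows
    )
    return header + ("\n" + body if body else "")


def build_alert(rows: List[dict]) -> Optional[dict]:
    """Step 10: return an alert payload, or None so that no alert is raised when the
    filter produced nothing. Field names mirror TheHive's alert API (title, description,
    severity, source, sourceRef, type) but the exact schema is an assumption."""
    if not rows:
        return None
    hosts = sorted({r["ip"] for r in rows})
    return {
        "title": f"Unexpected open ports on {len(hosts)} watched host(s)",
        "description": to_markdown_table(rows),
        "severity": 2,
        "source": "shodan-weekly",
        "sourceRef": "shodan-weekly-" + "-".join(hosts),  # constructed reference
        "type": "unexpected-port",
    }


if __name__ == "__main__":
    found = scan_watchlist(WATCHED, SHODAN_RESPONSES)
    print(to_markdown_table(found))
    print(build_alert(found))
```

Run as-is, the script reports the single MySQL banner on 203.0.113.10 (port 3306 is not on that host's expected list) and nothing for 203.0.113.20; replacing `SHODAN_RESPONSES` with real API output lets you confirm the filter's behaviour on your own watch-list before the weekly schedule fires.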
Customization Guide

To customize this workflow:
- Change Schedule: Modify the schedule trigger to run at a different time or frequency, based on your monitoring needs.
- Update API Calls: Replace the Shodan API call with your own security system's API to fetch IPs and ports.
- Adjust Filter Conditions: Modify the filter conditions to define what constitutes an 'unexpected' port based on your organization's security policy.
- Enhance Reporting: Customize the Markdown table format or add additional fields to the alert created in TheHive for more detailed reporting.
- Error Handling: Implement error handling mechanisms to address potential issues with API calls or data formatting.