Shodan Enrichment
- Updated on 04 Oct 2023
- 5 Minutes to read
Enabling the Shodan Enrichment
Before you can retrieve data from Shodan®, a System Administrator must first enable and configure the Shodan enrichment in ThreatConnect.
- Log into ThreatConnect with a System Administrator account.
- On the top navigation bar, hover over Settings and select System Settings. The System Settings screen will be displayed with the Settings tab selected.
- Select the Indicators tab. The Indicators screen will be displayed.
- Click Enrichment Tools in the menu on the left side of the Indicators screen. The Enrichment Tools screen will be displayed.
- Click Edit in the Options column for Shodan. The Edit Vendor window will be displayed (Figure 1).
  - Enable Vendor: Select this checkbox to enable Shodan.
  - Enable Automatic Retrieval: Select this checkbox to enable automatic data retrieval for Shodan. If automatic data retrieval is enabled, Shodan data will automatically populate when a user clicks on an Indicator’s Enrichment tab for the first time. This checkbox is selected by default.
  - API Key: Enter the API key that will be used to retrieve data from Shodan.
  - VALIDATE: After entering the Shodan API key, click this button to validate it. If the API key is accepted, the VALIDATE button’s label will change to VALID, indicating that a valid API key has been entered. If the API key is not accepted, a message stating “API Key is invalid.” will be displayed at the top of the Edit Vendor window.
  - Lookup/Retrieve: Select the Indicator type(s) for which to retrieve data from Shodan. The only available Indicator type is Address.
- Click the SAVE button.
When Shodan is enabled, a value of true will be displayed in the Enabled column for its entry on the Enrichment Tools screen.
Data Overview
The Overview section of the Shodan card (Figure 2) provides a summary of data retrieved from Shodan for an Address Indicator and the date and time the data were last retrieved.
- HostNames: The hostname(s) associated with the Address.
- Domains: The domain(s) associated with the Address.
- Tags: The tag(s) applied to the Address in Shodan.
- Cloud Provider: The cloud provider associated with the Address.
- Cloud Region: The region associated with the Address’ cloud provider.
- Country: The country associated with the Address.
- City: The city associated with the Address.
- Organization: The registering organization associated with the Address.
- ISP: The internet service provider (ISP) associated with the Address.
- ASN: The autonomous system number (ASN) associated with the Address.
- OpenPorts: The port(s) open on the Address.
- Last Updated: The date and time when data for the Address were last updated in Shodan.
Shodan Detailed View
Click the Open Detailed View link on the Shodan card to display the Shodan Detailed View drawer (Figure 3). This drawer displays cards with additional data retrieved from Shodan.
The cards displayed on the Shodan Detailed View drawer are collapsed by default. Click on a card to expand it and view its data. To collapse or expand all cards, click the Collapse All or Expand All button, respectively, at the top right of the drawer. Figure 4 shows the Shodan Detailed View drawer in Figure 3 with all available cards expanded.
See Table 1 for a list of cards that may be displayed on the Shodan Detailed View drawer for an Address Indicator.
| Card Name | Description |
|---|---|
| TCP:&lt;port number&gt; | This card displays the details of the Transmission Control Protocol (TCP) port number open on the Address. Details about the product and Secure Sockets Layer (SSL) certificate may also be displayed, if available. |
| UDP:&lt;port number&gt; | This card displays the details of the User Datagram Protocol (UDP) port number open on the Address. Details about the product and SSL certificate may also be displayed, if available. |
| Unverified Vulnerabilities | This card displays a list of vulnerabilities that may or may not affect the Indicator and are implied based on metadata (e.g., software, version) collected by Shodan. Details displayed include the Common Vulnerabilities and Exposures (CVE) ID number, the affected port number, and a description of the CVE. |
| Verified Vulnerabilities | This card displays a list of verified vulnerabilities that affect the Address. Details displayed include the CVE ID number, the affected port number, and a description of the CVE. |
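The Overview fields and the Detailed View cards above map directly onto fields of a Shodan host record. The following Python is an added example, not ThreatConnect or Shodan code: it takes a host record in the Shodan host JSON layout (`hostnames`, `domains`, `tags`, `cloud`, `country_name`, `city`, `org`, `isp`, `asn`, `ports`, `last_update`, and per-banner `vulns` entries carrying a `verified` flag) and rebuilds the Overview summary, the TCP/UDP port cards, and the Verified/Unverified Vulnerabilities split. The sample record is constructed for the example; the verified CVE ID in it is a placeholder, and missing fields (for example no `cloud` block for a non-cloud host) are handled rather than assumed.

```python
"""Rebuild the Shodan enrichment card contents from a raw Shodan host record.

Added example; not ThreatConnect's or Shodan's own code. Field names follow
the Shodan host JSON layout. SAMPLE_HOST is constructed for this example.
"""
from __future__ import annotations

SAMPLE_HOST = {  # constructed sample, not a real host
    "ip_str": "203.0.113.10",
    "hostnames": ["web.example.test"],
    "domains": ["example.test"],
    "tags": ["cloud"],
    "cloud": {"provider": "ExampleCloud", "region": "eu-west-1", "service": None},
    "country_name": "Ireland",
    "city": "Dublin",
    "org": "Example Org",
    "isp": "Example ISP",
    "asn": "AS64496",
    "ports": [81, 22],
    "last_update": "2023-10-01T12:34:56.000000",
    "data": [
        {"port": 22, "transport": "tcp", "product": "OpenSSH", "version": "8.2p1"},
        {
            "port": 81,
            "transport": "tcp",
            "product": "nginx",
            "version": "1.18.0",
            "vulns": {
                # Implied from the product/version banner: Shodan marks it unverified.
                "CVE-2021-23017": {"verified": False, "cvss": 6.8,
                                   "summary": "Constructed description for the example."},
                # Placeholder CVE ID (constructed), flagged verified for the example.
                "CVE-0000-00000": {"verified": True, "cvss": 9.8,
                                   "summary": "Constructed placeholder; not a real CVE."},
            },
        },
    ],
}


def overview(host: dict) -> dict:
    """Summary fields shown on the Shodan card's Overview section."""
    cloud = host.get("cloud") or {}  # absent for non-cloud hosts
    return {
        "HostNames": list(host.get("hostnames") or []),
        "Domains": list(host.get("domains") or []),
        "Tags": list(host.get("tags") or []),
        "Cloud Provider": cloud.get("provider"),
        "Cloud Region": cloud.get("region"),
        "Country": host.get("country_name"),
        "City": host.get("city"),
        "Organization": host.get("org"),
        "ISP": host.get("isp"),
        "ASN": host.get("asn"),
        "OpenPorts": sorted(host.get("ports") or []),
        "Last Updated": host.get("last_update"),
    }


def port_cards(host: dict) -> dict:
    """One card per banner, named TCP:<port> or UDP:<port> as in the Detailed View."""
    cards = {}
    for banner in host.get("data") or []:
        name = f"{(banner.get('transport') or 'tcp').upper()}:{banner['port']}"
        cards[name] = {
            "product": banner.get("product"),
            "version": banner.get("version"),
            "ssl": banner.get("ssl"),  # certificate details when Shodan captured them
        }
    return cards


def vulnerability_cards(host: dict) -> dict:
    """Split per-banner vulns into the Verified and Unverified cards (CVE, port, description)."""
    verified: list[dict] = []
    unverified: list[dict] = []
    for banner in host.get("data") or []:
        for cve, info in (banner.get("vulns") or {}).items():
            row = {"cve": cve, "port": banner["port"], "description": info.get("summary", "")}
            (verified if info.get("verified") else unverified).append(row)
    order = lambda r: (r["cve"], r["port"])
    return {
        "Verified Vulnerabilities": sorted(verified, key=order),
        "Unverified Vulnerabilities": sorted(unverified, key=order),
    }


if __name__ == "__main__":
    print(overview(SAMPLE_HOST))
    print(port_cards(SAMPLE_HOST))
    print(vulnerability_cards(SAMPLE_HOST))
```

The unverified list is the one to treat with care before importing: those entries are inferred from the product and version string in the banner, so a backported fix or a hardened build will still show up there. Checking the affected port against the matching `TCP:<port>` card keeps the review grounded in what Shodan actually observed.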
Importing Vulnerabilities From Shodan Into ThreatConnect
When viewing the Unverified Vulnerabilities or Verified Vulnerabilities cards on the Shodan Detailed View drawer, you may import all or a subset of the vulnerabilities into ThreatConnect as Vulnerability Groups and associate them to the enriched Indicator (i.e., the Indicator whose Details screen you are viewing).
- On the Shodan Detailed View drawer, expand the Unverified Vulnerabilities or Verified Vulnerabilities card to display a table containing vulnerabilities retrieved from Shodan that are related to the enriched Indicator (Figure 4).
- On the expanded Unverified Vulnerabilities or Verified Vulnerabilities card, select the checkbox for each vulnerability you want to import into ThreatConnect. To select all vulnerabilities displayed on the current page in the table, select the checkbox in the table’s header.
- Click the Import button at the top left of the expanded Unverified Vulnerabilities or Verified Vulnerabilities card. The Import Groups window will be displayed (Figure 5).
  - Group Details: In this section, you can fill out the following information for the Vulnerability Group(s) that will be created and associated to the enriched Indicator:
  - New Groups to be Imported & Associated: This section displays a list of vulnerabilities that will be imported into ThreatConnect as Vulnerability Groups. Each Group’s name will include the vulnerability’s name and port number (e.g., CVE-2021-23017 on port 81), and the value listed in the Description column will be set as the Group’s default Description. To remove a vulnerability from this list, click Remove.
- Click the Import Groups button.
The selected vulnerabilities will be imported into ThreatConnect as Vulnerability Groups and associated to the enriched Indicator, and the Associations tab of the Indicator’s Details screen will be displayed. The associated Vulnerability Groups will be displayed on the Groups card of the Associations tab. You may also view these associations on the Associations card of the Indicator’s legacy Details screen, under the Associated Groups section when the card is in table view.
Retrieving Data Manually
When you click on an Address Indicator’s Enrichment tab for the first time, data will be retrieved from Shodan automatically if your System Administrator has enabled automatic data retrieval for Shodan. Otherwise, a message stating that “Automatic Data Retrieval has been disabled by the System Administrator” will be displayed on the card, and you will need to click the Retrieve Data button to populate the card with data. Once data have been retrieved, they will be cached for a period of time configured by your System Administrator. Each time you revisit that Indicator’s Enrichment tab, the cached Shodan data will be displayed until this period of time has passed.
To retrieve the latest Shodan data for the Indicator manually, click the Retrieve Data button.
Enriching Indicators Using the ThreatConnect API
You can also use the ThreatConnect v3 API to enrich Address Indicators with data from Shodan. For instructions on using the ThreatConnect v3 API to enrich Indicators, see Indicator Enrichment Overview.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
Shodan® is a registered trademark of Shodan.
20146-04 v.03.A