Shodan is an Open Source Intelligence (OSINT) tool used for tracking security flaws in devices, networked hardware and software, control systems, IOT devices like security cameras, medical equipment, and other devices that are exposed via the internet.

Query integrates with Shodan’s REST APIs to provide threat intelligence and enrichment. See our integration documentation here.

Once you have completed integration, your Query federated searches will start to show you relevant OSINT context on any supported entity you are investigating.

For example:

  • If any users or devices belonging to the organization communicated with a public IP, you now have a rich OSINT context of the services running behind that IP. 
  • If the analyst is investigating any organizational asset, they can get an idea of the exposure of that asset via the internet, i.e. the services running, and their vulnerabilities.

The integration normalizes data pulled from Shodan into Query’s OCSF based QDM (Query Data Model) which then enables cross-platform joins, compounding the analyst’s ability to investigate. For any public IP or domain, QDM extracts and maps the data into IP Threat Intel and Domain Threat Intel objects. The analysts can see IP Address, Domains, Network Ports, Hostnames, ASN, ISP, Geo Location info, and additional data labels and attributes needed to investigate.

Depending on the other integrations in your Query instance, analysts can find:

  • Which devices communicated with the above public IP or domain.
  • Who are the users on these devices and what is their role.
  • Additional alerts correlated with the user or the device, such as based upon email, web, or file activity.
  • Relevant follow up searches to get vulnerability or malware information associated with related entities like files, processes, and applications on that device.