Enricher - Shodan IPs & Domains

Note

This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.

Enricher name	Shodan
Valid Observable types	Domain, ipv4, ipv6
Description	Enriches supported Observable types by creating an Indicator entity with the following information, when available: country name, city name, ZIP code, longitude, latitude, organization name, host name, IP address, open ports and services related to input IP addresses and Domains. If information about CVEs is found, an Exploit target entity is created and related through Observables.
API endpoint	https://api.shodan.io/shodan

Requirements

Users need an API key for their own configuration. Sign up and subscribe to the service to obtain the required API key credentials to access the API endpoint exposing the service.

Configure the enricher parameters

1. Edit the enricher.

2. From the Observable types drop-down menu, select one or more observable types you want to enrich with data retrieved through the enricher.

3. The API URL field is automatically filled in with the default domain for the endpoint.
   You can add a proxy or set up ports according to your needs.
   Default value: https://api.shodan.io/.

4. In the API key field, enter the Shodan Enter the API key to access the intelligence provider API and to consume the available services through their API endpoints.

5. To store your changes, click Save; to discard them, click Cancel.

Additional information

Polling the Shodan API through the Shodan enricher may consume Shodan credits.

Searching Shodan via the API uses query credits when:

• The search query uses a search filter.

• The retrieved search query results span beyond page one, and you request page 2 or beyond.

The Shodan enricher uses pagination. Therefore, if it requests results extending to page 2 or beyond, it consumes query credits.

For further details see Shodan Credits Explained.