<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How can I use Shodan data with Splunk Enterprise Security? in Splunk Enterprise Security</title>
    <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/How-can-I-use-Shodan-data-with-Splunk-Enterprise-Security/m-p/220218#M1340</link>
    <description>&lt;P&gt;You will have to interact with Shodan's API to pull the information you need and get it into Splunk, probably by using a scripted input.&lt;BR /&gt;
Here's a link to the Shodan Developer website for more information: &lt;A href="https://developer.shodan.io/"&gt;https://developer.shodan.io/&lt;/A&gt; &lt;/P&gt;</description>
    <pubDate>Mon, 03 Oct 2016 19:33:27 GMT</pubDate>
    <dc:creator>guarisma</dc:creator>
    <dc:date>2016-10-03T19:33:27Z</dc:date>
    <item>
      <title>How can I use Shodan data with Splunk Enterprise Security?</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/How-can-I-use-Shodan-data-with-Splunk-Enterprise-Security/m-p/220217#M1339</link>
      <description>&lt;P&gt;I am starting to use Enterprise Security to monitor IT security metrics in my enterprise. I am aware of Shodan and have downloaded reports in the past when I did searches for my interfacing IP addresses and to monitor for vulnerabilities. I was recently at .conf2016 and during one of the breakouts, the speaker asked for a show of hands how many have heard of or are using Shodan. So my question is, how I can use Shodan data within Splunk, or more specifically with ES?&lt;/P&gt;</description>
      <pubDate>Mon, 03 Oct 2016 18:29:12 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise-Security/How-can-I-use-Shodan-data-with-Splunk-Enterprise-Security/m-p/220217#M1339</guid>
      <dc:creator>rickettw</dc:creator>
      <dc:date>2016-10-03T18:29:12Z</dc:date>
    </item>
    <item>
      <title>Re: How can I use Shodan data with Splunk Enterprise Security?</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/How-can-I-use-Shodan-data-with-Splunk-Enterprise-Security/m-p/220218#M1340</link>
      <description>&lt;P&gt;You will have to interact with Shodan's API to pull the information you need and get it into Splunk, probably by using a scripted input.&lt;BR /&gt;
Here's a link to the Shodan Developer website for more information: &lt;A href="https://developer.shodan.io/"&gt;https://developer.shodan.io/&lt;/A&gt; &lt;/P&gt;</description>
      <pubDate>Mon, 03 Oct 2016 19:33:27 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise-Security/How-can-I-use-Shodan-data-with-Splunk-Enterprise-Security/m-p/220218#M1340</guid>
      <dc:creator>guarisma</dc:creator>
      <dc:date>2016-10-03T19:33:27Z</dc:date>
    </item>
    <item>
      <title>Re: How can I use Shodan data with Splunk Enterprise Security?</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise-Security/How-can-I-use-Shodan-data-with-Splunk-Enterprise-Security/m-p/220219#M1341</link>
      <description>&lt;P&gt;I can see three ways:&lt;/P&gt;

&lt;OL&gt;
&lt;LI&gt;Workflow action: allow users to open the Shodan web UI in the user's browser&lt;/LI&gt;
&lt;LI&gt;Adaptive Response Action: get info from Shodan in a way that it can be viewed on Incident Response. To work best with ES, this should be a full Adaptive Response Action (not just a plain Alert Action).&lt;/LI&gt;
&lt;LI&gt;Modular Input: to keep retrieving information for a particular host (if you want to monitor changes in hosts)&lt;/LI&gt;
&lt;/OL&gt;

&lt;P&gt;I think number 2 is the most important. I'm seriously thinking of making that alert action. I'll update this comment if I can get time to do it; I don't think it will take me long.&lt;/P&gt;</description>
      <pubDate>Mon, 03 Oct 2016 20:37:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise-Security/How-can-I-use-Shodan-data-with-Splunk-Enterprise-Security/m-p/220219#M1341</guid>
      <dc:creator>LukeMurphey</dc:creator>
      <dc:date>2016-10-03T20:37:33Z</dc:date>
    </item>
  </channel>
</rss>

