I am starting to use Enterprise Security to monitor IT security metrics in my enterprise. I am aware of Shodan and have downloaded reports in the past when I did searches for my interfacing IP addresses and to monitor for vulnerabilities. I was recently at .conf2016 and during one of the breakouts, the speaker asked for a show of hands how many have heard of or are using Shodan. So my question is, how I can use Shodan data within Splunk, or more specifically with ES?
I can see three ways:
I think number 2 is the most important. I'm seriously thinking of making that alert action. I'll update this comment if I can get time to do it; I don't think it will take me long.
You will have to interact with Shodan's API to pull the information you need and get it into Splunk, probably by using a scripted input.
Here's a link to Shodan Developer website for more information: https://developer.shodan.io/
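As an added illustration of the scripted-input approach described in the answer above (this is example code written for this page, not code from the thread or from Shodan/Splunk): a Python script that pulls a host record from Shodan's REST `/shodan/host/{ip}` endpoint and flattens it into one JSON event per exposed service, which Splunk can index with a JSON sourcetype. The API key in `SHODAN_API_KEY` and the IP list in `MONITOR_IPS` are assumed conventions, the field names follow Shodan's documented host response, and the sample record is constructed so the script runs offline when no key is configured.

```python
#!/usr/bin/env python3
"""Scripted input (added example, not from the original thread): pull a host
record from Shodan's REST API and emit one JSON event per open port so Splunk
can index it and ES correlation searches can run over it.

Assumptions (not taken from the thread): the API key is read from the
SHODAN_API_KEY environment variable and the IPs to monitor from MONITOR_IPS
(comma separated). Field names follow Shodan's documented /shodan/host/{ip}
response; the sample record below is constructed for offline testing.
"""
import json
import os
import sys
import time
import urllib.parse
import urllib.request

SHODAN_HOST_URL = "https://api.shodan.io/shodan/host/{ip}?key={key}"


def fetch_host(ip, api_key, timeout=20):
    """Return the parsed JSON host record for `ip` from Shodan."""
    url = SHODAN_HOST_URL.format(ip=urllib.parse.quote(ip),
                                 key=urllib.parse.quote(api_key))
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def host_to_events(record, fetched_at=None):
    """Flatten a Shodan host record into one flat dict per exposed service.

    Each event carries host-level context (ip, hostnames, org) plus the
    service-level fields people usually search on in Splunk (port, transport,
    product, version, CVE list). A host with no services yields one event
    recording that fact, so the absence of exposure is visible too.
    """
    fetched_at = fetched_at or time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    base = {
        "_time": fetched_at,
        "src": "shodan",
        "ip": record.get("ip_str"),
        "hostnames": record.get("hostnames", []),
        "org": record.get("org"),
        "open_port_count": len(record.get("ports", [])),
    }
    services = record.get("data") or []
    if not services:
        return [dict(base, port=None, status="no_services")]
    events = []
    for svc in services:
        ev = dict(base)
        ev.update({
            "port": svc.get("port"),
            "transport": svc.get("transport", "tcp"),
            "product": svc.get("product"),
            "version": svc.get("version"),
            # Shodan keys the per-service vulnerability map by CVE id.
            "vulns": sorted((svc.get("vulns") or {}).keys()),
            "last_seen": svc.get("timestamp"),
        })
        ev["vuln_count"] = len(ev["vulns"])
        events.append(ev)
    return events


def emit(events, out=sys.stdout):
    """Write one JSON object per line; index with sourcetype=_json (or KV_MODE=json)."""
    for ev in events:
        out.write(json.dumps(ev, sort_keys=True) + "\n")


# Constructed sample in the shape of a /shodan/host/{ip} response (not real data;
# the CVE ids are placeholders).
SAMPLE_RECORD = {
    "ip_str": "203.0.113.10",
    "hostnames": ["www.example.test"],
    "org": "Example Org",
    "ports": [22, 443],
    "data": [
        {"port": 22, "transport": "tcp", "product": "OpenSSH", "version": "7.4",
         "timestamp": "2016-10-01T12:00:00.000000"},
        {"port": 443, "transport": "tcp", "product": "nginx", "version": "1.10.0",
         "vulns": {"CVE-EXAMPLE-0002": {}, "CVE-EXAMPLE-0001": {}},
         "timestamp": "2016-10-01T12:00:05.000000"},
    ],
}


def main():
    api_key = os.environ.get("SHODAN_API_KEY")
    ips = [i.strip() for i in os.environ.get("MONITOR_IPS", "").split(",") if i.strip()]
    if not api_key or not ips:
        # Nothing configured: demonstrate the flattening on the constructed sample.
        emit(host_to_events(SAMPLE_RECORD, fetched_at="2016-10-01T12:00:00Z"))
        return
    for ip in ips:
        try:
            emit(host_to_events(fetch_host(ip, api_key)))
        except Exception as exc:  # one failed lookup must not abort the whole run
            sys.stderr.write("shodan lookup failed for %s: %s\n" % (ip, exc))


if __name__ == "__main__":
    main()
```

Drop the script under an app's `bin/` directory, reference it from `inputs.conf` as a scripted input on a daily interval, and set the environment variables (or swap in your own credential store) on the forwarder that runs it. Emitting one event per service rather than one per host is deliberate: it lets a correlation search alert on `vuln_count > 0` or on a port appearing that was not in the previous day's events without having to unpack nested JSON at search time.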