Shodan

Enterprise

runZero integrates with Shodan by importing data from the Shodan API. This integration allows you to sync data about your externally-facing assets and services from Shodan to provide better visibility of your internet footprint and cyber hygiene.

How runZero maps Shodan devices to assets:

  • For Shodan devices that can be matched to an existing runZero asset, asset-level attributes will be updated, and Shodan-specific attributes will be added.

  • For hosts that cannot be matched with an existing runZero asset, a new asset will be created in the site specified when the integration task is set up.

runZero is able to merge existing assets with Shodan data when the IP address or hostname overlaps. Shodan devices can also be manually merged into runZero assets using the Merge button on the Asset Inventory page.

Getting started

To set up the Shodan integration, you’ll need to:

  1. Add the Shodan API key in runZero.
  2. Activate the Shodan connection to sync your data with runZero.

Requirements

Before you can set up the Shodan integration:

  • Verify that you have runZero Enterprise.
  • Make sure you have a Shodan account with the correct license to meet your needs.

Step 1: Add the Shodan credential to runZero

  1. Go to the new credential page in runZero. Provide a name for the credential, like Shodan.
  2. Choose Shodan Search API key from the list of credential types.
  3. Provide your Shodan Search API key - To view your API key, go to your Account page in the Shodan portal. Your API key is available on that page and can be reset if needed.
  4. If you want other organizations to be able to use this credential, select the Make this a global credential option. Otherwise, you can configure access on a per-organization basis.
  5. Save the credential. You’re now ready to set up and activate the connection to bring in data from Shodan.

Step 2: Set up and activate the Shodan connection to sync data

After you add your Shodan credential, you’ll need to set up a connection to sync your data from Shodan. A connection requires you to set a schedule and choose a site. The schedule determines when the sync occurs, and the site determines where any new Shodan-only assets are created.

  1. Activate a connection to Shodan. You can access all available third-party connections from your inventory or tasks page.
  2. Choose the credential you added earlier. If you don’t see the credential listed, make sure the credential has access to the organization you are currently in.
  3. Enter a name for the task, like Shodan sync.
  4. Schedule the sync. A sync can be set to run on a recurring schedule or run once. The schedule will start at the date and time you have set.
  5. Under Task configuration, choose the site you want to add your assets to.
  6. Activate the connection when you are done. The sync will run on the defined schedule. You can always check the tasks page to see when the next sync will occur.

Step 3: View Shodan assets and services

After a successful sync, you can go to your inventory to view your Shodan assets. These assets will have a Shodan icon listed in the Source column.

The Shodan integration gathers details about services in addition to enriching asset inventory data. Go to Inventory > Services to view the service data provided by Shodan.

To filter by Shodan assets or services, consider running the following queries:

Click into each asset or service to see its individual attributes. runZero will show you the attributes returned by the Shodan Search API.