Synchronize with Shodan to Get Attack Surface Visibility

Integration with third-party sources like Shodan.io gives an outside-in view to find assets exposed to the internet, tagging known ‘managed’ assets, identifying unknown assets, and enabling security risk assessment.

With this capability, you can:

- Pull customer-specific public data from Shodan

- Display it in the Asset Inventory and Asset Details

- Create Unmanaged Assets to track newly identified endpoints

- Enable contextual queries

How to activate Shodan?

Following are the steps to activate Shodan for your subscription:

1) From the Home tab, navigate to Discover and Inventory > Expand your Inventory > Integrate with External Sources to view the Assets visible on Shodan card.

Shodan Activation

2) On the Assets visible on Shodan card, click Request Shodan.

3) Next, read the terms and conditions and click I Accept.

Shodan Terms and Conditions

4) You will receive an email requesting approval to activate Shodan for your subscription. Respond to the email with your approval.

Note: Alternatively, to approve the activation, log into your subscription, click Help > Contact Support, and under the Cases tab, find the case number mentioned in your email.

In progress

You’ll see this screen until Shodan is activated.

5) Once Shodan is activated for your subscription, you can configure Shodan to import assets.

Success

How to activate Shodan for Federal users

If you're Federal user, contact Qualys Support to activate shodan.

Once Shodan is activated for Federal users, you can configure Shodan to import assets.

How to import assets from Shodan?

Once Shodan is activated, configure filters to import assets from Shodan to your inventory. Click the Configure Shodan link on the Assets visible on Shodan card to view the Manage Shodan Configuration pop-up.

Shodan Configuration

How the filter criteria works in the configuration?

AND Operator: "Type" and "Filter" criteria is different for multiple rows. For example, first two rows shown in the above screenshot (Include 'Org'='Qulays' AND 'Country'='US')

OR Operator: "Type" and "Filter" criteria is same for multiple rows. For example, last three rows shown in the above screenshot (Include 'Country'='US' OR 'Country'='IN' OR 'Country'='CA')

Combination of AND + OR Operator: "Type" and "Filter" criteria is same as well as different for multiple rows. For example, consider entire table in which first two rows shown in the above screenshot are different while last three rows shown in the above screenshot are same  (Include 'Org'='Qualys' AND 'Country'='US' OR 'Country'='IN' OR 'Country'='CA') .

Filter Type: Include or Exclude

Filters:

Filter Attributes in Shodan Description Examples
Org Organization Name of the organization that owns the IP space Google LLC
Domain Hostname Domain of the Shodan assets google.com
Cert ssl.cert.subject.cn Certificate cadz02.canadadz.com
IP IP Alias for net filter string 34.120.218.237
City City Name of the city Kansas City
Country Country 2-letter country code US (Country code for USA)

 

Once you have added/updated proper filter criteria, click Validate and Save to import assets in your inventory. Once you validate and save your filter, your sync will start within couple of hours. This sync automatically repeats after every 2 days. Once assets are imported, you'll see it on Home and Inventory tab.

Shodan Assets

Managed Assets: Assets imported from Shodan which are already available in your inventory (detected through other Qualys inventory sources). These assets will be displayed with 'Shodan' tag. For the managed assets, source will be the Qualys inventory sources detected.

Managed Shodan Assets

Unmanaged Assets: Assets imported from Shodan only. These assets will be displayed with 'Shodan' and 'Unmanaged' tag. Source for these assets will be 'SHODAN' in the inventory list.

Unmanaged Shodan Assets

Good to know!

- If your asset is listed under the 'Unmanaged' category (discovered from Shodan) and if the same asset is later discovered from Qualys inventory sources (QAGENT, GCP, etc), after the next Shodan sync scan -

- The 'Unmanaged' asset will be moved to the 'Managed' category

- Asset listed under 'Managed' category will be tagged with 'Shodan'