Integration with third-party sources such as Shodan.io gives you an outside-in view of your assets that are exposed to the internet: it tags known ‘managed’ assets, identifies unknown assets, and enables security risk assessment.
With this capability, you can:
- Pull customer-specific public data from Shodan
- Display it in the Asset Inventory and Asset Details
- Create Unmanaged Assets to track newly identified endpoints
- Enable contextual queries
Follow these steps to activate Shodan for your subscription:
1) From the Home tab, navigate to Discover and Inventory > Expand your Inventory > Integrate with External Sources to view the Assets visible on Shodan card.
2) On the Assets visible on Shodan card, click Request Shodan.
3) Next, read the terms and conditions and click I Accept.
4) You will receive an email requesting approval to activate Shodan for your subscription. Respond to the email with your approval.
Note: Alternatively, to approve the activation, log into your subscription, click Help > Contact Support, and under the Cases tab, find the case number mentioned in your email.
You’ll see this screen until Shodan is activated.
5) Once Shodan is activated for your subscription, you can configure Shodan to import assets.
If you're a Federal user, contact Qualys Support to activate Shodan.
Once Shodan is activated for Federal users, you can configure Shodan to import assets.
Once Shodan is activated, configure filters to import assets from Shodan to your inventory. Click the Configure Shodan link on the Assets visible on Shodan card to view the Manage Shodan Configuration pop-up.
How do the filter criteria work in the configuration?
AND Operator: Applies when the "Type" and "Filter" criteria are different across multiple rows. For example, the first two rows shown in the above screenshot (Include 'Org'='Qualys' AND 'Country'='US').
OR Operator: Applies when the "Type" and "Filter" criteria are the same across multiple rows. For example, the last three rows shown in the above screenshot (Include 'Country'='US' OR 'Country'='IN' OR 'Country'='CA').
Combination of AND + OR Operators: Applies when the "Type" and "Filter" criteria are the same for some rows and different for others. For example, consider the entire table, in which the first two rows shown in the above screenshot are different while the last three rows are the same (Include 'Org'='Qualys' AND 'Country'='US' OR 'Country'='IN' OR 'Country'='CA').
Filter Type: Include or Exclude
Filters:
Filter | Attributes in Shodan | Description | Examples |
Org | Organization | Name of the organization that owns the IP space | Google LLC |
Domain | Hostname | Domain of the Shodan assets | google.com |
Cert | ssl.cert.subject.cn | Certificate | cadz02.canadadz.com |
IP | IP | Alias for net filter string | 34.120.218.237 |
City | City | Name of the city | Kansas City |
Country | Country | 2-letter country code | US (Country code for USA) |
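The row-combination rules above can be checked offline against sample data before a configuration is saved. The following Python is an added example, not Qualys code: it assumes rows sharing a filter are ORed first and the per-filter groups are then ANDed, that any matching Exclude row drops a record, and that the record layout, function names, and sample records are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Filter name -> key in a flattened record (constructed layout, an assumption).
FIELD = {"Org": "org", "Domain": "hostnames", "Cert": "cert_cn",
         "IP": "ip", "City": "city", "Country": "country"}

def row_matches(record, ftype, value):
    """True if one filter row matches the record."""
    actual = record.get(FIELD[ftype])
    if actual is None:
        return False
    if ftype == "IP":  # net-style filter: a single address or a CIDR block
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    values = actual if isinstance(actual, list) else [actual]
    return any(str(a).lower() == value.lower() for a in values)

def groups_match(record, rows):
    """OR the rows that share a filter, then AND the per-filter results."""
    groups = defaultdict(list)
    for ftype, value in rows:
        groups[ftype].append(value)
    return all(any(row_matches(record, f, v) for v in vals)
               for f, vals in groups.items())

def selected(record, rules):
    """rules: (filter_type, filter, value) rows; filter_type is Include or Exclude."""
    include = [(f, v) for t, f, v in rules if t == "Include"]
    exclude = [(f, v) for t, f, v in rules if t == "Exclude"]
    if not include or not groups_match(record, include):
        return False
    # Assumption: a record matching any Exclude row is dropped.
    return not any(row_matches(record, f, v) for f, v in exclude)

# The four Include rows from the example above.
RULES = [("Include", "Org", "Qualys"), ("Include", "Country", "US"),
         ("Include", "Country", "IN"), ("Include", "Country", "CA")]

# Constructed sample records (documentation IP ranges), not real Shodan data.
RECORDS = [
    {"ip": "203.0.113.10", "org": "Qualys", "country": "IN", "hostnames": ["a.example.com"]},
    {"ip": "203.0.113.20", "org": "Qualys", "country": "DE", "hostnames": []},
    {"ip": "198.51.100.5", "org": "Other Org", "country": "IN", "hostnames": []},
]

def imported_ips(rules):
    """IPs of the sample records that the rule set would import."""
    return [r["ip"] for r in RECORDS if selected(r, rules)]

if __name__ == "__main__":
    print(imported_ips(RULES))
```

Under this grouping the third record is not imported even though its country is 'IN', because the 'Org' group must also match; reading the expression strictly left to right would have let it through.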
Once you have added or updated the proper filter criteria, click Validate and Save to import assets into your inventory. After you validate and save your filter, the sync will start within a couple of hours. This sync automatically repeats every 2 days. Once assets are imported, you'll see them on the Home and Inventory tabs.
Managed Assets: Assets imported from Shodan that are already available in your inventory (detected through other Qualys inventory sources). These assets are displayed with the 'Shodan' tag. For managed assets, the source is the Qualys inventory sources that detected them.
Unmanaged Assets: Assets imported from Shodan only. These assets are displayed with the 'Shodan' and 'Unmanaged' tags. The source for these assets is 'SHODAN' in the inventory list.
- If your asset is listed under the 'Unmanaged' category (discovered from Shodan) and the same asset is later discovered from Qualys inventory sources (QAGENT, GCP, etc.), then after the next Shodan sync scan:
  - The 'Unmanaged' asset will be moved to the 'Managed' category
  - The asset listed under the 'Managed' category will be tagged with 'Shodan'