Synchronize with Shodan to Get Attack Surface Visibility
Integration with third-party sources like Shodan.io gives an outside-in view to find assets exposed to the internet, tagging known ‘managed’ assets, identifying unknown assets, and enabling security risk assessment.
With this capability, you can:
- Pull customer-specific public data from Shodan
- Display it in the Asset Inventory and Asset Details
- Create Unmanaged Assets to track newly identified endpoints
- Enable contextual queries
- test content to be deleted
Important to Know!
- The Shodan activation is not supported for new users with a trial or paid subscription. Hence, the Assets Visible on Shodan tile is no longer shown on the Home Page. Instead, the External Attack Surface tile is shown.
Qualys CyberSecurity Asset Management (CSAM) provides comprehensive visibility in the form of External Attack Surface Management (EASM).
- The existing users who activated and configured Shodan can continue using it.
How to Import Assets from Shodan?
If Shodan is activated, configure filters to import assets from Shodan to your inventory. Click the Configure Shodan link on the Assets visible on Shodan card to view the Manage Shodan Configuration pop-up.
How the filter criteria works in the configuration?
AND Operator: "Type" and "Filter" criteria is different for multiple rows. For example, first two rows shown in the above screenshot (Include 'Org'='Qulays' AND 'Country'='US')
OR Operator: "Type" and "Filter" criteria is same for multiple rows. For example, last three rows shown in the above screenshot (Include 'Country'='US' OR 'Country'='IN' OR 'Country'='CA')
Combination of AND + OR Operator: "Type" and "Filter" criteria is same as well as different for multiple rows. For example, consider entire table in which first two rows shown in the above screenshot are different while last three rows shown in the above screenshot are same (Include 'Org'='Qualys' AND 'Country'='US' OR 'Country'='IN' OR 'Country'='CA') .
Filter Type: Include or Exclude
Filters:
| Filter | Attributes in Shodan | Description | Examples |
| Org | Organization | Name of the organization that owns the IP space | Google LLC |
| Domain | Hostname | Domain of the Shodan assets | google.com |
| Cert | ssl.cert.subject.cn | Certificate | cadz02.canadadz.com |
| IP | IP | Alias for net filter string | 34.120.218.237 |
| City | City | Name of the city | Kansas City |
| Country | Country | 2-letter country code | US (Country code for USA) |
Once you have added/updated proper filter criteria, click Validate and Save to import assets in your inventory. Once you validate and save your filter, your sync will start within couple of hours. This sync automatically repeats after every 2 days. Once assets are imported, you'll see it on Home and Inventory tab.
Managed Assets: Assets imported from Shodan which are already available in your inventory (detected through other Qualys inventory sources). These assets will be displayed with 'Shodan' tag. For the managed assets, the source will be the Qualys inventory sources detected.
Unmanaged Assets: Assets imported from Shodan only. These assets will be displayed with 'Shodan' and 'Unmanaged' tag. Source for these assets will be 'SHODAN' in the inventory list.
Note: If your asset is listed under the 'Unmanaged' category (discovered from Shodan) and if the same asset is later discovered from Qualys inventory sources (QAGENT, GCP, etc), after the next Shodan sync scan:
- The 'Unmanaged' asset will be moved to the 'Managed' category.
- The asset listed under 'Managed' category will be tagged with 'Shodan'