Shodan® is a search engine for Internet-connected devices that analyzes service banner information from connected devices all around the globe. Service banners include information about a computer system, such as host name, device type, operating system, geographic location, and connected ISP. When integrated with ServiceNow Security Operations, this service banner information provides additional enrichment data and insight for security incidents or investigations.
- Automatic enrichment lookups are run on selected observables upon incident creation.
- After the application is configured, the workflow launches automatically, and Shodan lookup execution and completion status are recorded in work notes.
- Observables can be looked up manually by adding them to the Security Incident form and launching workflows.
- Results are displayed in the Network Banners and Observable Enrichment tabs under Related Links.
Changed:
- Migrated Enrichment workflow to subflow.
Plugins:
The following plugin for Threat Intelligence must be installed and activated:
- com.snc.threat.intelligence
The following Security Incident Response plugins must be installed and activated:
- com.snc.security_support.common
- com.snc.security_incident
- com.snc.intel_sharing.client
- com.snc.secops.orchestration
- com.snc.threat
Permissions and roles
- Role required: System Admin (admin) or Security Admin (sn_si.admin)
Workflow
The security operations integrations capabilities framework, used with the Shodan integration, provides a high-level workflow that is independent of the integration vendor. The workflow performs enrichment on selected observables, specifically IP addresses, URLs and file hashes. The application checks for new observables every five minutes. Observables of a type recognized by the Shodan API Integration are enriched.
Components created by the application
List of script includes:
- ShodanConfiguration
- ShodanIntegration
List of newly defined tables:
- Network Banner
- Location
List of modules:
- Network Banner
The scope(s) used:
- sn_sec_shodan