Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time
  API connector for Phantom

This App for Phantom security orchestrator provides access to information from

Suggested Use-Cases

This app can be used to check whether or not a given IP address is listening given ports. This allows us to gain information that is: credible, publicly accessible, and does not require a single packet to be sent to the target IP address.

For Example:

  • For alerts about an inbound connection, phantom can validate whether or not the service is publicly accessible.
  • For alerts regarding outbound connections (irc, smtp, ntp, etc.) this can be used to verify whether or not the host is hosting that service and what service is listening on that port.
  • Perform reconnaissance on internet hosts

Current Actions

  • query ip - Query shodan for observed services for a given IP
  • query domain - Query shodan for observed services for a given fqdn

Future Features

Currently, this app performs a lookup against a domain or ip address for open ports and services.

Future areas of expansion include:

  • Implement more specific checks to look for specific IP and Port
  • Implement checks to support IP ranges / CIDR blocks
  • Triggering on-demand scan for paid developer accounts
  • DNS forward and reverse resolution
  • Implement widgets (Webpage Thumbnails, etc.)


  1. Download a Phantom appliance from Phantom Cyber.
  2. Select "Import App" from the Administration / Apps tab.
    • Select the shodan.tgz file
    • Check "Replace an Existing app" if an older version is installed
  3. Obtain an API key from A free API key can be obtained from the website by registering and visiting your account page
  4. Configure the Shodan asset.
    • Product Vendor = ""
    • Product Name = ""
    • Set the "Shodan API Key" field in the phantom "Asset Settings" tab
  5. Configure the api_key in the json files located in the test_json directory (for CLI debugging)


About connector for Phantom Cyber Security Orchestration







No releases published


No packages published