Shodan Monitor is a service for Shodan subscribers that can detect the following issues in publicly available networks and hosts:
- Services associated with ICS or IoT devices
- Compromised or malware-related services
- New open ports, uncommon open ports
- Open databases
- Known vulnerabilities
- Expired certificates
In brief it provides a service for managing public attack surface, usually for your own assets.
This repository contains an Azure Logic App for ingesting Shodan Monitor alerts for querying, alerting and hunting in Microsoft Sentinel:
For further details and instructions you can read the following writeup:
https://secopslab.substack.com/p/shodan-monitor-alerts-to-microsoft
When deploying the template you have the following parameters to configure:
| Parameter | Description |
|---|---|
| Resource Group | Resource group for deployed resources |
| Region | Azure region for deployed resources |
| Playbook Name | Logic App name (default: ShodanMonitor-Sentinel) |
| Log Analytics Connection Name | API connection name (default: loganalyticsconnection-ShodanMonitor-Sentinel) |
| Log Analytics Workspace ID | Enter the unique ID of your Azure Log Analytics workspace |
| Log Analytics Workspace Key | Enter the primary or secondary key of your Azure Log Analytics workspace |
The URL you need to provide Shodan Monitor can be found from the Logic App HTTP trigger, after deployment.