Shodan Integration

Has anyone managed to get Shodan.io alerts into Elastic SIEM? I'm trying to use kubi-ecs-logger logging library and the shodan python api to send ECS alerts and wondered if anyone is interested in collaborating?


Ok, I've figured out a crude implementation. In summary:

  • Setup shodan to monitor for new_services / unknown
  • run the shodan cli: shodan stream --alert=all --compresslevel 0 --datadir=/local
  • run a filebeat prospector with the following config:

filebeat.inputs:
- type: log
  paths:
    - "/local/*"
  json.add_error_key: true
  fields_under_root: true
  fields:
    event:
      type: "change"
      kind: "alert"
      module: "shodan"
      category: "network"

TODO

  • fields are not yet mapped to the Elastic Common Schema - a python script needs to be written to poll the API and map shodan fields to ECS

Here is the result:

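The ECS mapping step listed under TODO, as an added example that is not from this thread or from kubi-ecs-logger: a small Python function that turns one Shodan banner record (one JSON line as written to /local by shodan stream) into a nested ECS document filebeat can ship. The Shodan field names are the banner schema's; the sample record, the choice to model the scanned host as destination.* and the custom shodan.* namespace are my assumptions.

```python
from datetime import datetime, timezone
# Constructed sample: field names follow Shodan's banner schema, values are made up.
SAMPLE_BANNER = {
    "ip_str": "203.0.113.10", "port": 8080, "transport": "tcp", "hostnames": ["web.example.net"],
    "timestamp": "2020-05-01T12:00:00.123456", "org": "Example Org", "asn": "AS64496",
    "product": "nginx", "version": "1.18.0", "data": "HTTP/1.1 200 OK\r\n", "_shodan": {"module": "http"},
}
# Straight copies (ECS field, Shodan field): scanned host -> destination.* (Shodan is the
# connecting side); fields with no ECS home go under an assumed custom shodan.* namespace.
DIRECT = [("destination.ip", "ip_str"), ("destination.port", "port"),
          ("network.transport", "transport"), ("destination.as.organization.name", "org"),
          ("related.hosts", "hostnames"), ("message", "data"),
          ("shodan.product", "product"), ("shodan.version", "version")]

def set_path(doc, path, value):
    """Set a dotted ECS field as nested JSON; skip empty values so no null keys get indexed."""
    if value in (None, "", [], {}):
        return
    *parents, leaf = path.split(".")
    node = doc
    for part in parents:
        node = node.setdefault(part, {})
    node[leaf] = value

def shodan_timestamp_to_ecs(ts):
    """Shodan timestamps are naive ISO-8601 in UTC; ECS @timestamp needs an explicit zone."""
    try:
        dt = datetime.fromisoformat(ts)
    except (TypeError, ValueError):
        dt = datetime.now(timezone.utc)  # missing or unparsable: fall back to ingest time
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.isoformat().replace("+00:00", "Z")

def asn_to_number(asn):
    """'AS64496' -> 64496 (ECS as.number is numeric); None when absent or malformed."""
    ok = isinstance(asn, str) and asn[:2].upper() == "AS" and asn[2:].isdigit()
    return int(asn[2:]) if ok else None

def banner_to_ecs(banner):
    """Build the ECS document for one record (one JSON line written by `shodan stream`)."""
    doc = {"event": {"kind": "alert", "category": ["network"], "type": ["change"],
                     "module": "shodan"}}  # same event.* values as the filebeat config above
    set_path(doc, "@timestamp", shodan_timestamp_to_ecs(banner.get("timestamp")))
    for ecs_field, shodan_field in DIRECT:
        set_path(doc, ecs_field, banner.get(shodan_field))
    set_path(doc, "destination.as.number", asn_to_number(banner.get("asn")))
    set_path(doc, "related.ip", [banner["ip_str"]] if banner.get("ip_str") else None)
    set_path(doc, "shodan.module", (banner.get("_shodan") or {}).get("module"))
    return doc
```

Writing `json.dumps(banner_to_ecs(record))` per line to a file under the filebeat input path lets the existing prospector ship the mapped documents unchanged; records missing fields simply omit those ECS keys.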

Hi hilt86,

Whoa, that is really cool! You should put what you have on a github project and make it into a python package for people to collaborate on?

With just what you have above, you should be able to create signals from it at this point. But enriching the data by transforming what makes sense into ECS will make it even more useful.

Yeah that would be cool - is there a python lib for ECS that would make this easier?