Weekly Shodan Query Report Accidents no function node

This workflow monitors the IP addresses and ports of the enterprise's internal systems automatically every week. It uses the Shodan API to look up open ports and services and promptly flags any port that is open but not expected. The findings are organized into a Markdown report, which is then pushed to TheHive platform for quick response. Its core advantages lie in enhancing monitoring efficiency, reducing human oversight, ensuring network security, and helping the security team stay informed about potential risks, thereby building an efficient security protection system.

Workflow Diagram
(Workflow diagram image: Weekly_Shodan_Query___Report_Accidents__no_function_node_)

Workflow Name

Weekly_Shodan_Query___Report_Accidents__no_function_node_

Key Features and Highlights

This workflow automatically retrieves the list of IP addresses and their respective ports to be monitored from an internal system. It leverages the Shodan API to look up each IP, identifying open ports and running services. Ports that are open but not on the expected list are automatically singled out, and the anomalous port information is compiled into a Markdown-formatted table. Finally, security alerts are generated and pushed to TheHive security incident response platform, enabling automated detection and rapid response to port anomalies.

Core Problems Addressed

Manual monitoring of IP ports and services is inefficient, prone to omissions, and slow to respond. This workflow automates scanning and comparison processes, helping security teams promptly detect abnormal open ports within the network, thereby preventing potential security risks and intrusions. It significantly enhances the speed of security incident detection and response capabilities.

Application Scenarios

  • Port monitoring and anomaly detection of critical assets by Enterprise Security Operations Centers (SecOps)
  • Network security audits and periodic exposure surface reviews
  • Automated triggering of security incidents and alerting systems
  • Integration with security incident management platforms (e.g., TheHive) for security automation workflows

Main Workflow Steps

  1. Scheduled Trigger: The workflow is initiated automatically every Monday on a fixed schedule.
  2. Retrieve Monitored IPs and Ports: Calls an internal system’s webhook API to obtain the list of IP addresses and their monitored ports.
  3. Batch Processing of IPs: Processes each IP address sequentially so that Shodan API calls are not issued all at once.
  4. Invoke Shodan API Scan: Queries each IP for open ports and running service information.
  5. Service List Splitting: Breaks down each port’s service details from the scan results into individual entries.
  6. Filter Anomalous Ports: Checks each open port against the expected list for that IP and keeps only the unexpected ones.
  7. Data Organization: Structures anomalous port information (IP, port, hostname, description, etc.) for output.
  8. Format Conversion: Converts the data into an HTML table, then transforms it into Markdown format for easy reading and reporting.
  9. Security Alert Creation: Pushes the anomalous port information as alerts to TheHive platform for security personnel to follow up and handle.
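Steps 5 through 8 are where the detection logic lives. The following is an added example (not code from the workflow or from n8n) that shows the comparison and formatting outside of n8n: the expected-port list and the Shodan host results are constructed sample data in the shape of the internal webhook and Shodan's per-host lookup, and an IP with no expected-port entry has every open port reported.

```python
# Constructed sample data (not from the original page). Shapes mirror the internal
# webhook (IP -> expected ports) and Shodan's host lookup ("data" = one entry per port).
MONITORED_ASSETS = {
    "198.51.100.10": [80, 443],
    "198.51.100.11": [22],
}

SHODAN_RESULTS = {
    "198.51.100.10": {
        "hostnames": ["www.example.test"],
        "data": [
            {"port": 80, "transport": "tcp", "product": "nginx"},
            {"port": 443, "transport": "tcp", "product": "nginx"},
            {"port": 3389, "transport": "tcp", "product": "Remote Desktop Protocol"},
        ],
    },
    "198.51.100.11": {
        "hostnames": [],
        "data": [
            {"port": 22, "transport": "tcp", "product": "OpenSSH"},
            {"port": 6379, "transport": "tcp", "product": "Redis"},
        ],
    },
}

def find_unexpected_ports(expected, results):
    """Steps 5-7: flatten each host's service list, keep ports not on the allow-list."""
    findings = []
    for ip, host in results.items():
        allowed = set(expected.get(ip, []))  # IP missing from the list: every port is unexpected
        hostname = ", ".join(host.get("hostnames", [])) or "-"
        for svc in host.get("data", []):
            port = svc.get("port")
            if port in allowed:
                continue
            desc = f"{svc.get('transport', '?')}/{svc.get('product') or 'unknown service'}"
            findings.append({"ip": ip, "port": port, "hostname": hostname, "description": desc})
    return findings

def to_markdown_table(findings):
    """Step 8: render findings as the Markdown table that becomes the alert body."""
    if not findings:
        return "No unexpected open ports this week."
    lines = ["| IP | Port | Hostname | Description |", "|---|---|---|---|"]
    for f in findings:
        lines.append(f"| {f['ip']} | {f['port']} | {f['hostname']} | {f['description']} |")
    return "\n".join(lines)
```

In the real workflow the Markdown string is what lands in the TheHive alert description; a run with no findings should skip alert creation rather than push an empty table.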

Involved Systems and Services

  • Shodan: Internet-connected device search engine used to query open ports and service information of IPs.
  • Internal Webhook API: Provides the list of IPs and ports to be monitored.
  • TheHive: Open-source security incident response and case management platform used to receive and manage security alerts.
  • n8n Automation Platform: Supports workflow scheduling, HTTP requests, data processing, format conversion, and integration for alert pushing.

Target Users and Value

  • Security Operations Teams: Reduce manual inspection workload and improve risk detection efficiency through automation.
  • Network Administrators: Gain real-time visibility into network port status and promptly identify misconfigurations.
  • Security Analysts and Response Teams: Receive structured anomalous port alerts for rapid threat response.
  • Enterprises and Organizations: Ensure the security of critical assets, reduce potential attack surfaces, and enhance overall network security situational awareness.

Through automation and integration, this workflow provides continuous monitoring and alerting for network port anomalies, helping teams build an efficient and scalable security defense system.