Ecosyste.ms: Awesome


https://github.com/mikoiv/MicrosoftSentinel-ShodanMonitor

Ingesting Shodan Monitor Alerts to Microsoft Sentinel

README

# MicrosoftSentinel-ShodanMonitor

## Introduction

Shodan Monitor is a service for Shodan subscribers that can detect the following issues in publicly available networks and hosts:
* Services associated with ICS or IoT devices
* Compromised or malware-related services
* New open ports, uncommon open ports
* Open databases
* Known vulnerabilities
* Expired certificates

In brief, it is a service for managing your public attack surface, usually for your own assets.

This repository contains an Azure Logic App for ingesting Shodan Monitor alerts for querying, alerting and hunting in Microsoft Sentinel:

[![Log query](https://github.com/mikoiv/MicrosoftSentinel-ShodanMonitor/blob/main/Images/sentinel-logquery.png)](https://github.com/mikoiv/MicrosoftSentinel-ShodanMonitor/blob/main/Images/sentinel-logquery.png)

For further details and instructions, you can read the following writeup:

**https://secopslab.substack.com/p/shodan-monitor-alerts-to-microsoft**

## Deployment

[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmikoiv%2FMicrosoftSentinel-ShodanMonitor%2Fmain%2Fazuredeploy.json)

## Parameters

When deploying the template you have the following parameters to configure:

| Parameter | Description |
| ------------- | ------------- |
| **Resource Group** | Resource group for deployed resources |
| **Region** | Azure region for deployed resources |
| **Playbook Name** | Logic App name (default: ShodanMonitor-Sentinel) |
| **Log Analytics Connection Name** | API connection name (default: loganalyticsconnection-ShodanMonitor-Sentinel) |
| **Log Analytics Workspace ID** | Enter the unique ID of your Azure Log Analytics workspace |
| **Log Analytics Workspace Key** | Enter the primary or secondary key of your Azure Log Analytics workspace |

The webhook URL you need to give Shodan Monitor can be found in the Logic App's HTTP trigger after deployment.
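As an added example (not code from this repository), the following Python shows what the Log Analytics Workspace ID and Key parameters are used for. The Logic App's Log Analytics API connection forwards each alert to the Azure Monitor HTTP Data Collector API, which authenticates a request with an HMAC-SHA256 shared-key signature over the HTTP method, content length, content type, `x-ms-date` header and the `/api/logs` resource path. The workspace ID, key, `ShodanMonitor` log type and the alert fields below are constructed placeholders, and the code only builds and verifies the signed request offline; it sends nothing.

```python
import base64
import datetime
import hashlib
import hmac
import json

# Constructed placeholders; the real values are the template parameters
# "Log Analytics Workspace ID" and "Log Analytics Workspace Key".
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
WORKSPACE_KEY = base64.b64encode(b"constructed-example-key-not-a-real-secret").decode()
# Assumed custom log name; Log Analytics exposes it as a table with the suffix _CL.
LOG_TYPE = "ShodanMonitor"

# Constructed sample alert shaped like a Shodan Monitor webhook notification.
# Field names are assumptions for the example, not the service's schema.
SAMPLE_ALERT = {
    "alert_name": "example-network",
    "ip": "203.0.113.10",
    "port": 27017,
    "trigger": "open_database",
    "timestamp": "2024-01-01T00:00:00Z",
}

DATA_COLLECTOR_RESOURCE = "/api/logs"


def build_signature(workspace_id, shared_key, date, content_length,
                    method="POST", content_type="application/json",
                    resource=DATA_COLLECTOR_RESOURCE):
    """Build the 'SharedKey <workspace>:<base64 hmac>' Authorization value.

    The signed string is the canonical form the Data Collector API expects:
    method, content length, content type, the x-ms-date header and the resource.
    """
    string_to_hash = (
        f"{method}\n{content_length}\n{content_type}\n"
        f"x-ms-date:{date}\n{resource}"
    )
    decoded_key = base64.b64decode(shared_key)  # the workspace key is base64
    digest = hmac.new(decoded_key, string_to_hash.encode("utf-8"),
                      hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(alert, workspace_id=WORKSPACE_ID, shared_key=WORKSPACE_KEY,
                  log_type=LOG_TYPE, date=None):
    """Return (url, headers, body) for posting one alert as a custom log record."""
    body = json.dumps([alert]).encode("utf-8")  # the API takes a JSON array
    if date is None:
        date = datetime.datetime.now(datetime.timezone.utc).strftime(
            "%a, %d %b %Y %H:%M:%S GMT")  # RFC 1123 date, as the API requires
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": date,
    }
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           f"{DATA_COLLECTOR_RESOURCE}?api-version=2016-04-01")
    return url, headers, body


def verify_request(headers, body, workspace_id=WORKSPACE_ID,
                   shared_key=WORKSPACE_KEY):
    """Recompute the signature the way the receiving side does and compare it.

    A changed body length, date or key yields a different signature, so the
    check fails for altered or replayed-with-edits requests.
    """
    expected = build_signature(workspace_id, shared_key,
                               headers["x-ms-date"], len(body))
    return hmac.compare_digest(expected, headers["Authorization"])


if __name__ == "__main__":
    url, headers, body = build_request(SAMPLE_ALERT)
    print(url)
    print(json.dumps(headers, indent=2))
    print("signature verifies:", verify_request(headers, body))
```

Because the signature covers the content length and the date, a request whose body was altered in transit fails the check. The same property is why the workspace key must be treated as a secret: anyone holding it can write arbitrary records into the workspace, so restrict who can read the deployed API connection and rotate the key if it is exposed.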