User Guide

Synapse-Shodan User Guide

Synapse-Shodan adds new Storm commands to allow you to query the Shodan API using your existing API key.

Getting Started

Check with your Global Admin to enable permissions and find out if you need a personal API key.

Examples

Setting your personal API key

To set-up a personal use API key:

> shodan.setup.apikey --self myapikey
Setting Shodan API key for the current user.

Use shodan.search command to populate inet:flow nodes

You may use the shodan.search command to populate inet:flow nodes using Shodan search syntax. In the following example, we will populate up to 10 inet:flow nodes based on the search string Microtik:

> shodan.search --yield --size 2 Microtik
inet:flow=4c3eccf0f242b7fe8616f6f98482c5a2
        .created = 2025/11/03 19:43:59.727
        :dst = tcp://43.241.140.3:1723
        :dst:handshake = Firmware: 1
                         Hostname: Bhachau Microtik Server
                         Vendor: MikroTik
        :dst:ipv4 = 43.241.140.3
        :dst:port = 1723
        :dst:proto = tcp
        :time = 2021/08/19 05:31:26.780
        #rep.shodan.vpn
inet:flow=3455f780b8ac7bf61713733c15505adc
        .created = 2025/11/03 19:43:59.739
        :dst = tcp://84.47.142.34:1723
        :dst:handshake = Firmware: 1
                         Hostname: microtik
                         Vendor: MikroTik
        :dst:ipv4 = 84.47.142.34
        :dst:port = 1723
        :dst:proto = tcp
        :time = 2021/08/19 05:13:27.977
        #rep.shodan.vpn

This will also populate an it:exec:query node to represent the search query syntax:

> it:exec:query:text=Microtik +:language=shodan
it:exec:query=b7f65a04213e87f308affda79e637959
        .created = 2025/11/03 19:43:59.716
        :api:url = https://api.shodan.io/shodan/host/search
        :language = shodan
        :synuser = root
        :text = Microtik
        :time = 2025/11/03 19:43:59.690

The it:exec:query node will also be linked to the resulting inet:flow nodes via -(found)> light-weight edges:

> it:exec:query:text=Microtik +:language=shodan -(found)> inet:flow
inet:flow=4c3eccf0f242b7fe8616f6f98482c5a2
        .created = 2025/11/03 19:43:59.727
        :dst = tcp://43.241.140.3:1723
        :dst:handshake = Firmware: 1
                         Hostname: Bhachau Microtik Server
                         Vendor: MikroTik
        :dst:ipv4 = 43.241.140.3
        :dst:port = 1723
        :dst:proto = tcp
        :time = 2021/08/19 05:31:26.780
        #rep.shodan.vpn
inet:flow=3455f780b8ac7bf61713733c15505adc
        .created = 2025/11/03 19:43:59.739
        :dst = tcp://84.47.142.34:1723
        :dst:handshake = Firmware: 1
                         Hostname: microtik
                         Vendor: MikroTik
        :dst:ipv4 = 84.47.142.34
        :dst:port = 1723
        :dst:proto = tcp
        :time = 2021/08/19 05:13:27.977
        #rep.shodan.vpn

For query syntax details, see the Shodan Help Center.

Use of meta:source nodes

Synapse-Shodan uses a meta:source node and -(seen)> light weight edges to track nodes observed from the Shodan API.

> meta:source=2cb67376db10f495740634c682b98e81
meta:source=2cb67376db10f495740634c682b98e81
        .created = 2025/11/03 19:43:59.689
        :name = synapse-shodan

Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-Shodan. The following example shows how to filter the results of a query to include only results observed by Synapse-Shodan:

> #cool.tag.lift +{ <(seen)- meta:source=2cb67376db10f495740634c682b98e81 }