JUHE API Marketplace

Weekly_Shodan_Query___Report_Accidents__no_function_node_

Automated workflow for Shodan that runs weekly to monitor and report unexpected open ports on specified IP addresses. It fetches IP and port data, scans for services, filters for anomalies, and formats findings into a Markdown report. Alerts are then created in TheHive for immediate incident response, enhancing network security and oversight.

Workflow Overview

This workflow is ideal for:

  • Network Security Analysts: To monitor and identify unexpected open ports in their network.
  • IT Security Teams: To automate the process of checking IP addresses and ports for vulnerabilities.
  • System Administrators: To ensure that only authorized services are running on their servers.
  • Incident Response Teams: To quickly respond to security alerts generated by unexpected open ports.

This workflow addresses the challenge of monitoring network integrity by automating the detection of unexpected open ports on monitored IP addresses. It provides a systematic approach to identify potential security risks, ensuring that organizations can respond proactively to threats. By integrating with Shodan, it leverages real-time data to enhance network security.

  1. Scheduled Trigger: The workflow initiates every Monday at 5 AM to ensure regular monitoring.
  2. Get Watched IPs & Ports: It fetches a list of IP addresses and their associated ports from a security system, expecting data in a specific JSON format.
  3. Iterate Through IP Addresses: The workflow loops over the list and processes one IP address at a time.
  4. Scan Each IP: For each IP, it queries the Shodan API to retrieve details about the services running on the specified ports.
  5. Split Out Services: The response is parsed to extract the services for further analysis.
  6. Check for Unexpected Ports: A filter checks if the ports returned are expected; if not, the workflow proceeds to set data for reporting.
  7. Prepare Data for Markdown Table: Information about the IP, hostnames, port, and description is formatted for reporting.
  8. Convert to HTML Table: The data is converted into an HTML table format for better visualization.
  9. Convert to Markdown: The HTML table is then transformed into a Markdown format for easy integration into reports.
  10. Create Alert in TheHive: If unexpected open ports are found, an alert is created in TheHive for incident management.
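
The filtering and reporting steps (5 to 9) can be illustrated in plain Python. This is an added example, not the workflow's own nodes: the watch-list shape and both sample records are constructed, the field names `ip_str`, `hostnames`, `data[].port`, `transport` and `product` follow Shodan's host lookup response, and the table is rendered straight to Markdown without the intermediate HTML step.

```python
# Assumed watch-list format (constructed): one entry per IP with its approved ports.
WATCHED = [
    {"ip": "192.0.2.10", "ports": [22, 443]},
    {"ip": "192.0.2.20", "ports": [25]},
]
# Constructed stand-ins for Shodan host lookups, trimmed to the fields used here.
SHODAN_HOSTS = {
    "192.0.2.10": {
        "ip_str": "192.0.2.10",
        "hostnames": ["web.example.com"],
        "data": [
            {"port": 22, "transport": "tcp", "product": "OpenSSH"},
            {"port": 443, "transport": "tcp", "product": "nginx"},
            {"port": 6379, "transport": "tcp", "product": "Redis | key-value store"},
        ],
    },
    "192.0.2.20": {"ip_str": "192.0.2.20", "hostnames": [], "data": [
        {"port": 25, "transport": "tcp", "product": "Postfix smtpd"}]},
}

def unexpected_services(watched, hosts):
    """Return one row per observed service whose port is not on the watch-list."""
    rows = []
    for entry in watched:
        host = hosts.get(entry["ip"])
        if host is None:                            # no Shodan record for this IP
            continue
        allowed = {int(p) for p in entry["ports"]}  # tolerate "443" as well as 443
        for svc in host.get("data", []):
            if int(svc["port"]) not in allowed:
                rows.append({
                    "ip": host["ip_str"],
                    "hostnames": ", ".join(host.get("hostnames", [])) or "-",
                    "port": f'{svc["port"]}/{svc.get("transport", "tcp")}',
                    "description": svc.get("product") or "unknown",
                })
    return rows

def to_markdown(rows):
    """Render rows as a Markdown table; escape '|' so banner text cannot break cells."""
    cell = lambda v: str(v).replace("|", "\\|").replace("\n", " ")
    keys = ("ip", "hostnames", "port", "description")
    lines = ["| IP | Hostnames | Port | Description |", "|---|---|---|---|"]
    lines += ["| " + " | ".join(cell(r[k]) for k in keys) + " |" for r in rows]
    return "\n".join(lines)

if __name__ == "__main__":
    findings = unexpected_services(WATCHED, SHODAN_HOSTS)
    if findings:              # the TheHive alert of step 10 would be raised only here
        print(to_markdown(findings))
```

Banner fields come from remote hosts, so the escaping in `to_markdown` matters: an unescaped `|` or newline in a product string would corrupt the table shown to the analyst in the alert.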

Statistics

  • Nodes: 15
  • Downloads: 0
  • Views: 25
  • File Size: 72730
