Shodan
Important
Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Shodan is a search engine that allows users to find specific types of devices connected to the internet using various filters. It provides a global view of how certain devices are connected and can be used to discover which devices are connected to the internet, where they're located, and who is using them. You can use the Shodan plugins with Microsoft Copilot for Security to get enhanced visibility of their internet-facing assets and better detect threats and vulnerabilities.
If you do not have a Shodan membership and/or account, you can use the "Shodan InternetDB" plugin to retrieve IP information of open ports, hostnames, open ports, vulnerabilities. If you have a Shodan membership, you can use the "Shodan" plugin with your API key to get access to advanced capabilities that you're subscribed to.
Set up the Shodan plugin
Integration with Copilot for Security requires a Shodan membership and an API Key.
Get your Shodan API key. If you don't have one yet, follow these steps:
Go to your Shodan portal and sign in.
Select Account, and on the Account Overview tab, next to API Key, select Show.
Copy your API key.
Sign in to Microsoft Copilot for Security.
Access Manage Plugins by selecting the Plugin button from the prompt bar.
Next to Shodan, select the toggle to enable it.
In the Shodan Plugin settings pane, in the Value field, paste your API key.
Save your changes.
Use the Shodan plugin
After the Shodan plugin is configured, you can use it by typing Shodan in your Copilot for Security prompt bar.
The following table lists skills and example prompts to try:
| Skill | Example prompts |
|---|---|
Check Shodan InternetDB IP address(uses Shodan Internet DB Plugin) Ask Shodan InternetDB about an IP address Required: - ip |
Use the Shodan InternetDB database to provide info on "118.25.6.39"Check IP address "118.25.6.39" using Shodan InternetDB database |
CheckShodanHostIP(requires a Shodan membership) Accepts an IP address (v4 or v6) and provides information about the queried IP, including related country, last updated dates, hostnames, and ISP. Required: - ipOptional: - history- minify |
Check IP Address 8.8.8.8 using Shodan Use Shodan to check IP address 8.8.8.8 What does Shodan say about IP address 8.8.8.8? |
GetShodanHostCountBehaves like GetShodanHostSearch, except that it doesn't return any host results; instead, it returns the total number of results that matched the query and any facet information that was requested. This method doesn't consume query credits.Required: - queryOptional - facets |
What does Shodan know about the host count for port:22?Use Shodan to look up the host count for port:22 |
GetShodanHostSearch(requires a Shodan membership) Searches Shodan using the same query syntax as the website and uses facets to get summary information for different properties. This method might use API query credits depending on usage. If any of the following criteria are met, your account is deducted one query credit: - The search query contains a filter. - Accessing results past the first page using the page. For every 100 results past the first page, one query credit is deducted. Required: - queryOptional: - facets |
Search for hosts running port:22 using Shodan. Use Shodan to look up the hosts running port:22. |
GetShodanHostSearchFacetsReturns a list of facets that can be used to get a breakdown of the top values for a property. |
List all search facets from Shodan records. What are all the Shodan search facets? |
GetShodanHostSearchFiltersReturns a list of search filters that can be used in the search query. |
List all filters that can be used when searching Shodan records.What are the Shodan search filters? |
GetShodanHostSearchTokensEnables you to determine which filters are being used by the query string and what parameters were provided to the filters. Required: - query |
Use Shodan to break down Raspbian port:22 into tokens.Get the Shodan host search tokens for Raspbian port:22. |
GetShodanPortsReturns a list of port numbers that the crawlers are looking for. |
List all ports that Shodan is crawling on the Internet.Get all Shodan ports. |
GetShodanProtocols Returns an object containing all the protocols that can be used when launching an Internet scan. |
List all protocols that can be used when performing on-demand Internet scans via Shodan.What protocols can be used with Shodan? |
GetShodanScans(requires a Shodan membership) Returns a list of all the on-demand scans that are currently active on the account. |
Get list of all the created scans via Shodan.What are all the scans created by Shodan? |
GetShodanScansID(requires a Shodan membership) Checks the progress of a previously submitted scan request. Possible values for the status are: - SUBMITTING- QUEUE- PROCESSING- DONERequired: - id |
Get the status of the scan request DQdcm6QYgENbGj0R using Shodan.What does Shodan say about the scan request DQdcm6QYgENbGj0R? |
GetShodanAlertIDInfo(requires a Shodan membership) Returns information about a specific network alert. Required: - id |
Get the details for the network alert 0DC55K0N2HHZS3D1 using Shodan.What does Shodan say about the network alert 0DC55K0N2HHZS3D1? |
GetShodanAlertsInfo(requires a Shodan membership) Returns a list of all the network alerts that are currently active on the account. |
Get a list created alerts using Shodan.What are all the created alerts in Shodan? |
GetShodanAlertTriggersReturns a list of all the triggers that can be enabled on network alerts. |
Get a list of available triggers using Shodan.What are all the available triggers in Shodan? |