This workflow template facilitates threat intelligence enrichment by receiving an IP address from a parent workflow and querying Shodan for detailed information. It optimizes performance by first checking for cached responses from the last 24 hours. If the IP reputation is present in the cache, it returns the saved data; otherwise, it executes a Shodan search and stores the fresh results for future inquiries. It's designed to help security teams rapidly assess the threat level of an IP address while efficiently managing API call volumes.
Optional Triggers
This workflow is intended to be used as a function.
Use Cases
Function, Threat Intelligence Enrichment
Workflow Breakdown
Receives an IP Address as input.
Looks up global variables for cached responses from the past 24 hours.
If a reputation is found in the local cache, the saved data is returned to the parent workflow.
When no reputation is found in the cache, Shodan is queried, and a summary of the analysis data is created and saved with the original API data.
Vendors
Utils, Shodan, Torq
Workflow Output
Returns full analysis data and a summary of the information.
Tips
Set "Provide Raw Data Analysis" to true or false to add or remove the original vendor information in the output.
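The cache-first lookup from the Workflow Breakdown and the "Provide Raw Data Analysis" switch, sketched in Python as an added example (not the template's own implementation). The `cache` dict stands in for the workflow's global variables, `fetch` is a hypothetical stand-in for the Shodan step, and the sample record is constructed.

```python
import ipaddress
import time

CACHE_TTL_SECONDS = 24 * 60 * 60  # the 24-hour cache window described above

def summarize(raw):
    """Reduce a vendor host record to the fields an analyst triages on."""
    return {
        "ip": raw.get("ip_str"),
        "org": raw.get("org"),
        "country": raw.get("country_name"),
        "open_ports": sorted(raw.get("ports", [])),
        "tags": raw.get("tags", []),
    }

def enrich_ip(ip, cache, fetch, provide_raw=False, now=None):
    """Return (result, cache_hit); fetch runs only on a miss or a stale entry."""
    # Validate and normalize the parent workflow's input before it becomes
    # a cache key or an API parameter; raises ValueError on bad input.
    key = str(ipaddress.ip_address(ip))
    now = time.time() if now is None else now
    entry = cache.get(key)
    hit = entry is not None and now - entry["saved_at"] < CACHE_TTL_SECONDS
    if not hit:
        raw = fetch(key)
        # Save the summary together with the original API data.
        entry = {"saved_at": now, "summary": summarize(raw), "raw": raw}
        cache[key] = entry
    result = {"summary": entry["summary"]}
    if provide_raw:  # mirrors "Provide Raw Data Analysis"
        result["raw"] = entry["raw"]
    return result, hit

# Constructed sample record, shaped like a host lookup response.
SAMPLE = {"ip_str": "203.0.113.10", "org": "Example Hosting",
          "country_name": "Netherlands", "ports": [443, 22, 80],
          "tags": ["self-signed"]}

def make_fake_fetch():
    """Hypothetical vendor call that records how often it is invoked."""
    calls = []
    def fetch(ip):
        calls.append(ip)
        return dict(SAMPLE, ip_str=ip)
    return fetch, calls
```

Because the raw record is always stored, toggling the flag between calls never forces a new vendor query inside the 24-hour window.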