Opening Problem Statement
Meet David, a security analyst at a mid-sized company responsible for monitoring the organization’s network for suspicious activity. Every Monday morning, David wastes hours manually pulling lists of IP addresses monitored by his Intrusion Prevention System (IPS), querying Shodan for open ports on each IP, and investigating any unexpected open services that might indicate a security threat. This tedious, repetitive process often leads to delays in detecting vulnerabilities and wastes precious time that could be spent on incident response.
David’s manual tracking also risks human error, such as missing a critical open port or misreporting a service. The company’s incident response is sometimes slow because alerts arrive late due to this manual process, potentially exposing the organization to prolonged security risks.
To enhance security posture and save David precious hours weekly, an automated workflow is needed that can integrate with Shodan’s API, fetch current monitored IPs and ports, scan each IP for open services, detect anomalies, and generate actionable alerts in a security platform.
What This Automation Does
This unique n8n workflow, scheduled to run every Monday, automates how David monitors IP addresses and their open ports through Shodan and integrates findings with TheHive security incident response platform.
- Fetches Watched IPs and Ports: Retrieves the list of IP addresses and ports that need monitoring from an internal system or IPS.
- Queries Shodan for Each IP: Uses Shodan’s API to scan each IP address for current open ports and services.
- Splits and Analyzes Services: Breaks down the data to analyze each service running on the ports individually.
- Filters Unexpected Ports: Detects any open ports that are not expected or watched, highlighting potential security issues.
- Formats Data as Markdown Table: Converts port and service data into an easy-to-read Markdown table for reporting clarity.
- Creates Alerts in TheHive: Automatically generates alerts with detailed descriptions when unexpected open ports are found, enabling rapid incident response.
By automating this process, David saves approximately 3-4 hours each week and reduces missed security alerts, improving his team’s ability to respond swiftly and efficiently.
Prerequisites ⚙️
- n8n automation platform – used to build and run the workflow.
- Shodan API Key 🔑 – needed to query Shodan for IP and port scanning.
- Access to your internal system or database – an endpoint or webhook that provides the current list of IPs and ports monitored.
- TheHive account and API credentials 🔐 – to post security alerts.
Step-by-Step Guide
Step 1: Set Up Schedule Trigger Node
In n8n, start by adding a Schedule Trigger node. Navigate to the node panel, select Schedule Trigger, then configure it to run every Monday at 5 AM. This will kick off the weekly automated scan.
Common Mistake: Forgetting to set the time zone correctly, which can cause the workflow to run at the wrong time.
Step 2: Retrieve Watched IPs and Ports
Add an HTTP Request node named Get watched IPs & Ports. Configure it to perform a GET request to your internal API or webhook URL that returns the list of IPs and monitored ports in JSON format, e.g.:
[
  { "ip": "116.202.106.35", "ports": [5678, 80] },
  { "ip": "188.114.96.9", "ports": [8080, 80] }
]
Expected Outcome: The node fetches structured data to process for each IP.
Common Mistake: Using a URL that doesn’t return the correct JSON format or forgetting authentication if required.
Step 3: Split IPs for Individual Processing
Insert the Split In Batches node labeled For each IP to process each IP address one by one. Set the batch size to 1 to avoid API rate limits and allow detailed analysis per IP.
Step 4: Query Shodan for Open Ports (HTTP Request Node)
Add an HTTP Request node named Scan each IP. Configure it with the URL parameterized to query Shodan’s host API endpoint for each IP, e.g., https://api.shodan.io/shodan/host/{{ $json.ip }}. Authenticate using your Shodan API key stored in n8n credentials; Shodan expects the key as the key query parameter rather than in a header.
Expected Outcome: Data about the IP’s open ports and services is returned for analysis.
Common Mistake: Missing or invalid API credentials causing authentication errors.
Step 5: Extract Open Services Data
Use the Item Lists node called Split out services to split the array of port service data into individual items so each port service can be inspected separately.
Step 6: Filter Unexpected Ports
Configure a Filter node called Unexpected port? to check if the port from Shodan results is included in the original list of expected ports from the monitored IPs. The condition uses a boolean expression:
= {{ $('For each IP').item.json.ports.includes($json.port) }}
This expression is true when the port is already in the watched list, so configure the filter to pass items only when it evaluates to false. That way only unexpected ports (those not in the allowed list) continue on to alert creation.
Step 7: Prepare Data for Reporting
Add a Set node called Set data to post for each port to assemble details about the IP, hostnames, port, description, and service data. This data will be the payload for reporting and alerting.
Step 8: Convert Data to HTML Table
Use the HTML node named Convert to table with the operation set to convertToHtmlTable. This node converts the structured data on ports and services into an HTML table for clear presentation.
Step 9: Convert HTML to Markdown
Add a Markdown node titled Convert to Markdown. Input the HTML table and configure it to produce a Markdown version of the table, facilitating easy readability in alerts and reports.
Step 10: Create Alerts in TheHive
Add a TheHive node named Create TheHive alert. Configure it with your TheHive API credentials and set it to post detailed alert information about unexpected open ports, including the Markdown table and related IP details.
Expected Outcome: Security analysts receive standardized alerts to investigate promptly.
Step 11: Loop Back for Complete Processing
The workflow loops back to the For each IP node to continue processing all IP addresses in the list one after another, ensuring comprehensive scanning.
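The core of Steps 4 through 11 (scan result in, unexpected ports out, Markdown table and alert body built) as plain JavaScript, the language n8n expressions and Code nodes use. This is an added example, not the template's own nodes: the Shodan responses and the watched list are constructed samples, the alert field names follow TheHive's alert API, and the sourceRef naming convention is an assumption.

```javascript
// Constructed sample, same shape as the Step 2 JSON.
const WATCHED = [
  { ip: "116.202.106.35", ports: [5678, 80] },
  { ip: "188.114.96.9", ports: [8080, 80] },
];

// Constructed samples modeled on the /shodan/host/{ip} response:
// each entry in `data` is one service banner.
const SHODAN_RESULTS = {
  "116.202.106.35": { hostnames: ["app.example.test"], data: [
    { port: 80, transport: "tcp", product: "nginx" },
    { port: 5678, transport: "tcp", product: "n8n" },
    { port: 22, transport: "tcp", product: "OpenSSH" } ] },
  "188.114.96.9": { hostnames: [], data: [
    { port: 8080, transport: "tcp", product: "Apache httpd" },
    { port: 80, transport: "tcp", product: "Apache httpd" } ] },
};

// Step 6: same test as the filter expression, negated so unexpected ports pass.
function unexpectedServices(watched, host) {
  return host.data.filter(svc => !watched.ports.includes(svc.port));
}

// Steps 8-9: render the unexpected services as a Markdown table.
function toMarkdownTable(services) {
  const rows = services.map(s => `| ${s.port} | ${s.transport} | ${s.product || "unknown"} |`);
  return ["| Port | Transport | Product |", "| --- | --- | --- |", ...rows].join("\n");
}

// Step 10: alert body. sourceRef is an assumed convention that makes repeat
// findings deduplicate instead of piling up as new alerts every Monday.
function buildAlert(watched, host, services) {
  return {
    type: "unexpected-port", source: "shodan",
    sourceRef: `shodan-${watched.ip}-${services.map(s => s.port).join("-")}`,
    title: `Unexpected open port(s) on ${watched.ip}`,
    severity: 2,
    tags: ["shodan", "unexpected-port"],
    description: `Hostnames: ${host.hostnames.join(", ") || "none"}\n\n${toMarkdownTable(services)}`,
  };
}

// Step 11: one pass over every watched IP, one alert per IP with findings.
function runScan(watched, results) {
  const alerts = [];
  for (const w of watched) {
    const host = results[w.ip];
    if (!host) continue; // Shodan has no record for this IP; nothing to compare
    const svcs = unexpectedServices(w, host);
    if (svcs.length) alerts.push(buildAlert(w, host, svcs));
  }
  return alerts;
}
```

Running runScan(WATCHED, SHODAN_RESULTS) yields a single alert, for port 22 on 116.202.106.35; the second host exposes only its watched ports and produces none.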
Customizations ✏️
- Change Trigger Frequency: In the Schedule Trigger node, adjust the interval to daily or monthly scans depending on your organizational needs.
- Add Additional Data Filtering: Extend the Unexpected port? filter node to also check service descriptions or banners for suspicious keywords.
- Integrate with Slack or Email: After the Create TheHive alert node, add a Slack or Gmail node to notify security teams instantly.
- Enhance Error Handling: Add error handling nodes after HTTP requests to log connection issues or API rate limits to a monitoring dashboard.
- Expand Data Sources: Modify the Get watched IPs & Ports node to pull from multiple API endpoints or databases for more comprehensive coverage.
Troubleshooting 🔧
Problem: API authentication failed for Shodan requests
Cause: Incorrect or missing Shodan API key credentials.
Solution: Go to the Credential section in n8n, ensure your Shodan API key is correctly entered, linked to the HTTP Request node, and active.
Problem: “Unexpected port?” filter node does not filter correctly
Cause: The boolean expression referencing ports array is syntactically incorrect or referencing wrong node outputs.
Solution: Review the filter condition expression = {{ $('For each IP').item.json.ports.includes($json.port) }} and test with debug data to confirm it correctly matches allowed ports. Remember that the expression is true for allowed ports, so the filter must pass items where it is false.
Problem: TheHive alert not creating or no alert visible
Cause: Incorrect TheHive API credentials or improper field mapping in the node.
Solution: Verify TheHive credential setup in n8n, test connection manually, and ensure the alert fields like title, description, and tags are properly populated.
Pre-Production Checklist ✅
- Test the internal IP list API to verify correct JSON structure and data format.
- Ensure Shodan API key is active and has quota to support the scan volume.
- Validate TheHive credential for proper permissions to create alerts.
- Run workflow manually once with reduced IP set to observe responses and data outputs at each stage.
- Check for any API rate limit errors or node execution errors and fix before scheduling.
Deployment Guide
Once fully tested, activate the workflow in n8n. This ensures it runs automatically every Monday at 5 AM without manual intervention.
Monitor the workflow’s execution logs from n8n to confirm success or identify issues. Alert notifications in TheHive help keep security teams informed in real time.
If desired, customize the workflow to also send alerts via Slack or email for more visibility.
FAQs
- Can I use another threat intelligence platform instead of Shodan? Yes, but adaptations would be needed to change the HTTP Request node to the alternative API format.
- Does this workflow consume a lot of API credits? API consumption is proportional to the number of IPs scanned. Batched processing and scheduled intervals help control usage.
- Is the data sent to TheHive secure? Communication uses API tokens and HTTPS, ensuring data protection in transit.
- Can I monitor more IPs? Yes. Adjust the list source and batch size to fit your scaling needs.
Conclusion
By implementing this n8n workflow, David and security teams automate the crucial task of monitoring IP addresses and ports for unexpected open services using Shodan. This automation saves hours of manual work each week, ensures timely detection of potential threats, and integrates smoothly with TheHive for incident response readiness.
Next, consider extending the workflow by integrating additional alert channels or enriching data with vulnerability scanning results to further strengthen your security operations.
With this workflow, security monitoring becomes consistent, efficient, and proactive—just what a busy security analyst needs.