Automate Weekly Shodan IP and Port Monitoring with n8n

This n8n workflow automates the weekly monitoring of IP addresses and their open ports using Shodan, detecting unexpected open ports and generating alerts in TheHive for security teams.
Workflow Identifier: 1936
NODES in Use: Schedule Trigger, HTTP Request, Split In Batches, Item Lists, Filter, Set, HTML, Markdown, TheHive, Sticky Note

What this workflow does

This workflow runs every Monday to watch IP addresses and their open ports. It checks if any new, unexpected ports are open on those IPs using Shodan. When it finds extra ports, it makes alerts in TheHive so the security team can act fast.

The goal is to save time and avoid missing risks by doing this check automatically, not by hand.


Tools and Services Used

  • n8n automation platform: Runs the workflow, connects nodes.
  • Shodan API: Gets open port info for each IP.
  • Internal system API: Provides list of IPs and allowed ports to watch.
  • TheHive API: Receives alerts about unexpected open ports.

Inputs, Processing Steps, and Output

Inputs

  • List of monitored IP addresses and their allowed open ports from internal API.
  • Shodan API access to look up the open services recorded for each IP address.

Processing Steps

  1. Trigger runs every Monday at 5 AM.
  2. Retrieve IPs and allowed ports.
  3. Send each IP to Shodan to get current open services.
  4. Break the service list into separate items.
  5. Filter out the allowed ports so that only unexpected ones remain.
  6. Format unexpected open port info into an HTML table.
  7. Convert HTML table to Markdown for reports.
  8. Create an alert in TheHive with the Markdown data.

Output

An alert in TheHive for each IP with unexpected open ports, including a clear table of what was found.


Beginner step-by-step: How to use this workflow in n8n

Download and Import Workflow

  1. Click the Download button on this page to get the workflow file.
  2. Open the n8n editor (if self-hosting, see the self-host n8n setup).
  3. Use the Import from File option in n8n to bring in the workflow.

Configure Credentials and Settings

  1. Enter your Shodan API Key in the credentials section and link it to the Shodan HTTP Request node.
  2. Set up the URL and authentication for the internal system API in the Get watched IPs & Ports HTTP Request node.
  3. Enter your TheHive API credentials in the Create TheHive alert node.
  4. If needed, update any IDs, emails, channel names, or folders in TheHive node settings to match your environment.

Test and Activate

  1. Run the workflow manually once to check data outputs at each node.
  2. Fix any errors or credential issues shown.
  3. Activate the workflow to run every Monday at 5 AM automatically.

How the workflow works—Input → Process → Output

Input

  • The workflow receives a list of IPs and allowed ports from the internal API.
  • It uses the Shodan API Key to access port data.

Processing

  • The Split In Batches node sends IPs one-by-one to avoid overload.
  • The HTTP Request node queries Shodan for each IP’s open ports.
  • The Item Lists node splits the services array so each port can be checked.
  • The Filter node compares found ports to allowed ports to find unmatched ones.
  • The Set node collects IP details and port info.
  • The HTML node and Markdown node build a readable table.
  • The TheHive node sends an alert including this table.

Output

A clean alert in TheHive with all unexpected open ports listed for the security team.
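
The filter and table-building steps above, written out as plain JavaScript. This is an added example, not the workflow's own node configuration. The `ports` and `port` field names follow the filter expression on this page; the `ip` field, the function names and the sample Shodan responses (reduced to `data[].port`, `transport` and `product`) are constructed for illustration.

```javascript
// Constructed watch list, as the internal API might return it.
// `ports` matches the page's filter expression; `ip` is an assumed field name.
const watched = [
  { ip: "192.0.2.10", ports: [22, 443] },
  { ip: "192.0.2.20", ports: ["80", "443"] },   // ports delivered as strings
  { ip: "192.0.2.30", ports: [25] },            // Shodan has no record for it
];

// Constructed Shodan host responses, reduced to the fields used here.
const shodanHosts = {
  "192.0.2.10": { data: [
    { port: 22, transport: "tcp", product: "OpenSSH" },
    { port: 443, transport: "tcp", product: "nginx" },
    { port: 3389, transport: "tcp", product: "Remote Desktop Protocol" },
    { port: 3389, transport: "tcp", product: "Remote Desktop Protocol" },
    { port: 161, transport: "udp" },
  ] },
  "192.0.2.20": { data: [{ port: 443, transport: "tcp", product: "nginx" }] },
};

// Filter step: keep the services for which the page's expression
// `ports.includes(port)` would be false. Ports are coerced to numbers so a
// string "443" on the allow-list still matches 443; repeated banners collapse.
function unexpectedServices(entry, host) {
  const allowed = new Set((entry.ports || []).map(Number));
  const services = host && Array.isArray(host.data) ? host.data : [];
  const seen = new Set();
  return services.filter((svc) => {
    const key = `${Number(svc.port)}/${svc.transport || "tcp"}`;
    if (allowed.has(Number(svc.port)) || seen.has(key)) return false;
    seen.add(key);
    return true;
  });
}

// Banner text is untrusted: neutralise pipes and newlines so it cannot
// break the Markdown table rendered in the alert.
const cell = (v) => String(v ?? "n/a").replace(/\|/g, "\\|").replace(/\r?\n/g, " ");

function markdownTable(services) {
  const rows = services.map((s) => `| ${cell(s.port)} | ${cell(s.transport)} | ${cell(s.product)} |`);
  return ["| Port | Transport | Product |", "| --- | --- | --- |", ...rows].join("\n");
}

// One alert per IP, and only for IPs that have at least one unexpected port.
function buildAlerts(watchlist, hosts) {
  return watchlist
    .map((e) => ({ ip: e.ip, found: unexpectedServices(e, hosts[e.ip]) }))
    .filter((r) => r.found.length > 0)
    .map((r) => ({ title: `Unexpected open ports on ${r.ip}`, description: markdownTable(r.found) }));
}
```

With the sample data, `buildAlerts(watched, shodanHosts)` yields a single alert for 192.0.2.10 listing 3389/tcp and 161/udp; the other two addresses produce none.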


Common Failures and Troubleshooting

API authentication failed in Shodan nodes

Cause: Wrong or missing API Key in credentials.

Fix: Check and update the Shodan API Key in n8n credentials.

Filter node not working right for port checks

Cause: Expression incorrectly written or node names changed.

Fix: Adjust to

= {{ $('For each IP').item.json.ports.includes($json.port) }}

and test with sample data.

TheHive alerts missing or not created

Cause: Credentials invalid or necessary fields not filled.

Fix: Confirm TheHive API token, and ensure alert fields like title and description are set.


Customization Ideas

  • Change Schedule Trigger node for daily or monthly scans.
  • Enhance filter to check service banner or name for suspicious signs.
  • Add Slack or email notifications after TheHive alert.
  • Include error handling nodes to log API errors or limits.
  • Pull IPs from multiple sources by expanding the Get watched IPs & Ports node.

Summary and Benefits of Using This Workflow

✓ Saves 3-4 hours weekly by automating IP open port monitoring.

✓ Detects unexpected services fast, improving risk response.

✓ Sends clear alerts with detailed data to TheHive.

✓ Reduces human error compared to manual checking.

→ Enables reliable, regular security checks without manual work.

Frequently Asked Questions

Check the Shodan API Key in n8n credentials and make sure it is correct and linked to the Shodan HTTP Request node.
The filter expression may be wrong or reference the wrong node. Use = {{ $('For each IP').item.json.ports.includes($json.port) }} and test with sample data.
Verify TheHive API credentials and ensure alert fields like title and description are properly filled and mapped.
Yes. Modify the Schedule Trigger node to run daily or monthly as needed.
