Skip to content
Shodan Book

Manage Assets

The Manage Assets page lets you create asset groups to define what Shodan Monitor should keep track of. There are 3 types of asset groups:

  • IP/ network (ex. 198.20.0.0/16)
  • Domain/ hostname (ex. shodan.io)
  • Search Query (ex. http.favicon.hash:483188950 -org:Shodan)

IP/ Network

With the IP/ network type, the user tells Shodan which IPs/ network ranges to keep track of. Always use this when possible. It’s especially suited for assets that have static IPs and that you know belong to you.

  • Advantages: In an ideal world this is all you would need. You know your IPs/ networks and can use Shodan to tell you when something changes. It’s efficient to monitor a network range in CIDR notation so you get good response times from the website/ API and it’s easy to configure.

  • Disadvantages: It requires you to know your IPs or network ranges. In practice, most environments are hybrid: some services run on-premise and others run on the cloud. And if you only configure network-based monitoring then you will miss out on shadow IT; i.e. services that belong to you but aren’t yet known by your IT department.

Domain/ Hostname

Domain-based network monitoring involves telling Shodan Monitor which domains/ hostnames belong to you. In that case, Shodan will automatically keep track of the IPs associated with those domains/ hostnames and configure network monitoring for those IPs. It is most commonly used if services are deployed to the cloud or otherwise use DNS to access the services.

  • Advantages: This is most commonly used for services deployed to the cloud where the underlying IP changes over time. Shodan curates its own DNS database using various OSINT techniques which you can leverage to discover assets. This DNS database can also be accessed via the website, CLI and API.

  • Disadvantages: It relies on DNS information and not all services will have a DNS record. Additionally, you need to know the domains that belong to your organization.

Search Query

Search query-based network monitoring means getting a list of IPs to monitor from the results of a Shodan search query. Only use this if you’re confident that the search query accurately identifies assets that belong to you. Or if you’d like to get notified of services that look like they belong to you but aren’t running in the expected locations (ex. identifying phishing websites). This should be considered a fallback option when you don’t know your domains or network ranges.

  • Advantages: This options is extremely flexible: you can search across the Internet for devices that match a certain criteria. This is especially helpful to identify shadow IT. Want to monitor assets that have a website with the company favicon? Or based on SSL/TLS certificate information? Or IPs that are located in San Diego, running PAN-OS and support TLS 1.3? The possibilities for monitoring are endless.

  • Disadvantages: The major downside is that you need to create an accurate search query otherwise you will potentially monitor IPs that don’t belong to you.

Page Features

The Manage Assets page also provides a few conveniences:

  • Submit Scan: click on the refresh icon on the right side to ask Shodan to rescan the IPs within the asset group. This isn’t required on a regular basis as Shodan Monitor automatically rescans assets at least once a day but if you have a need for an immediate rescan then use that button.

  • Filtered Dashboard: click on the eye icon to see a dashboard that is filtered to just the IPs within the asset group. This can be helpful for digging into the data or if you’re only interested in the discoveries for a specific asset group.

  • Edit Assets: click the gear icon to enter the Edit page for the asset group. Within that page you can change the notifiers, triggers and for IP/ network-based asset groups you can also change the list of monitored IPs/ networks.