Find risky open ports before they become problems. Security and IT teams can run a weekly check on known servers and get a clear alert when a new or unwanted port is exposed. The result is faster response and less manual hunting.

A scheduled run every Monday pulls a list of watched IPs and their approved ports. Each IP is processed one by one to avoid rate limits. The system queries Shodan for open ports and services, then compares findings to the approved list. Any difference is formatted into a clean Markdown table and sent as an alert to TheHive with a clear title, tags, and timestamp so teams can triage right away.

You will need a Shodan API key and access to a TheHive instance. Point the IP list request to your IPS or database and keep the JSON format as ip and ports. Expect to cut weekly port reviews from hours to minutes while improving accuracy. Helpful for exposed asset checks, change monitoring, and compliance evidence.

• Weekly schedule runs on Monday at a set hour for consistent checks
• Fetches the current IP and approved port list from your system using HTTP
• Processes one IP at a time to respect API limits and keep runs stable
• Queries Shodan for each host to gather open ports and services
• Extracts service entries and compares ports against the approved list
• Builds a clear HTML table of unexpected ports and converts it to Markdown
• Creates a TheHive alert with title, tag, date, and the Markdown report
• Uses simple filtering so only unapproved ports trigger an alert

• Reduce manual port reviews from 2 hours to 10 minutes per week
• Streamline weekly exposure checks by about 80 percent
• Eliminate most copy and paste errors by generating the report automatically
• Connect Shodan findings to TheHive so incidents reach the right team fast
• Scale to hundreds of assets using batch processing without timeouts

1. Import the template into n8n: Create a new workflow in n8n > Click the three dots menu > Select 'Import from File' > Choose the downloaded JSON file.
2. You'll need accounts with Shodan and TheHive. See the Tools Required section above for links to create accounts with these services.
3. Open the Every Monday node and confirm the day and time match your timezone and maintenance window.
4. Double click Get watched IPs & Ports and replace the sample URL with your IPS or database endpoint that returns a JSON array of objects with ip and ports.
5. Open the Scan each IP node. In the Credential to connect with dropdown, click Create new credential, choose HTTP Request with query auth, and follow the on screen steps. Add your Shodan API key as a query parameter named key.
6. Open the Create TheHive alert node. In credentials, click Create new credential, then follow the on screen instructions to add your TheHive base URL and API key.
7. Review the Unexpected port filter. Confirm the approved port list from the For each IP item is used as the allow list. Adjust if your data structure differs.
8. Run the workflow once manually. Check the For each IP node output to confirm each IP and its ports load correctly.
9. Inspect the Scan each IP results to confirm Shodan returns open ports. If you see rate limit errors, keep the batch size at one.
10. Open TheHive and verify a new alert is created with a Markdown table of unexpected ports. If not, check your credentials, base URL, and that the alert type and source fields are filled.
11. If no alerts are created, confirm the approved ports are set correctly. You may be filtering everything out if the allow list includes all found ports.
12. Once validated, enable the workflow so it runs every Monday and sends alerts automatically.