Network vs Domain vs Search Query

Shodan Monitor lets you configure external network monitoring using 3 main avenues:

  • IPs/network range
  • Domain/hostname
  • Search query

Each option has advantages and disadvantages, which this article covers.

Network Monitoring

Network monitoring is when you tell Shodan Monitor your known networks/IPs and Shodan keeps track of them.

In an ideal world this is all you would need. You know your IPs/networks and can use Shodan to tell you when something changes. Monitoring a network range in CIDR notation is efficient, so you get good response times from the website/API, and it's easy to configure.

Its limitation is that you need to know your IPs or network ranges. In practice, most environments are hybrid: some services run on-premises and others run in the cloud. If you only configure network-based monitoring, you will miss shadow IT, i.e. services that belong to you but aren't yet known to your IT department.

Always use this when possible. It's especially suited for assets that have static IPs and that you know belong to you.

Domain-based Monitoring

Domain-based network monitoring involves telling Shodan Monitor which domains/hostnames belong to you. In that case, Shodan will automatically keep track of the IPs associated with those domains/hostnames and configure network monitoring for those IPs.

This is most commonly used for services deployed to the cloud where the underlying IP changes over time. Shodan curates its own DNS database using various OSINT techniques which you can leverage to discover assets.

Domain-based monitoring relies on DNS information, and not all services have a DNS record. Additionally, you need to know the domains that belong to your organization.

Use this if you deploy services to the cloud or otherwise use DNS to address your services.

Search Query-based Monitoring

Search query-based network monitoring means getting a list of IPs to monitor from the results of a search query.

This option is extremely flexible: you can search across the Internet for devices that match certain criteria. This is especially helpful for identifying shadow IT. Want to monitor assets that have a website with the company favicon? Or based on SSL/TLS certificate information? Or IPs that are located in San Diego, running PAN-OS and support TLS 1.3? The possibilities for monitoring are endless.

The major downside is that you need to create an accurate search query; otherwise, you will potentially monitor IPs that don't belong to you.

Only use this if you're confident that the search query accurately identifies assets that belong to you. This should be considered a fallback option when you don't know your domains or network ranges.
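
One way to check a search query's accuracy before relying on it, as an added example that is not Shodan's own code: sort each result by the ownership evidence behind it, using the networks and domains you already know. The records are constructed samples using the `ip_str` and `hostnames` banner fields; the known ranges, the domain and all function names are assumptions.

```python
import ipaddress

# Assumptions: ranges and domains the organization already knows it owns.
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
KNOWN_DOMAINS = ["example.com"]

# Constructed sample results, shaped like search matches ("ip_str", "hostnames").
SAMPLE_MATCHES = [
    {"ip_str": "198.51.100.17", "hostnames": []},
    {"ip_str": "203.0.113.40", "hostnames": ["vpn.example.com"]},
    {"ip_str": "203.0.113.77", "hostnames": ["example.com.cdn-host.test"]},
    {"ip_str": "192.0.2.9", "hostnames": []},
]


def owned_hostname(hostname, domains):
    """True only for the domain itself or a real subdomain (label boundary)."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(matches, networks=KNOWN_NETWORKS, domains=KNOWN_DOMAINS):
    """Split query results by the ownership evidence that backs each IP."""
    buckets = {"network": [], "domain": [], "review": []}
    for match in matches:
        ip = ipaddress.ip_address(match["ip_str"])
        if any(ip in net for net in networks):
            buckets["network"].append(str(ip))
        elif any(owned_hostname(h, domains) for h in match.get("hostnames", [])):
            buckets["domain"].append(str(ip))
        else:
            buckets["review"].append(str(ip))
    return buckets


def to_cidrs(ips):
    """Collapse confirmed IPs into the fewest CIDR blocks."""
    nets = [ipaddress.ip_network(ip) for ip in ips]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    result = triage(SAMPLE_MATCHES)
    for bucket, ips in result.items():
        print(f"{bucket:8} {ips}")
    print("confirmed CIDRs:", to_cidrs(result["network"] + result["domain"]))
```

A large `review` bucket means the query matches hosts with no tie to your known networks or domains, so tighten it before using it for monitoring.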