Filter Schedule Automation Scheduled – Business Process Automation | Complete n8n Scheduled Guide (Intermediate)
This article provides a complete, practical walkthrough of the Filter Schedule Automation Scheduled n8n agent. It connects HTTP Request and Webhook across approximately 1 node(s). Expect an Intermediate setup in 15-45 minutes. One‑time purchase: €29.
What This Agent Does
This agent orchestrates a reliable automation between HTTP Request and Webhook, handling triggers, data enrichment, and delivery with guardrails for errors and rate limits.
It streamlines multi‑step processes that would otherwise require manual exports, spreadsheet cleanup, and repeated API requests. By centralizing logic in n8n, it reduces context switching, lowers error rates, and ensures consistent results across teams.
Typical outcomes include faster lead handoffs, automated notifications, accurate data synchronization, and better visibility via execution logs and optional Slack/Email alerts.
How It Works
The workflow uses standard n8n building blocks like Webhook or Schedule triggers, HTTP Request for API calls, and control nodes (IF, Merge, Set) to validate inputs, branch on conditions, and format outputs. Retries and timeouts improve resilience, while credentials keep secrets safe.
Third‑Party Integrations
- HTTP Request
- Webhook
Import and Use in n8n
- Open n8n and create a new workflow or collection.
- Choose Import from File or Paste JSON.
- Paste the JSON below, then click Import.
Title: Automating Network Threat Detection: A Weekly Shodan Report Workflow with n8n and TheHive
Meta Description: Discover how to automate weekly Shodan scans and detect unexpected open ports across your infrastructure using n8n. Integrate with TheHive to trigger security incident alerts with ease.
Keywords: n8n workflow, Shodan API, TheHive integration, network security automation, SecOps, weekly security scan, open ports detection, IP monitoring, markdown reporting, security incident automation
Third-Party APIs Used:
1. Shodan API – For scanning and retrieving open ports and services for specified IP addresses.
2. TheHive API – For creating alerts when unexpected ports are discovered, enabling automated incident response.
Article:
Ensuring the security of your IT infrastructure often starts with visibility—and automation. In today’s increasingly dynamic threat landscape, staying on top of exposed or misconfigured services should be routine, not optional. That’s where this automated n8n workflow comes into play—designed to run weekly, it scans your predefined list of IPs using the Shodan API and raises alerts in TheHive if any unexpected open ports are detected.
Let’s walk through how this real-world n8n workflow, named "Weekly_Shodan_Query___Report_Accidents__no_function_node_", simplifies continuous security monitoring and integrates seamlessly into your incident response pipeline.
🚦 Step 1: Scheduled Scan Trigger
The automation begins every Monday at 5 AM with a Schedule Trigger node (“Every Monday”). This ensures consistent, timely execution of your external threat monitoring, without requiring manual initiation.
🔍 Step 2: Retrieving IPs and Expected Ports
The next step connects to an internal system (in this case represented by a mock endpoint) that returns a list of IP addresses and associated expected ports. This list mirrors what would typically come from an Intrusion Prevention System (IPS) or firewall logs.
Expected data format:

```json
[
  { "ip": "116.202.106.35", "ports": [5678, 80] },
  { "ip": "188.114.96.9", "ports": [8080, 80] }
]
```

This foundation allows for easy swaps to production-grade APIs with minimal changes.
🧮 Step 3: One IP at a Time
Using n8n’s “Split In Batches” node, the workflow processes one IP at a time. This design decision is critical for observability and API stability, ensuring Shodan requests stay within acceptable rate limits and reducing the chance of failure.
🌐 Step 4: Scanning with Shodan
For each IP, the workflow queries Shodan using the API endpoint: `https://api.shodan.io/shodan/host/{{ $json.ip }}`. Here, authentication is handled using an API key securely stored in n8n credentials. The returned data, if any, includes an array of currently visible open ports and services.
🔬 Step 5: Isolate and Inspect Services
The services from the Shodan API are then parsed using the “Split out services” node. Each port is checked against the list of known/expected ports provided earlier. A filter node “Unexpected port?” evaluates whether any newly observed port is not present in the expected list. If an anomaly is detected, the workflow moves forward with alerting mechanisms.
📋 Step 6: Formatting for Human Readability
Using a series of nodes, the port, IP, hostname, and service description are collated into a neat HTML table and then converted to Markdown. This Markdown format provides easily digestible and shareable documentation.
✉️ Step 7: Alert Creation in TheHive
The final action posts this Markdown content as a security alert in TheHive. This open-source Security Incident Response Platform (SIRP) enables SecOps professionals to triage and manage threats immediately.
The alert includes:
- IP address
- Unexpected port
- Collected hostnames
- Service metadata
- Direct reference to the source/capture timestamp
The integration with TheHive means your organization can begin incident management without delay, armed with clear context and actionable data.
🎯 Why This Workflow Matters
- 📆 Scheduled Monitoring: Ensure weekly, consistent scans without human intervention.
- 🔒 Security Focused: Detect misconfigurations or shadow IT exposures before they’re exploited.
- 🕵️ Visibility into Cloud & Network Assets: Using Shodan gives your team reconnaissance-grade insights into your exposed services.
- 🚨 Real-Time Alerts: Unexpected ports? You’ll know right away in TheHive.
- 📈 Scalable and Extensible: Running in n8n, the workflow can be easily extended—add notifications, SLA tags, or integration with other security tools like Slack or PagerDuty.
🛠️ Additional Considerations
For production use, consider adding the following enhancements:
- Error handling nodes to catch failed Shodan queries.
- Rate limit retry logic to handle API quota issues.
- Broader integrations for endpoints like Splunk, SIEMs, or ticketing systems like Jira.
Conclusion
With a smart combination of Shodan’s real-time internet scanning and n8n’s low-code automation engine, this workflow provides a clear and scalable solution for continuous risk assessment. Integration with TheHive completes the loop, turning observed anomalies into action-ready incidents for your team. In a matter of minutes, what was once a time-consuming manual task becomes a streamlined, auditable, and automated protocol.
Start small, be consistent, and iterate: this workflow lays the groundwork for automated security orchestration that evolves with your threat surface.
- Set credentials for each API node (keys, OAuth) in Credentials.
- Run a test via Execute Workflow. Inspect Run Data, then adjust parameters.
- Enable the workflow to run on schedule, webhook, or triggers as configured.
Tips: keep secrets in credentials, add retries and timeouts on HTTP nodes, implement error notifications, and paginate large API fetches.
Validation: use IF/Code nodes to sanitize inputs and guard against empty payloads.
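The port comparison from Step 5 of the article above, combined with the empty-payload guard from the validation tip, written the way it could be expressed in an n8n Code node. This is an added example, not part of the workflow JSON or the original article: the function names are hypothetical, the sample records are constructed, and the field names assume Shodan's host record layout (`ip_str`, `data[].port`, `product`, `hostnames`, `timestamp`).

```javascript
// Added example: the sample data below is constructed, not real scan output.
const expected = [
  { ip: "116.202.106.35", ports: [5678, 80] },  // format shown in the article
  { ip: "188.114.96.9", ports: [8080, "80"] },  // a port arriving as a string
];

// Constructed Shodan-style host record (field names are an assumption, see lead-in).
const shodanHost = {
  ip_str: "116.202.106.35",
  data: [
    { port: 80, product: "nginx", hostnames: ["a.example"], timestamp: "2024-01-01T05:00:00" },
    { port: 5678, product: null, hostnames: [], timestamp: "2024-01-01T05:00:01" },
    { port: 6379, product: "Redis | key-value\nstore", hostnames: ["a.example"], timestamp: "2024-01-01T05:00:02" },
  ],
};

const isPort = (p) => Number.isInteger(p) && p >= 1 && p <= 65535;

// Banner text originates from the scanned service, so treat it as untrusted:
// flatten newlines and escape characters that would break or restyle the table.
const mdCell = (v) => String(v ?? "").replace(/[\r\n]+/g, " ").replace(/[|`<>\[\]]/g, "\\$&");

function findUnexpected(expectedList, host) {
  // Guard against empty or error payloads (e.g. a host with no record).
  if (!Array.isArray(expectedList) || !host || !Array.isArray(host.data)) return [];
  const entry = expectedList.find((e) => e && e.ip === host.ip_str);
  // Design choice of this example: an IP absent from the list has no allowed ports.
  const allowed = new Set((entry?.ports ?? []).map(Number).filter(isPort));
  return host.data
    .filter((svc) => isPort(svc.port) && !allowed.has(svc.port))
    .map((svc) => ({ ip: host.ip_str, port: svc.port, product: svc.product,
                     hostnames: svc.hostnames ?? [], timestamp: svc.timestamp }));
}

function toMarkdown(findings) {
  if (findings.length === 0) return ""; // nothing to alert on
  const rows = findings.map((f) =>
    `| ${mdCell(f.ip)} | ${f.port} | ${mdCell(f.hostnames.join(", "))} | ${mdCell(f.product)} | ${mdCell(f.timestamp)} |`);
  return ["| IP | Port | Hostnames | Service | Seen |", "|---|---|---|---|---|", ...rows].join("\n");
}

console.log(toMarkdown(findUnexpected(expected, shodanHost)));
```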
Why Automate This with AI Agents
AI‑assisted automations offload repetitive, error‑prone tasks to a predictable workflow. Instead of manual copy‑paste and ad‑hoc scripts, your team gets a governed pipeline with versioned state, auditability, and observable runs.
n8n’s node graph makes data flow transparent while AI‑powered enrichment (classification, extraction, summarization) boosts throughput and consistency. Teams reclaim time, reduce operational costs, and standardize best practices without sacrificing flexibility.
Compared to one‑off integrations, an AI agent is easier to extend: swap APIs, add filters, or bolt on notifications without rewriting everything. You get reliability, control, and a faster path from idea to production.
Best Practices
- Credentials: restrict scopes and rotate tokens regularly.
- Resilience: configure retries, timeouts, and backoff for API nodes.
- Data Quality: validate inputs; normalize fields early to reduce downstream branching.
- Performance: batch records and paginate for large datasets.
- Observability: add failure alerts (Email/Slack) and persistent logs for auditing.
- Security: avoid sensitive data in logs; use environment variables and n8n credentials.
FAQs
Can I swap integrations later? Yes. Replace or add nodes and re‑map fields without rebuilding the whole flow.
How do I monitor failures? Use Execution logs and add notifications on the Error Trigger path.
Does it scale? Use queues, batching, and sub‑workflows to split responsibilities and control load.
Is my data safe? Keep secrets in Credentials, restrict token scopes, and review access logs.