GreyNoise Community Action
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
| Current Integration Version | 1.0.3 |
| Compatible with ThreatQ Versions | >= 5.6.0 |
| ThreatQ TQO License Required | Yes |
| Support Tier | ThreatQ Supported |
Introduction
The GreyNoise Community Action submits a collection of IP Addresses to the GreyNoise Community API in individual HTTP Requests. GreyNoise returns a response for each object containing any information they have about the indicator. A sample response can be found within this file.
The integration can perform the following action:
- GreyNoise Community - enriches IP Addresses with attributes describing the observed behavior of the IP Address.
The action is compatible with the following indicator type:
- IP Address
The action returns the following enriched indicator types:
- IP Address
This action is intended for use with ThreatQ TDR Orchestrator (TQO). An active TQO license is required for this feature.
Prerequisites
The action requires the following:
- A GreyNoise API key.
- An active ThreatQ TDR Orchestrator (TQO) license.
- A data collection containing the following indicator type:
- IP Address
Installation
This action can be installed in the My Integration section of your ThreatQ instance. See the Installing an Action topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Actions option from the Category dropdown (optional).
- Click on the action entry to open its details page.
- Enter the following parameters under the Configuration tab:
The configurations set on this page will be used as the default settings when inserting this action into a new workflow. Updating the configurations on this page will not update any instances of this action that have already been deployed to a workflow. In that scenario, you must update the action’s configurations within the workflow itself.
Parameter Description GreyNoise API Key Your API Key for authentication with the GreyNoise API. Objects Per Run The maximum number of objects to submit per workflow run. The max value for this parameter is 50,000. GreyNoise Context Filter Maximum number of objects to submit per workflow run. Options include: - Classification
- Link
- Last Seen
- Name
- RIOT
- Noise
- Review any additional settings, make any changes if needed, and click on Save.
Actions
The integration provides the following action:
| Action | Description | Object Type | Object Subtype |
|---|---|---|---|
| GreyNoise Community | Queries the GreyNoise Community API for context | Indicator | IP Address |
GreyNoise Community
GET https://api.greynoise.io/v3/community/{{IP Address}}
Sample Response:
{
"ip": "111.121.216.118",
"noise": true,
"riot": false,
"classification": "malicious",
"name": "unknown",
"link": "https://viz.greynoise.io/ip/111.121.216.118",
"last_seen": "2022-12-02",
"message": "Success"
}
ThreatQuotient provides the following default mapping for this feed:
| Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
|---|---|---|---|---|---|
.classification |
Indicator.Attribute | Classification | N/A | benign | If enabled |
.name |
Indicator.Attribute | Name | N/A | ShadowServer | 'unknown' is ignored |
.noise |
Indicator.Attribute | Noise | N/A | True | If enabled |
.riot |
Indicator.Attribute | Riot | N/A | True | If enabled |
.last_seen |
Indicator.Attribute | Last Seen | N/A | True | If enabled |
.link |
Indicator.Attribute | Link | N/A | https://viz.greynoise.io/ip/64.62.197.2 | If enabled |
Enriched Data
Object counts and action runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and action runtime may vary based on system resources and load.
| Metric | Result |
|---|---|
| Run Time | 1 Minute |
| Indicators | 50 |
| Indicator Attributes | 230 |
Use Case Example
- A Threat Analyst identifies a collection of IP Addresses they would like to enrich.
- The Threat Analyst adds the GreyNoise Community Action to a Workflow
- The Threat Analyst configures the action with the desired parameters, and enables the Workflow
- The Workflow executes all Actions in the graph, including GreyNoise Community
- The action returns the documented Attributes from the provider, and the Workflow ingests this data into the ThreatQ platform.
Example Return Results:
- 99 Indicators
- 30 Indicator Attributes
Known Issues / Limitations
- The GreyNoise Community API is limited to 50 lookups per day.
Change Log
- Version 1.0.3
- Initial release on the ThreatQ Marketplace.
PDF Guides
| Document | ThreatQ Version |
|---|---|
| GreyNoise Community Action Guide v1.0.3 | 5.6.0 or Greater |