Skip to main content

GreyNoise

This Integration is part of the GreyNoise Pack.#

GreyNoise is a cybersecurity platform that collects and analyzes Internet-wide scan and attack traffic. With this integration, users can contextualize existing alerts, filter false-positives, identify compromised devices, and track emerging threats. This integration was integrated and tested with version 2.0.1 of the GreyNoise SDK. Supported Cortex XSOAR versions: 5.5.0 and later.

Configure GreyNoise in Cortex#

ParameterDescriptionRequired
apikeyAPI KeyFalse
insecureTrust any certificate (not secure)False
proxyUse system proxy settingsFalse

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip#


Runs reputation on IPs.

Base Command#

ip

Input#

Argument NameDescriptionRequired
ipA comma-separated list of IPs.Required

Context Output#

PathTypeDescription
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.ScoreNumberThe actual score.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
IP.AddressstringIP address.
IP.ASNstringThe autonomous system name for the IP address.
IP.HostnamestringThe hostname that is mapped to IP address.
IP.Geo.CountrystringThe country in which the IP address is located.
IP.Geo.DescriptionstringAdditional information about the location such as city and region.
IP.Malicious.VendorstringThe vendor reporting the IP address as malicious.
IP.Malicious.DescriptionstringA description explaining why the IP address was reported as malicious.
GreyNoise.IP.addressstringThe IP address of the scanning device IP.
GreyNoise.IP.first_seendateThe date the device was first observed by GreyNoise. Format is ISO8601.
GreyNoise.IP.last_seendateThe date the device was last observed by GreyNoise. Format is ISO8601.
GreyNoise.IP.seenbooleanIP is in record with GreyNoise.
GreyNoise.IP.tagsarrayA list of the tags the device has been assigned over the past 90 days.
GreyNoise.IP.actorstringThe overt actor the device has been associated with.
GreyNoise.IP.spoofablebooleanBoolean indicates if IP is spoofable.
GreyNoise.IP.classificationstringWhether the device has been categorized as unknown, benign, or malicious.
GreyNoise.IP.cvearrayCVEs associated with IP.
GreyNoise.IP.metadata.asnstringThe autonomous system identification number.
GreyNoise.IP.metadata.citystringThe city the device is geographically located in.
GreyNoise.IP.metadata.regionstringThe full name of the region the device is geographically located in.
GreyNoise.IP.metadata.countrystringThe full name of the country.
GreyNoise.IP.metadata.country_codestringThe two-character country code of the country.
GreyNoise.IP.metadata.organizationstringThe organization that owns the network that the IP address belongs to.
GreyNoise.IP.metadata.categorystringWhether the device belongs to a business, isp, hosting, education, or mobile network.
GreyNoise.IP.metadata.torbooleanWhether or not the device is a known Tor exit node.
GreyNoise.IP.metadata.rdnsstringReverse DNS lookup of the IP address.
GreyNoise.IP.metadata.osstringThe name of the operating system of the device.
GreyNoise.IP.metadata.destination_countriesarrayThe list of countries targeted by scanning.
GreyNoise.IP.vpnbooleanWhether the device is VPN endpoint or not.
GreyNoise.IP.vpn_servicestringThe name of the VPN service provider of the device.
GreyNoise.IP.raw_data.scan.portnumberThe port number(s) the devices has been observed scanning.
GreyNoise.IP.raw_data.scan.protocolstringThe protocol of the port the device has been observed scanning.
GreyNoise.IP.raw_data.web.pathsarrayAny HTTP paths the device has been observed crawling the Internet for.
GreyNoise.IP.raw_data.web.useragentsarrayAny HTTP user-agents the device has been observed using while crawling the Internet.
GreyNoise.IP.raw_data.ja3.fingerprintstringThe JA3 TLS/SSL fingerprint.
GreyNoise.IP.raw_data.ja3.portnumberThe corresponding TCP port for the given JA3 fingerprint.
GreyNoise.IP.raw_data.hassh.fingerprintstringHASSH hash fingerprint string.
GreyNoise.IP.raw_data.hassh.portnumberTCP port connection where the HASSH hash was identified.
GreyNoise.IP.botBooleanWhether the IP is associated with known bot activity or not. Common examples include credential stuffing, content scraping, or brute force attacks.

IP: 66.249.68.82 found with Noise Reputation: Good#

GreyNoise Context IP Lookup#

IPClassificationActorTagsSpoofableVPNBOTTorFirst SeenLast Seen
66.249.68.82benignGoogleBotTLS/SSL Crawler, Web Crawlerfalsefalsefalsefalse2021-05-302021-09-16

IP: 66.249.68.82 found with RIOT Reputation: Good#

Belongs to Common Business Service: Google#

GreyNoise RIOT IP Lookup#

IPCategoryNameTrust LevelDescriptionLast Updated
66.249.68.82softwareGoogle1 - Reasonably IgnoreGoogle LLC is an American multinational technology company that specializes in Internet-related services and products, which include online advertising technologies, a search engine, cloud computing, software, and hardware.2021-09-16T17:53:00Z

greynoise-ip-quick-check#


Check whether a given IP address is "Internet background noise", or has been observed scanning or attacking devices across the Internet. Note: It checks against the last 60 days of Internet scanner data.

Base Command#

greynoise-ip-quick-check

Input#

Argument NameDescriptionRequired
ipList IP addresses to retrieve quick check about.Required

Context Output#

PathTypeDescription
GreyNoise.IP.addressstringThe IP address of the scanning device IP.
GreyNoise.IP.noisebooleanWhether the IP is internet background noise or attacking.
GreyNoise.IP.riotstringWhether the IP is a common business service.
GreyNoise.IP.codestringCode which correlates to why GreyNoise labeled the IP as noise.
GreyNoise.IP.code_valuestringMessage which correlates to why GreyNoise labeled the IP as noise.

Command Example#

!greynoise-ip-quick-check ip="45.83.65.120,45.83.66.18"

Human Readable Output#

IP Quick Check Details#

IPNoiseCodeCode Description
45.83.66.18true0x01IP has been observed by the GreyNoise sensor network
45.83.65.120true0x01IP has been observed by the GreyNoise sensor network

greynoise-query#


Get the information of IP based on the providence filters.

Base Command#

greynoise-query

Input#

Argument NameDescriptionRequired
last_seenThe date the device was most recently observed by GreyNoise. Example: 1d, 2d, 12h, or 1m.Optional
organizationThe organization that owns the network the IP address belongs to.Optional
classificationClassification of the device. Possible values: unknown, benign, malicious. Possible values are: unknown, benign, malicious.Optional
spoofableWhether the IP is spoofable or not. Possible values are: true, false. Default is false.Optional
actorThe actor the device has been associated with.Optional
cveA CVE to get scanning data about, example CVE-2021-12345.Optional
sizeMaximum amount of results to grab. Default is 10.Optional
advanced_queryGNQL query to filter records.
Note: It merges other arguments and takes higher precedence over the same argument if supplied.
Example:
malicious,
spoofable:false SSH Scanner,
spoofable:false classification:benign tags:POP3 Scanner cve:CVE-2010-0103.
Optional
next_tokenScroll token to paginate through results.Optional

Context Output#

PathTypeDescription
GreyNoise.IP.addressstringThe IP address of the scanning device IP.
GreyNoise.IP.first_seendateThe date the device was first observed by GreyNoise. Format is ISO8601.
GreyNoise.IP.last_seendateThe date the device was last observed by GreyNoise. Format is ISO8601.
GreyNoise.IP.seenbooleanIP is in record with GreyNoise.
GreyNoise.IP.tagsarrayA list of the tags the device has been assigned over the past 90 days.
GreyNoise.IP.actorstringThe overt actor the device has been associated with.
GreyNoise.IP.spoofablebooleanBoolean indicates if IP is spoofable.
GreyNoise.IP.classificationstringWhether the device has been categorized as unknown, benign, or malicious.
GreyNoise.IP.cvearrayCVEs associated with IP.
GreyNoise.IP.metadata.asnstringThe autonomous system identification number.
GreyNoise.IP.metadata.citystringThe city the device is geographically located in.
GreyNoise.IP.metadata.categorystringWhether the device belongs to a business, isp, hosting, education, or mobile network.
GreyNoise.IP.metadata.countrystringThe full name of the country.
GreyNoise.IP.metadata.country_codestringThe two-character country code of the country.
GreyNoise.IP.metadata.destination_countriesarrayThe list of countries targeted by scanning.
GreyNoise.IP.metadata.destination_county_codesarrayThe list of countries (codes) targeted by scanning.
GreyNoise.IP.metadata.organizationstringThe organization that owns the network that the IP address belongs to.
GreyNoise.IP.metadata.osstringThe name of the operating system of the device.
GreyNoise.IP.metadata.rdnsstringReverse DNS lookup of the IP address.
GreyNoise.IP.metadata.regionstringThe full name of the region the device is geographically located in.
GreyNoise.IP.metadata.sensor_countnumberThe number of sensors that observed activity from this IP.
GreyNoise.IP.metadata.sensor_hitsnumberThe number of sensors events recorded from this IP.
GreyNoise.IP.metadata.source_countrystringThe full name of the IP source country.
GreyNoise.IP.metadata.source_country_codestringThe country code of the IP source country.
GreyNoise.IP.metadata.torbooleanWhether or not the device is a known Tor exit node.
GreyNoise.IP.vpnbooleanWhether the device is VPN endpoint or not.
GreyNoise.IP.vpn_servicestringThe name of the VPN service provider of the device.
GreyNoise.IP.raw_data.scan.portnumberThe port number(s) the devices has been observed scanning.
GreyNoise.IP.raw_data.scan.protocolstringThe protocol of the port the device has been observed scanning.
GreyNoise.IP.raw_data.web.pathsarrayAny HTTP paths the device has been observed crawling the Internet for.
GreyNoise.IP.raw_data.web.useragentsarrayAny HTTP user-agents the device has been observed using while crawling the Internet.
GreyNoise.IP.raw_data.ja3.fingerprintstringThe JA3 TLS/SSL fingerprint.
GreyNoise.IP.raw_data.ja3.portnumberThe corresponding TCP port for the given JA3 fingerprint.
GreyNoise.IP.raw_data.hassh.fingerprintstringHASSH hash fingerprint string.
GreyNoise.IP.raw_data.hassh.portnumberTCP port connection where the HASSH hash was identified.
GreyNoise.Query.completebooleanWhether all results have been fetched or not.
GreyNoise.Query.countnumberCount of the total matching records.
GreyNoise.Query.messagestringMessage from the API response.
GreyNoise.Query.querystringQuery which was used to filter the records.
GreyNoise.Query.scrollstringScroll token to paginate through results.
GreyNoise.IP.botBooleanWhether the IP is associated with known bot activity or not. Common examples include credential stuffing, content scraping, or brute force attacks.

Total findings: 2846548#

IP Context#

IPClassificationActorCVESpoofableVPNFirst SeenLast Seen
71.6.135.131benignShodan.ioCVE-1999-0526 ,CVE-2013-6117, CVE-2019-0708falsefalse2017-09-202021-02-03

Next Page Token:#

DnF1ZXJ5VGhlbkZldGNoBQAAAAAcV1_HFkFKSExEdUc4VEtta2

To view the detailed query result please click here.

greynoise-stats#


Get aggregate statistics for the top organizations, actors, tags, ASNs, countries, classifications, and operating systems of all the results of a given GNQL query.

Base Command#

greynoise-stats

Input#

Argument NameDescriptionRequired
classificationClassification of the device like unknown, benign, malicious. Possible values are: unknown, benign, malicious.Optional
spoofableWhether the IP is spoofable or not. Possible values are: true, false.Optional
actorThe benign actor the device has been associated with.Optional
sizeMaximum amount of results to grab. Default is 10.Optional
advanced_queryGNQL query to filter records. Note: It merges other arguments and takes higher precedence over the same argument if supplied. Example: malicious, spoofable:false SSH Scanner, spoofable:false classification:benign tags:POP3 Scanner cve:CVE-2010-0103.Optional
last_seenThe date the device was most recently observed by GreyNoise. Example: 1d, 2d, 12h, or 1m.Optional
organizationThe organization that owns the network that the IP address belongs to.Optional

Context Output#

PathTypeDescription
GreyNoise.Stats.querystringThe query which was used to filter the records.
GreyNoise.Stats.countnumberCount of total aggregated records.
GreyNoise.Stats.stats.classifications.classificationstringClassification name.
GreyNoise.Stats.stats.classifications.countnumberClassification count.
GreyNoise.Stats.stats.spoofable.spoofablebooleanWhether records are spoofable or not.
GreyNoise.Stats.stats.spoofable.countnumberSpoofable count.
GreyNoise.Stats.stats.organizations.organizationstringOrganization name.
GreyNoise.Stats.stats.organizations.countnumberOrganization count.
GreyNoise.Stats.stats.actors.actorstringActor name.
GreyNoise.Stats.stats.actors.countnumberActor count.
GreyNoise.Stats.stats.countries.countrystringCountry name.
GreyNoise.Stats.stats.countries.countnumberCountry count.
GreyNoise.Stats.stats.source_countries.countrystringCountry name.
GreyNoise.Stats.stats.source_countries.countnumberCountry count.
GreyNoise.Stats.stats.destination_countries.countrystringCountry name.
GreyNoise.Stats.stats.destination_countries.countnumberCountry count.
GreyNoise.Stats.stats.tags.tagstringTag name.
GreyNoise.Stats.stats.tags.countnumberTag count.
GreyNoise.Stats.stats.operating_systems.operating_systemstringOperating system name.
GreyNoise.Stats.stats.operating_systems.countnumberOperating system count.
GreyNoise.Stats.stats.categories.categorystringCategory name.
GreyNoise.Stats.stats.categories.countnumberCategory count.
GreyNoise.Stats.stats.asns.asnstringAsn name.
GreyNoise.Stats.stats.asns.countnumberAsn count.

Command Example#

!greynoise-stats spoofable=true size=2 advanced_query="spoofable:false

Human Readable Output#

Stats#

Query: spoofable:false Count: 2846548#

Classifications#

ClassificationCount
unknown1838719
malicious998758

Spoofable#

SpoofableCount
False2846548

Organizations#

OrganizationCount
CHINA UNICOM China169 Backbone252542
CHINANET-BACKBONE244599

Actors#

ActorCount
GoogleBot2202

Source Countries#

CountryCount
China562209
Iran376353

Destination Countries#

CountryCount
China562209
Iran376353

Tags#

TagCount
SMB Scanner592090
Web Scanner578058

Operating Systems#

Operating SystemCount
Linux 2.2-3.x1202422
Windows 7/8727215

Categories#

CategoryCount
isp2263259
mobile348306

ASNs#

ASNCount
AS4837252542
AS4134244603

greynoise-riot#


Identifies IPs from known benign services and organizations that commonly cause false positives in network security and threat intelligence products. The collection of IPs in RIOT is continually curated and verified to provide accurate results. These IPs are extremely unlikely to pose a threat to your network.

Base Command#

greynoise-riot

Input#

Argument NameDescriptionRequired
ipThe IP address to be checked if it is potentially harmful or not.Required

Context Output#

PathTypeDescription
GreyNoise.Riot.ipStringThe IP given to check riot information about.
GreyNoise.Riot.riotStringThe riot of the IP. "True" or "False".
GreyNoise.Riot.categoryStringThe category of the IP if riot is "True".
GreyNoise.Riot.nameStringThe name of the IP if the riot is "True".
GreyNoise.Riot.descriptionStringThe description of the IP if riot is "True".
GreyNoise.Riot.explanationStringThe explanation of the IP if riot is "True".
GreyNoise.Riot.last_updatedDateThe last updated time of the IP if the riot is "True".
GreyNoise.Riot.referenceStringThe reference of the IP if riot is "True".
GreyNoise.Riot.trust_levelStringThe trust level of the IP if riot is "True".

GreyNoise: IP Belongs to Common Business Service#

IPCategoryNameTrust LevelDescriptionLast Updated
8.8.8.8public_dnsGoogle Public DNS1 - Reasonably IgnoreGoogle's global domain name system (DNS) resolution service.2021-04-12T05:55:35Z

!greynoise-riot ip="114.119.130.178"

Human Readable Output#

GreyNoise: IP Not Found in RIOT#

IPRIOT
114.119.130.178false

greynoise-context#


Identifies IPs that have been observed mass-scanning the internet.

Base Command#

greynoise-context

Input#

Argument NameDescriptionRequired
ipThe IP address to query in GreyNoise Context Command.Required

Context Output#

PathTypeDescription
GreyNoise.IP.addressstringThe IP address of the scanning device IP.
GreyNoise.IP.first_seendateThe date the device was first observed by GreyNoise. Format is ISO8601.
GreyNoise.IP.last_seendateThe date the device was last observed by GreyNoise. Format is ISO8601.
GreyNoise.IP.seenbooleanIP is in record with GreyNoise.
GreyNoise.IP.tagsarrayA list of the tags the device has been assigned over the past 90 days.
GreyNoise.IP.actorstringThe overt actor the device has been associated with.
GreyNoise.IP.spoofablebooleanBoolean indicates if IP is spoofable.
GreyNoise.IP.classificationstringWhether the device has been categorized as unknown, benign, or malicious.
GreyNoise.IP.cvearrayCVEs associated with IP.
GreyNoise.IP.metadata.asnstringThe autonomous system identification number.
GreyNoise.IP.metadata.citystringThe city the device is geographically located in.
GreyNoise.IP.metadata.categorystringWhether the device belongs to a business, isp, hosting, education, or mobile network.
GreyNoise.IP.metadata.countrystringThe full name of the country.
GreyNoise.IP.metadata.country_codestringThe two-character country code of the country.
GreyNoise.IP.metadata.destination_countriesarrayThe list of countries targeted by scanning.
GreyNoise.IP.metadata.destination_county_codesarrayThe list of countries (codes) targeted by scanning.
GreyNoise.IP.metadata.organizationstringThe organization that owns the network that the IP address belongs to.
GreyNoise.IP.metadata.osstringThe name of the operating system of the device.
GreyNoise.IP.metadata.rdnsstringReverse DNS lookup of the IP address.
GreyNoise.IP.metadata.regionstringThe full name of the region the device is geographically located in.
GreyNoise.IP.metadata.sensor_countnumberThe number of sensors that observed activity from this IP.
GreyNoise.IP.metadata.sensor_hitsnumberThe number of sensors events recorded from this IP.
GreyNoise.IP.metadata.source_countrystringThe full name of the IP source country.
GreyNoise.IP.metadata.source_country_codestringThe country code of the IP source country.
GreyNoise.IP.metadata.torbooleanWhether or not the device is a known Tor exit node.
GreyNoise.IP.vpnbooleanWhether the device is VPN endpoint or not.
GreyNoise.IP.vpn_servicestringThe name of the VPN service provider of the device.
GreyNoise.IP.raw_data.scan.portnumberThe port number(s) the devices has been observed scanning.
GreyNoise.IP.raw_data.scan.protocolstringThe protocol of the port the device has been observed scanning.
GreyNoise.IP.raw_data.web.pathsarrayAny HTTP paths the device has been observed crawling the Internet for.
GreyNoise.IP.raw_data.web.useragentsarrayAny HTTP user-agents the device has been observed using while crawling the Internet.
GreyNoise.IP.raw_data.ja3.fingerprintstringThe JA3 TLS/SSL fingerprint.
GreyNoise.IP.raw_data.ja3.portnumberThe corresponding TCP port for the given JA3 fingerprint.
GreyNoise.IP.raw_data.hassh.fingerprintstringHASSH hash fingerprint string.
GreyNoise.IP.raw_data.hassh.portnumberTCP port connection where the HASSH hash was identified.
GreyNoise.IP.botBooleanWhether the IP is associated with known bot activity or not. Common examples include credential stuffing, content scraping, or brute force attacks.

Benign IP#

IP: 66.249.68.82 found with Noise Reputation: Good

IPClassificationActorTagsSpoofableVPNBOTTorFirst SeenLast Seen
66.249.68.8266.249.68.82GoogleBotTLS/SSL Crawler, Web Crawlerfalsefalsefalsefalse2021-05-302021-09-16

!greynoise-context ip="114.119.130.178"

Human Readable Output#

Unidentified IP#

IP: 103.21.244.0 No Mass-Internet Scanning Noise Found

IPSeen
103.21.244.0false

greynoise-similarity#


Identify IPs with a similar internet scanning profile.

Base Command#

greynoise-similarity

Input#

Argument NameDescriptionRequired
ipThe IP address to find similar IPs forRequired
minimum_scoreThe similar score to return results above. Valid from 85 to 100. Default is 90.Optional
maximum_resultsThe maximum number of similar results to return. Default is 50.Optional

Context Output#

PathTypeDescription
GreyNoise.Similar.ipstringThe IP address of the scanning device IP.
GreyNoise.Similar.first_seendateThe date the device was first observed by GreyNoise. Format is ISO8601.
GreyNoise.Similar.last_seendateThe date the device was last observed by GreyNoise. Format is ISO8601.
GreyNoise.Similar.actorstringThe overt actor the device has been associated with.
GreyNoise.Similar.classificationstringWhether the device has been categorized as unknown, benign, or malicious.
GreyNoise.Similar.asnstringThe autonomous system identification number.
GreyNoise.Similar.citystringThe city the device is geographically located in.
GreyNoise.Similar.countrystringThe full name of the country.
GreyNoise.Similar.country_codestringThe two-character country code of the country.
GreyNoise.Similar.organizationstringThe organization that owns the network that the IP address belongs to.
GreyNoise.Similar.similar_ipsarrayDetails of similar IPs

Command Example#

!greynoise-similarity ip="1.2.3.4" minimum_score="90" maximum_results="50"

Human Readable Output#

IP: 59.88.225.2 - Similar Internet Scanners found in GreyNoise Total Similar IPs with Score above 90%: 100 Displaying 50 results below. To see all results, visit the GreyNoise Visualizer. GreyNoise Similar IPs

IPScoreClassificationActorOrganizationLast SeenSimilarity Features
1.2.3.4100maliciousunknownGoogleBot2023-04-05ports,spoofable_bool

!greynoise-similarity ip="114.119.130.178"

Human Readable Output#

GreyNoise Similarity Lookup returned No Results.

greynoise-similarity#


Identify IPs with a similar internet scanning profile.

Base Command#

greynoise-similarity

Input#

Argument NameDescriptionRequired
ipThe IP address to find similar IPs forRequired
daysThe number of days from today to get activity. Valid from 1 to 90. Default is 30.Optional
maximum_resultsThe maximum number of similar results to return. Default is 50.Optional

Context Output#

PathTypeDescription
GreyNoise.Timeline.ipstringThe IP address of the scanning device IP.
GreyNoise.Timeline.metadata.start_timedateThe start time of the activity period
GreyNoise.Timeline.metadata.end_timedateThe end time of the activity period
GreyNoise.Timeline.metadata.limitstringLimit of activity events returned
GreyNoise.Timeline.metadata.next_cursorstringCursor value to pull next page of results
GreyNoise.Timeline.activityarrayDaily activity summaries

Command Example#

!greynoise-timeline ip="1.1.2.2" days="30" maximum_results="30"

Human Readable Output#

IP: 45.164.214.212 - GreyNoise IP Timeline Internet Scanner Timeline Details - Daily Activity Summary

DateClassificationTagsrDNSOrganizationASNPortsWeb PathsUser Agents
1.2.3.4maliciousBruteForcerme.acme.lclAcme, IncAS12345ports,spoofable_bool/root/homeMozillaFirefox

!greynoise-timeline ip="1.1.2.2" days="30" maximum_results="30"

Human Readable Output#

GreyNoise IP Timeline Returned No Results.

cve#


Queries GreyNoise for CVE Vuln Intelligence.

Base Command#

cve

Input#

Argument NameDescriptionRequired
cveA comma-separated list of CVE IDs.Required

Context Output#

PathTypeDescription
CVE.IDstringCVE ID.
GreyNoise.CVE.details.vulnerability_nameStringThe vulnerability name.
GreyNoise.CVE.details.vulnerability_descriptionStringA description of the vulnerability.
GreyNoise.CVE.details.cve_cvss_scoreNumberThe CVSS score.
GreyNoise.CVE.details.productStringThe vulnerable product.
GreyNoise.CVE.details.vendorStringThe vendor that produces the vulnerable product.
GreyNoise.CVE.details.published_to_nist_nvdBooleanIs this CVE published to NIST NVD?
GreyNoise.CVE.timeline.cve_published_dateDateWhen was the CVE published.
GreyNoise.CVE.timeline.cve_last_updated_dateDateWhen was the CVE information last updated.
GreyNoise.CVE.timeline.first_known_published_dateDateWhen first exploit associated with CVE was published.
GreyNoise.CVE.timeline.cisa_kev_date_addedDateWhen the CVE was added to KEV.
GreyNoise.CVE.exploitation_details.attack_vectorStringThe attack vector category.
GreyNoise.CVE.exploitation_details.exploit_foundBooleanWhether any known exploits are available.
GreyNoise.CVE.exploitation_details.exploitation_registered_in_kevBooleanWhether exploitation has been registered in KEV database.
GreyNoise.CVE.exploitation_details.epss_scoreNumberEPSS score associated with this exploitation (Exploit Prediction Scoring System).
GreyNoise.CVE.exploitation_stats.number_of_available_exploitsNumberThe total number of exploits available (public + commercial).
GreyNoise.CVE.exploitation_stats.number_of_threat_actors_exploiting_vulnerabilityNumberThe total number of known threat actors.
GreyNoise.CVE.exploitation_stats.number_of_botnets_exploiting_vulnerabilityNumberThe total number of botnets.
GreyNoise.CVE.exploitation_activity.activity_seenBooleanWhether GreyNoise has seen activity.
GreyNoise.CVE.exploitation_activity.benign_ip_count_1dNumberThe total number of benign IP addresses GreyNoise has seen exercising (Scanning or Exploiting) this vulnerability in the last day.
GreyNoise.CVE.exploitation_activity.benign_ip_count_10dNumberThe total number of benign IP addresses GreyNoise has seen exercising (Scanning or Exploiting) this vulnerability in the last 10 days.
GreyNoise.CVE.exploitation_activity.benign_ip_count_30dNumberThe total number of benign IP addresses GreyNoise has seen exercising (Scanning or Exploiting) this vulnerability in the last 30 days.
GreyNoise.CVE.exploitation_activity.threat_ip_count_1dNumberThe total number of threat IP addresses GreyNoise has seen exercising (Scanning or Exploiting) this vulnerability in the last day.
GreyNoise.CVE.exploitation_activity.threat_ip_count_10dNumberThe total number of threat IP addresses GreyNoise has seen exercising (Scanning or Exploiting) this vulnerability in the last 10 days.
GreyNoise.CVE.exploitation_activity.threat_ip_count_30dNumberThe total number of threat IP addresses GreyNoise has seen exercising (Scanning or Exploiting) this vulnerability in the last 30 days.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.

Command Example#

!cve cve="CVE-1950-12345"

Human Readable Output#

CVE: CVE-2021-26086 is found GreyNoise CVE Lookup

keyvalue
CVE IDCVE-2021-26086
CVSS5.3
VendorAtlassian
ProductJira Server and Data Center
Published to NVDtrue