
GreyNoise

GreyNoise is a cybersecurity platform that collects and analyzes Internet-wide scan and attack traffic. With this integration, users can contextualize existing alerts, filter false positives, identify compromised devices, and track emerging threats. This integration was integrated and tested with version 0.7.0 of GreyNoise. Supported Cortex XSOAR versions: 5.0.0 and later.

Configure GreyNoise on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for GreyNoise.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | apikey | API Key | True |
    | insecure | Trust any certificate (not secure) | False |
    | proxy | Use system proxy settings | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip

Runs reputation on IPs.

Base Command

ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | List of IPs. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| IP.Address | string | IP address. |
| IP.ASN | string | The autonomous system name for the IP address. |
| IP.Hostname | string | The hostname that is mapped to the IP address. |
| IP.Geo.Country | string | The country in which the IP address is located. |
| IP.Geo.Description | string | Additional information about the location, such as city and region. |
| IP.Malicious.Vendor | string | The vendor reporting the IP address as malicious. |
| IP.Malicious.Description | string | A description explaining why the IP address was reported as malicious. |
| GreyNoise.IP.address | string | The IP address of the scanning device. |
| GreyNoise.IP.first_seen | date | The date the device was first observed by GreyNoise. Format is ISO8601. |
| GreyNoise.IP.last_seen | date | The date the device was last observed by GreyNoise. Format is ISO8601. |
| GreyNoise.IP.seen | boolean | Whether the IP is on record with GreyNoise. |
| GreyNoise.IP.tags | array | A list of the tags the device has been assigned over the past 90 days. |
| GreyNoise.IP.actor | string | The overt actor the device has been associated with. |
| GreyNoise.IP.spoofable | boolean | Whether the IP is spoofable. |
| GreyNoise.IP.classification | string | Whether the device has been categorized as unknown, benign, or malicious. |
| GreyNoise.IP.cve | array | CVEs associated with the IP. |
| GreyNoise.IP.vpn | boolean | Whether the device is a VPN endpoint. |
| GreyNoise.IP.vpn_service | string | The name of the VPN service provider of the device. |
| GreyNoise.IP.metadata.asn | string | The autonomous system identification number. |
| GreyNoise.IP.metadata.city | string | The city the device is geographically located in. |
| GreyNoise.IP.metadata.region | string | The full name of the region the device is geographically located in. |
| GreyNoise.IP.metadata.country | string | The full name of the country. |
| GreyNoise.IP.metadata.country_code | string | The two-character country code of the country. |
| GreyNoise.IP.metadata.organization | string | The organization that owns the network that the IP address belongs to. |
| GreyNoise.IP.metadata.category | string | Whether the device belongs to a business, isp, hosting, education, or mobile network. |
| GreyNoise.IP.metadata.tor | boolean | Whether the device is a known Tor exit node. |
| GreyNoise.IP.metadata.rdns | string | Reverse DNS lookup of the IP address. |
| GreyNoise.IP.metadata.os | string | The name of the operating system of the device. |
| GreyNoise.IP.raw_data.scan.port | number | The port number(s) the device has been observed scanning. |
| GreyNoise.IP.raw_data.scan.protocol | string | The protocol of the port the device has been observed scanning. |
| GreyNoise.IP.raw_data.web.paths | array | Any HTTP paths the device has been observed crawling the Internet for. |
| GreyNoise.IP.raw_data.web.useragents | array | Any HTTP user-agents the device has been observed using while crawling the Internet. |
| GreyNoise.IP.raw_data.ja3.fingerprint | string | The JA3 TLS/SSL fingerprint. |
| GreyNoise.IP.raw_data.ja3.port | number | The corresponding TCP port for the given JA3 fingerprint. |
| GreyNoise.IP.raw_data.hassh.fingerprint | string | HASSH hash fingerprint string. |
| GreyNoise.IP.raw_data.hassh.port | number | TCP port connection where the HASSH hash was identified. |

Command Example

```
!ip "71.6.135.131"
```

Human Readable Output

IP: 71.6.135.131 found with Reputation: Good

IP Context

| IP | Classification | Actor | CVE | Spoofable | VPN | First Seen | Last Seen |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 71.6.135.131 | benign | Shodan.io | CVE-1999-0526, CVE-2013-6117, CVE-2019-0708 | false | false | 2017-09-20 | 2021-02-03 |
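The following is an added example (not the integration's own source) of how a GreyNoise IP record is turned into the DBotScore and IP standard context listed above, and how the "Reputation: Good" headline is derived. The DBotScore values 0 to 3 and their labels are the Cortex XSOAR convention; the page confirms only that a benign classification renders as Good, so mapping unknown to Suspicious and malicious to Bad is an assumption, as is the headline used when GreyNoise has never seen the IP. The sample record is constructed, with placeholder ASN and hostname values, and is keyed like the GreyNoise.IP context paths.

```python
# DBotScore values as defined by Cortex XSOAR.
DBOT_NONE, DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD = 0, 1, 2, 3
DBOT_LABEL = {DBOT_NONE: "Unknown", DBOT_GOOD: "Good",
              DBOT_SUSPICIOUS: "Suspicious", DBOT_BAD: "Bad"}
VENDOR = "GreyNoise"

# Assumed mapping; only benign -> Good is shown on the page.
CLASSIFICATION_SCORE = {"benign": DBOT_GOOD,
                        "unknown": DBOT_SUSPICIOUS,
                        "malicious": DBOT_BAD}

# Constructed sample shaped like the page's 71.6.135.131 output
# (ASN, hostname and location are placeholders, not real lookups).
SAMPLE_RECORD = {
    "address": "71.6.135.131", "seen": True, "classification": "benign",
    "actor": "Shodan.io", "spoofable": False, "vpn": False,
    "cve": ["CVE-1999-0526", "CVE-2013-6117", "CVE-2019-0708"],
    "first_seen": "2017-09-20", "last_seen": "2021-02-03",
    "metadata": {"asn": "AS64496", "rdns": "scanner.example.net",
                 "country": "United States", "city": "Example City",
                 "region": "Example Region", "tor": False},
}


def classification_to_score(record):
    """An IP GreyNoise has never observed carries no verdict (score 0)."""
    if not record.get("seen"):
        return DBOT_NONE
    return CLASSIFICATION_SCORE.get(record.get("classification", ""), DBOT_NONE)


def build_context(record):
    """Return the DBotScore, IP and GreyNoise.IP context for one record."""
    score = classification_to_score(record)
    meta = record.get("metadata") or {}
    location = ", ".join(p for p in (meta.get("city"), meta.get("region")) if p)
    ip_ctx = {
        "Address": record["address"],
        "ASN": meta.get("asn"),
        "Hostname": meta.get("rdns"),
        "Geo": {"Country": meta.get("country"), "Description": location or None},
    }
    if score == DBOT_BAD:
        # IP.Malicious is populated only when the vendor verdict is Bad.
        ip_ctx["Malicious"] = {
            "Vendor": VENDOR,
            "Description": "Classified as malicious by GreyNoise; actor: "
                           + (record.get("actor") or "unknown"),
        }
    dbot = {"Indicator": record["address"], "Type": "ip",
            "Vendor": VENDOR, "Score": score}
    return {"DBotScore": dbot, "IP": ip_ctx, "GreyNoise.IP": record}


def reputation_headline(record):
    """War Room headline, e.g. 'IP: 71.6.135.131 found with Reputation: Good'."""
    if not record.get("seen"):
        return f"IP: {record['address']} not found in GreyNoise"  # assumed wording
    score = classification_to_score(record)
    return f"IP: {record['address']} found with Reputation: {DBOT_LABEL[score]}"


if __name__ == "__main__":
    import json
    print(reputation_headline(SAMPLE_RECORD))
    print(json.dumps(build_context(SAMPLE_RECORD), indent=2))
```

Note that `IP.Malicious` is only written for a Bad verdict: a benign or unknown classification must not populate it, otherwise downstream playbooks keyed on that path would treat every enriched IP as hostile.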

greynoise-ip-quick-check

Check whether a given IP address is "Internet background noise", or has been observed scanning or attacking devices across the Internet. Note: It checks against the last 60 days of Internet scanner data.

Base Command

greynoise-ip-quick-check

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | List of IP addresses to run the quick check on. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| GreyNoise.IP.address | string | The IP address of the scanning device. |
| GreyNoise.IP.noise | boolean | Whether the IP is Internet background noise or attacking. |
| GreyNoise.IP.code | string | Code which correlates to why GreyNoise labeled the IP as noise. |
| GreyNoise.IP.code_value | string | Message which correlates to why GreyNoise labeled the IP as noise. |

Command Example

```
!greynoise-ip-quick-check ip="45.83.65.120,45.83.66.18"
```

Human Readable Output

IP Quick Check Details

| IP | Noise | Code | Code Description |
| --- | --- | --- | --- |
| 45.83.66.18 | true | 0x01 | IP has been observed by the GreyNoise sensor network |
| 45.83.65.120 | true | 0x01 | IP has been observed by the GreyNoise sensor network |

greynoise-query

Get information about IPs matching the provided filters.

Base Command

greynoise-query

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| classification | Classification of the device, such as unknown, benign, or malicious. Possible values are: unknown, benign, malicious. | Optional |
| spoofable | Whether the IP is spoofable or not. Possible values are: true, false. | Optional |
| actor | The benign actor the device has been associated with. | Optional |
| size | Maximum number of results to fetch. Default is 10. | Optional |
| advanced_query | GNQL query to filter records.<br>Note: It is merged with the other arguments and takes precedence over any argument that names the same field.<br>Example:<br>malicious,<br>spoofable:false SSH Scanner,<br>spoofable:false classification:benign tags:POP3 Scanner cve:CVE-2010-0103. | Optional |
| next_token | Scroll token to paginate through results. | Optional |
| last_seen | The date the device was most recently observed by GreyNoise. Example: 1d, 2d, 12h, or 1m. | Optional |
| organization | The organization that owns the network that the IP address belongs to. | Optional |

Advanced Query

GNQL (GreyNoise Query Language) is a domain-specific query language that uses Lucene deep under the hood.
For more information on the syntax used to write GNQL for the advanced_query argument, click here.
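The note on `advanced_query` says it is merged with the simple arguments and wins where both constrain the same field. The following is an added example of that merge rule, not the integration's own code: simple arguments are appended as `field:value` GNQL terms, fields already named in `advanced_query` are skipped, and free-text terms such as `SSH Scanner` in the page's examples are left untouched. The mapping of the `organization` argument to the GNQL field `metadata.organization` is an assumption.

```python
import re

# GNQL field that each simple command argument maps to.  Mapping the
# ``organization`` argument to ``metadata.organization`` is an assumption.
ARG_TO_FIELD = {
    "classification": "classification",
    "spoofable": "spoofable",
    "actor": "actor",
    "last_seen": "last_seen",
    "organization": "metadata.organization",
}

# A field term is ``name:`` at the start of the query or after whitespace;
# bare words such as ``SSH Scanner`` are free-text terms and are left alone.
FIELD_TERM = re.compile(r"(?:^|\s)([A-Za-z_][\w.]*):")


def fields_in_query(query):
    """Return the set of fields a GNQL string already constrains."""
    return set(FIELD_TERM.findall(query))


def quote_value(value):
    """Quote values containing whitespace so they stay one GNQL term."""
    return f'"{value}"' if re.search(r"\s", value) else value


def build_gnql(advanced_query=None, **args):
    """Merge the simple arguments into one GNQL string.

    advanced_query keeps precedence: any field it already names is not
    repeated from the simple arguments, so spoofable=true combined with
    advanced_query="spoofable:false" yields just "spoofable:false", which
    matches the page's own command example."""
    query = (advanced_query or "").strip()
    present = fields_in_query(query)
    terms = [query] if query else []
    for arg, field in ARG_TO_FIELD.items():
        value = args.get(arg)
        if value is None or str(value).strip() == "" or field in present:
            continue
        terms.append(f"{field}:{quote_value(str(value).strip())}")
    return " ".join(terms)


if __name__ == "__main__":
    print(build_gnql(spoofable="true", advanced_query="spoofable:false"))
    print(build_gnql(advanced_query="spoofable:false SSH Scanner",
                     classification="benign"))
    print(build_gnql(organization="China Unicom", last_seen="1d"))
```

Silently dropping an argument that `advanced_query` overrides is exactly what the page describes, but it is worth surfacing in a playbook: the `GreyNoise.Query.query` context path returns the query actually sent, so compare it against what the analyst intended.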

Context Output

| Path | Type | Description |
| --- | --- | --- |
| GreyNoise.IP.address | string | The IP address of the scanning device. |
| GreyNoise.IP.first_seen | date | The date the device was first observed by GreyNoise. Format is ISO8601. |
| GreyNoise.IP.last_seen | date | The date the device was last observed by GreyNoise. Format is ISO8601. |
| GreyNoise.IP.seen | boolean | Whether the IP is on record with GreyNoise. |
| GreyNoise.IP.tags | array | A list of the tags the device has been assigned over the past 90 days. |
| GreyNoise.IP.actor | string | The overt actor the device has been associated with. |
| GreyNoise.IP.spoofable | boolean | Whether the IP is spoofable. |
| GreyNoise.IP.classification | string | Whether the device has been categorized as unknown, benign, or malicious. |
| GreyNoise.IP.cve | array | CVEs associated with the IP. |
| GreyNoise.IP.vpn | boolean | Whether the device is a VPN endpoint. |
| GreyNoise.IP.vpn_service | string | The name of the VPN service provider of the device. |
| GreyNoise.IP.metadata.asn | string | The autonomous system identification number. |
| GreyNoise.IP.metadata.city | string | The city the device is geographically located in. |
| GreyNoise.IP.metadata.region | string | The full name of the region the device is geographically located in. |
| GreyNoise.IP.metadata.country | string | The full name of the country. |
| GreyNoise.IP.metadata.country_code | string | The two-character country code of the country. |
| GreyNoise.IP.metadata.organization | string | The organization that owns the network that the IP address belongs to. |
| GreyNoise.IP.metadata.category | string | Whether the device belongs to a business, isp, hosting, education, or mobile network. |
| GreyNoise.IP.metadata.tor | boolean | Whether the device is a known Tor exit node. |
| GreyNoise.IP.metadata.rdns | string | Reverse DNS lookup of the IP address. |
| GreyNoise.IP.metadata.os | string | The name of the operating system of the device. |
| GreyNoise.IP.raw_data.scan.port | number | The port number(s) the device has been observed scanning. |
| GreyNoise.IP.raw_data.scan.protocol | string | The protocol of the port the device has been observed scanning. |
| GreyNoise.IP.raw_data.web.paths | array | Any HTTP paths the device has been observed crawling the Internet for. |
| GreyNoise.IP.raw_data.web.useragents | array | Any HTTP user-agents the device has been observed using while crawling the Internet. |
| GreyNoise.IP.raw_data.ja3.fingerprint | string | The JA3 TLS/SSL fingerprint. |
| GreyNoise.IP.raw_data.ja3.port | number | The corresponding TCP port for the given JA3 fingerprint. |
| GreyNoise.IP.raw_data.hassh.fingerprint | string | HASSH hash fingerprint string. |
| GreyNoise.IP.raw_data.hassh.port | number | TCP port connection where the HASSH hash was identified. |
| GreyNoise.Query.complete | boolean | Whether all results have been fetched or not. |
| GreyNoise.Query.count | number | Count of the total matching records. |
| GreyNoise.Query.message | string | Message from the API response. |
| GreyNoise.Query.query | string | Query which was used to filter the records. |
| GreyNoise.Query.scroll | string | Scroll token to paginate through results. |
| GreyNoise.IP.bot | boolean | Whether the IP is associated with known bot activity or not. Common examples include credential stuffing, content scraping, or brute force attacks. |

Command Example

```
!greynoise-query spoofable=true size=1 advanced_query="spoofable:false"
```

Human Readable Output

Total findings: 2846548

IP Context

| IP | Classification | Actor | CVE | Spoofable | VPN | First Seen | Last Seen |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 71.6.135.131 | benign | Shodan.io | CVE-1999-0526, CVE-2013-6117, CVE-2019-0708 | false | false | 2017-09-20 | 2021-02-03 |

Next Page Token:

DnF1ZXJ5VGhlbkZldGNoBQAAAAAcV1_HFkFKSExEdUc4VEtta2

To view the detailed query result please click here.

greynoise-stats

Get aggregate statistics for the top organizations, actors, tags, ASNs, countries, classifications, and operating systems across all the results of a given GNQL query.

Base Command

greynoise-stats

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| classification | Classification of the device, such as unknown, benign, or malicious. Possible values are: unknown, benign, malicious. | Optional |
| spoofable | Whether the IP is spoofable or not. Possible values are: true, false. | Optional |
| actor | The benign actor the device has been associated with. | Optional |
| size | Maximum number of results to fetch. Default is 10. | Optional |
| advanced_query | GNQL query to filter records.<br>Note: It is merged with the other arguments and takes precedence over any argument that names the same field.<br>Example:<br>malicious,<br>spoofable:false SSH Scanner,<br>spoofable:false classification:benign tags:POP3 Scanner cve:CVE-2010-0103. | Optional |
| last_seen | The date the device was most recently observed by GreyNoise. Example: 1d, 2d, 12h, or 1m. | Optional |
| organization | The organization that owns the network that the IP address belongs to. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| GreyNoise.Stats.query | string | The query which was used to filter the records. |
| GreyNoise.Stats.count | number | Count of total aggregated records. |
| GreyNoise.Stats.stats.classifications.classification | string | Classification name. |
| GreyNoise.Stats.stats.classifications.count | number | Classification count. |
| GreyNoise.Stats.stats.spoofable.spoofable | boolean | Whether records are spoofable or not. |
| GreyNoise.Stats.stats.spoofable.count | number | Spoofable count. |
| GreyNoise.Stats.stats.organizations.organization | string | Organization name. |
| GreyNoise.Stats.stats.organizations.count | number | Organization count. |
| GreyNoise.Stats.stats.actors.actor | string | Actor name. |
| GreyNoise.Stats.stats.actors.count | number | Actor count. |
| GreyNoise.Stats.stats.countries.country | string | Country name. |
| GreyNoise.Stats.stats.countries.count | number | Country count. |
| GreyNoise.Stats.stats.tags.tag | string | Tag name. |
| GreyNoise.Stats.stats.tags.count | number | Tag count. |
| GreyNoise.Stats.stats.operating_systems.operating_system | string | Operating system name. |
| GreyNoise.Stats.stats.operating_systems.count | number | Operating system count. |
| GreyNoise.Stats.stats.categories.category | string | Category name. |
| GreyNoise.Stats.stats.categories.count | number | Category count. |
| GreyNoise.Stats.stats.asns.asn | string | ASN name. |
| GreyNoise.Stats.stats.asns.count | number | ASN count. |

Command Example

```
!greynoise-stats spoofable=true size=2 advanced_query="spoofable:false"
```

Human Readable Output

Stats

Query: spoofable:false Count: 2846548

Classifications

| Classification | Count |
| --- | --- |
| unknown | 1838719 |
| malicious | 998758 |

Spoofable

| Spoofable | Count |
| --- | --- |
| False | 2846548 |

Organizations

| Organization | Count |
| --- | --- |
| CHINA UNICOM China169 Backbone | 252542 |
| CHINANET-BACKBONE | 244599 |

Actors

| Actor | Count |
| --- | --- |
| GoogleBot | 2202 |

Countries

| Country | Count |
| --- | --- |
| China | 562209 |
| Iran | 376353 |

Tags

| Tag | Count |
| --- | --- |
| SMB Scanner | 592090 |
| Web Scanner | 578058 |

Operating Systems

| Operating System | Count |
| --- | --- |
| Linux 2.2-3.x | 1202422 |
| Windows 7/8 | 727215 |

Categories

| Category | Count |
| --- | --- |
| isp | 2263259 |
| mobile | 348306 |

ASNs

| ASN | Count |
| --- | --- |
| AS4837 | 252542 |
| AS4134 | 244603 |

greynoise-riot

Identify IPs from known benign services and organizations that commonly cause false positives in network security and threat intelligence products. The collection of IPs in RIOT is continually curated and verified to provide accurate results. These IPs are extremely unlikely to pose a threat to your network.

Base Command

greynoise-riot

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | The IP address to check for whether it is potentially harmful or not. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| GreyNoise.Riot.ip | string | The IP given to check RIOT information about. |
| GreyNoise.Riot.riot | string | The RIOT status of the IP. "True" or "False" |
| GreyNoise.Riot.category | string | The category of the IP if riot is "True". |
| GreyNoise.Riot.name | string | The name of the IP if riot is "True". |
| GreyNoise.Riot.description | string | The description of the IP if riot is "True". |
| GreyNoise.Riot.explanation | date | The explanation of the IP if riot is "True". |
| GreyNoise.Riot.last_updated | string | The last updated time of the IP if riot is "True". |
| GreyNoise.Riot.reference | string | The reference of the IP if riot is "True". |

Command Example

```
!greynoise-riot ip="8.8.8.8"
```

Human Readable Output

Benign IP

| IP | RIOT | Category | Name | Description | Last Updated |
| --- | --- | --- | --- | --- | --- |
| 8.8.8.8 | true | public_dns | Google Public DNS | Google's global domain name system (DNS) resolution service. | 2021-04-12T05:55:35Z |

```
!greynoise-riot ip="114.119.130.178"
```

Human Readable Output

Potentially Harmful IP

| IP | RIOT |
| --- | --- |
| 114.119.130.178 | false |
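The quick-check and RIOT commands above are the two lookups the page positions for filtering false positives: RIOT names curated benign services, and the quick check says whether an IP has been seen as Internet background noise in the last 60 days. The following is an added example, not the integration's own code, of a triage step that combines both results for a batch of alert source IPs. The sample results are constructed to match the GreyNoise.IP and GreyNoise.Riot context shapes documented above (the RIOT `riot` field is a "True"/"False" string while the quick-check `noise` field is a boolean); code 0x01 and its message come from the page, code 0x00 and its message are assumed from the same scheme.

```python
# Constructed quick-check results, shaped like the GreyNoise.IP context.
# 0x01 is the code shown on the page; 0x00 is assumed.
QUICK_CHECK = [
    {"address": "45.83.66.18", "noise": True, "code": "0x01",
     "code_value": "IP has been observed by the GreyNoise sensor network"},
    {"address": "8.8.8.8", "noise": False, "code": "0x00",
     "code_value": "IP has never been observed scanning the Internet"},
    {"address": "203.0.113.7", "noise": False, "code": "0x00",
     "code_value": "IP has never been observed scanning the Internet"},
]

# Constructed RIOT results, shaped like the GreyNoise.Riot context.
RIOT = [
    {"ip": "8.8.8.8", "riot": "True", "category": "public_dns",
     "name": "Google Public DNS"},
    {"ip": "45.83.66.18", "riot": "False"},
    {"ip": "203.0.113.7", "riot": "False"},
]

DISPOSITIONS = ("known_benign_service", "internet_noise", "not_observed")


def is_true(value):
    """RIOT returns "True"/"False" strings; the quick check returns booleans."""
    return str(value).strip().lower() == "true"


def triage(alert_ips, quick_check, riot):
    """Return {ip: (disposition, reason)} for each alert source IP.

    RIOT is consulted first: a curated benign service outranks a noise
    observation.  An IP in neither data set cannot be explained away as
    background noise, so it is the one an analyst should look at first."""
    noise_by_ip = {r["address"]: r for r in quick_check}
    riot_by_ip = {r["ip"]: r for r in riot}
    result = {}
    for ip in alert_ips:
        r = riot_by_ip.get(ip, {})
        q = noise_by_ip.get(ip, {})
        if is_true(r.get("riot")):
            result[ip] = ("known_benign_service",
                          r.get("name") or r.get("category") or "RIOT")
        elif is_true(q.get("noise")):
            result[ip] = ("internet_noise", q.get("code_value") or q.get("code"))
        else:
            result[ip] = ("not_observed",
                          "not in RIOT and not seen as noise in the last 60 days")
    return result


def partition(triaged):
    """Group IPs by disposition so a playbook can suppress, deprioritise or
    escalate each group as a whole."""
    groups = {d: [] for d in DISPOSITIONS}
    for ip, (disposition, _reason) in triaged.items():
        groups[disposition].append(ip)
    return groups


if __name__ == "__main__":
    alerts = ["8.8.8.8", "45.83.66.18", "203.0.113.7", "192.0.2.1"]
    for ip, (disposition, reason) in triage(alerts, QUICK_CHECK, RIOT).items():
        print(f"{ip:16} {disposition:22} {reason}")
```

An IP missing from both result sets, such as 192.0.2.1 above, deliberately lands in `not_observed` rather than being dropped: absence from GreyNoise is itself a signal that the traffic was not opportunistic scanning, and the quick check's 60-day window means a host that has gone quiet will also fall here.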