
GreyNoise Community

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

GreyNoise tells security analysts what not to worry about. We do this by curating data on IPs that saturate security tools with noise. This unique perspective helps analysts confidently ignore irrelevant or harmless activity, creating more time to uncover and investigate true threats. This integration provides IP enrichment via the GreyNoise Community API.

This integration is designed specifically for GreyNoise Community users and only provides the subset of intel available via the GreyNoise Community API.
Customers with a paid subscription to GreyNoise should use the GreyNoise integration instead.

This integration was integrated and tested with version 0.8.0 of the GreyNoise Python SDK.

Configure GreyNoise on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for GreyNoise Community.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | api_key | GreyNoise API Key | True |
    | proxy | Use system proxy settings | False |
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

greynoise-community-lookup

Queries IPs in the GreyNoise Community API.

Base Command

ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | List of IPs. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| IP.address | string | IP address. |
| IP.Malicious.Description | string | Description of the malicious IP. |
| IP.Malicious.Vendor | string | Vendor identifying the IP as malicious. |
| GreyNoise.IP.address | string | The IP address of the scanning device. |
| GreyNoise.IP.classification | string | Whether the device has been categorized as unknown, benign, or malicious. |
| GreyNoise.IP.last_seen | date | The date the device was last observed by GreyNoise. Format is ISO8601. |
| GreyNoise.IP.link | string | Link to the GreyNoise Visualizer record. |
| GreyNoise.IP.noise | boolean | Whether the IP has been seen scanning the Internet. |
| GreyNoise.IP.riot | boolean | Whether the IP is part of a known benign service. |
| GreyNoise.IP.name | string | The overt actor the device has been associated with. |
| GreyNoise.IP.message | string | Additional information from the API. |
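As an added example (not the pack's own code), the function below takes a Community API JSON response and builds the context paths listed above. The classification-to-DBotScore mapping (benign 1, unknown 0, malicious 3) and the three sample responses are assumptions constructed for this example; note that an IP GreyNoise has never observed stays Unknown rather than being marked malicious.

```python
import json
from typing import Any, Dict

# Assumed mapping from GreyNoise classification to DBotScore values
# (Cortex XSOAR: 0 = Unknown, 1 = Good, 2 = Suspicious, 3 = Bad).
CLASSIFICATION_TO_SCORE = {"benign": 1, "unknown": 0, "malicious": 3}
VENDOR = "GreyNoise Community"

# Constructed sample Community API responses (not captured from GreyNoise).
SAMPLE_RESPONSES = [
    '{"ip": "71.6.135.131", "noise": true, "riot": false, "classification": "benign", '
    '"name": "Shodan.io", "link": "https://viz.greynoise.io/ip/71.6.135.131", '
    '"last_seen": "2021-02-03", "message": "Success"}',
    '{"ip": "203.0.113.7", "noise": true, "riot": false, "classification": "malicious", '
    '"name": "unknown", "link": "https://viz.greynoise.io/ip/203.0.113.7", '
    '"last_seen": "2021-02-01", "message": "Success"}',
    # An IP GreyNoise has never observed: no scanning, not in RIOT, so it stays Unknown.
    '{"ip": "198.51.100.9", "noise": false, "riot": false, "classification": "unknown", '
    '"name": "", "link": "", "last_seen": "", '
    '"message": "IP not observed scanning the internet or contained in RIOT data set."}',
]


def build_context(raw: str) -> Dict[str, Any]:
    """Map one Community API JSON response onto the documented context paths."""
    data = json.loads(raw)
    ip = data["ip"]
    classification = data.get("classification", "unknown")
    score = CLASSIFICATION_TO_SCORE.get(classification, 0)
    context: Dict[str, Any] = {
        "DBotScore": {"Indicator": ip, "Score": score, "Type": "ip", "Vendor": VENDOR},
        "IP": {"address": ip},
        "GreyNoise.IP": {
            "address": ip,
            "classification": classification,
            "last_seen": data.get("last_seen", ""),
            "link": data.get("link", ""),
            "noise": bool(data.get("noise", False)),
            "riot": bool(data.get("riot", False)),
            "name": data.get("name", ""),
            "message": data.get("message", ""),
        },
    }
    # Only a malicious classification populates IP.Malicious; "unknown" means
    # GreyNoise has no verdict on the IP, not that the IP is bad.
    if score == 3:
        desc = f"GreyNoise classified this IP as {classification}"
        context["IP"]["Malicious"] = {"Description": desc, "Vendor": VENDOR}
    return context
```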

Command Example

!greynoise-community-lookup ip=1.2.3.4

Human Readable Output

IP: 71.6.135.131 found with Reputation: Good

GreyNoise Community IP Response

| IP | Noise | RIOT | Classification | Name | Link | Last Seen |
| --- | --- | --- | --- | --- | --- | --- |
| 71.6.135.131 | true | false | benign | Shodan.io | https://viz.greynoise.io/ip/71.6.135.131 | 2021-02-03 |