
GreyNoise

GreyNoise is a cybersecurity company that filters Internet background noise. It collects, analyzes, and labels mass internet scan and attack activity into a feed of Anti-Threat Intelligence. This context helps security teams reduce noise and prioritize the signal: targeted attacks against their organization. Its drive to maximize analyst efficiency is delivered through its API, platform integrations, and visualizer. The company was founded in 2017 and is based in Washington, District of Columbia.

Integrations

GreyNoise

With the GreyNoise playbook app, you can look up an IP address to check whether it has been involved in any mass automated activity. GreyNoise is an enrichment service that collects, analyzes, and labels data relating to noisy IP addresses across the internet. As part of the enrichment process, you can query GreyNoise and find that an offending IP address in your SIEM alert is not in the GreyNoise dataset; this means it's more likely to be targeted activity, and you can raise the priority of that alert. In other words, this integration can tell you which IPs not to worry about and which IPs are worth looking into more deeply. This integration consists of a single Playbook app that allows these actions:

  • IP Lookup - Submit a single IP address to GreyNoise to validate whether or not it's part of mass automated activity.
  • GNQL Query - Perform a custom query using the GreyNoise Query Language to retrieve IP addresses that match specified criteria.
  • RIOT IP Lookup - Identify whether an IP is from known benign services and organizations that commonly cause false positives in network security and threat intelligence products.
  • Advanced Request

This app can be found in the ThreatConnect App Catalog under the name: GreyNoise


Built By ThreatConnect

GreyNoise Community

The GreyNoise Community app provides a free resource that allows for quick IP lookups within the GreyNoise datasets. This integration consists of a single Playbook app that allows these actions:

  • IP Lookup - Query an IP via the Community API and see basic information on what GreyNoise knows about that IP.

This app can be found in the ThreatConnect App Catalog under the name: GreyNoise Community


Built By ThreatConnect

GreyNoise with Polarity

The Polarity - GreyNoise integration searches GreyNoise data for IPs and CVEs related to internet scan and attack activity. It informs the user whether an IP is related to malicious activity or is classified as part of the RIOT project, and shows what type of activity the IP is related to through GreyNoise tags. With the Polarity - GreyNoise integration, users get a quick picture of what an IP might be doing and how it relates to their organization.

Examples

GreyNoise Data Overview

  • RIOT Summary Tags: RIOT is a GreyNoise feature that informs users of IPs related to common business services. The summary tags quickly identify an IP as RIOT, with the associated company information, telling the user that the IP is benign and not worth investigating.
  • GreyNoise Summary: The summary is a quick synopsis of what is happening with the IP address. It is part of every details view and breaks down the IP if it is a malicious IP (see second screenshot) or a RIOT IP.
  • Context Information: A quick view of additional information about the indicator. The context varies depending on the classification of the IP address. In this instance, for RIOT IPs, you get context about when it was seen, the actor, whether it was scanned, and its classification.
  • Description and Trust Level: Additional information about why GreyNoise trusts the IP address and which company owns the IP.
  • Non-RIOT Summary Tags: Quickly see how GreyNoise classifies an IP that is not already categorized as RIOT. If malicious behavior is occurring, quickly see what the IP is doing; for example, the IP in the screenshot is related to a Tor Exit Node. Finally, get a quick understanding of the different tags that GreyNoise has associated with the IP.
  • Tor Exit Node: Description of why the IP was classified as a Tor Exit Node.
  • Tags: GreyNoise tags that have been associated with the indicator.
  • Metadata: Additional information associated with the indicator.

Built By Polarity
