TIP Integration Overview: Anomali ThreatStream
Malicious IP Feed
Install from App Store
From the ThreatStream App Store, search for the GreyNoise Premium Feed and Click Get Access.
GreyNoise Premium Feed card in App Store
Click "I have Credentials" on the configuration screen, enter your GreyNoise API key, and then click activate.
GreyNoise Feed credential configuration dialog
This Feed updates once per day.
The Feed requires an active GreyNoise subscription with Feed access. A 14-Day Free trial is available for existing customers and for new customers that start a GreyNoise Trial.
Sample Observable
The following shows a sample of an observable that was created by the Feed. It includes the classification information, source country, and CVE information provided by GreyNoise as tags.
Sample of observable provided by GreyNoise Feed
Enrichment
Install From AppStore
From the ThreatStream Interface, go to the App Store. Search for GreyNoise and select the Get Access option.
GreyNoise Premium Enrichment card in App Store
Configure Credentials
Click "I have credentials" to configure the enrichment
GreyNoise Setup Dialog in ThreatStream
Enter a GreyNoise API Key and enter an API Type (enter either "enterprise" or "community", then press the Activate button
Setup Dialog for entering GreyNoise API Key
If the activation is successful, ThreatStream will display a Green success notification. If there are any issues, please contact [email protected]
Community API Type with Invalid Key
When configuring the integration, if an API type of "community" is entered, the API key will not be validated. Rather, if the API is not valid, the integration will revert to doing unauthenticated lookups via the Community API.
Performing an On-Demand IP Lookup
Once the GreyNoise enrichment is enabled, ThreatStream will automatically query the GreyNoise Context API and provide results for all public IPv4 observables. If the IP address is part of the GreyNoise dataset, the details will be displayed on the IP Details tab:
GreyNoise Context Details in ThreatStream
GreyNoise Context Details in ThreatStream
GreyNoise Context Details in ThreatStream
IPs that are RIOT
If an IP is found in the GreyNoise RIOT data set, ThreatStream will provide the following information:
GreyNoise RIOT IP in ThreatStream
IPs that are NOISE and RIOT
If an IP is found in the GreyNoise NOISE and RIOT datasets, ThreatStream will provide the following information:
GreyNoise Noise and RIOT IP in ThreatStream
IPs that are Not Noise
If an IP is not found in the GreyNoise data set, ThreatStream will provide an indicator that this is the case:
ThreatStream indicating IP not in GreyNoise dataset
IPs queried via the Community API
The GreyNoise Community API returns a subset of information. When an IP is found in the GreyNoise Community API, it will display as:
GreyNoise IP Data for users with Community access
IP Similarity Information
For those users with access to the IP Simiarlity function in GreyNoise, click on the IP Similarity Details tab to view the observables within GreyNoise that present a similar scanning profile.
Results from GreyNoise IP Similarity tool
IP Timeline Information
For those users with access to the IP Timeline function in GreyNoise, click on the IP Timeline Details tab to view a daily view of scanning activity.
Greyoise IP Timeline Details
GreyNoise IP Timeline Graph for Classification, rDNS, and ASN changes
Performing a Pivot-Based (right-click) Lookup
To query an IP in GreyNoise from the canvas, right-click on an IPv4 address, then select the "Search IP" action from the GreyNoise enrichments menu:
The enrichment will add additional tags and other information to the canvas, based on the response from GreyNoise and if the Enterprise or Community API is being used:
Updated 4 months ago