Integration Overview: Anomali ThreatStream

Install From MarketPlace

From the ThreatStream Interface, go to Settings -> Integrations. Search for GreyNoise and select the Install option.

GreyNosie Enrichment Integration within ThreatStreamGreyNosie Enrichment Integration within ThreatStream

GreyNosie Enrichment Integration within ThreatStream

Configure an Instance of the GreyNoise Integration

Once Installed, Click the Setup Up Button, then click "I have already registered".

GreyNoise Setup Dialog in ThreatStreamGreyNoise Setup Dialog in ThreatStream

GreyNoise Setup Dialog in ThreatStream

Enter a GreyNoise API Key and enter an API Type (enter either "enterprise" or "community", then press the Activate button

Setup Dialog for entering GreyNoise API KeySetup Dialog for entering GreyNoise API Key

Setup Dialog for entering GreyNoise API Key

If the activation is successful, ThreatStream will display a Green success notification. If there are any issues, please contact [email protected]

📘

Community API Type with Invalid Key

When configuring the integration, if an API type of "community" is entered, the API key will not be validated. Rather, if the API is not valid, the integration will revert to doing unauthenticated lookups via the Community API.

Performing an On-Demand IP Lookup

Once the GreyNoise enrichment is enabled, ThreatStream will automatically query the GreyNoise Context API and provide results for all public IPv4 observables. If the IP address is part of the GreyNoise dataset, the details will be displayed:

GreyNoise Context Details in ThreatStreamGreyNoise Context Details in ThreatStream

GreyNoise Context Details in ThreatStream

GreyNoise Context Details in ThreatStreamGreyNoise Context Details in ThreatStream

GreyNoise Context Details in ThreatStream

GreyNoise Context Details in ThreatStreamGreyNoise Context Details in ThreatStream

GreyNoise Context Details in ThreatStream

IPs that are RIOT

If an IP is found in the GreyNoise RIOT data set, ThreatStream will provide the following information:

IPs that are NOISE and RIOT

If an IP is found in the GreyNoise NOISE and RIOT datasets, ThreatStream will provide the following information:

IPs that are Not Noise

If an IP is not found in the GreyNoise data set, ThreatStream will provide an indicator that this is the case:

ThreatStream indicating IP not in GreyNoise datasetThreatStream indicating IP not in GreyNoise dataset

ThreatStream indicating IP not in GreyNoise dataset

IPs queried via the Community API

The GreyNoise Community API returns a subset of information. When an IP is found in the GreyNoise community API, it will display as:

Performing a Pivot-Based (right-click) Lookup

To query an IP in GreyNoise from the canvas, right-click on an IPv4 address, then select the "Search IP" action from the GreyNoise enrichments menu:

The enrichment will add additional tags and other information to the canvas, based on the response from GreyNoise and if the Enterprise or Community API is being used:


Did this page help you?