From the Automation -> Connector view, click the tab for the Connector Store. Use the magnifying glass icon to search for "greynoise" to find the connector. Click on the "GreyNoise" connector then click the "Install" button from the connector details display.
From the Connector Details, on the Configurations tab, add a new connector configuration.
- Configuration Name = Enter a name for this configuration
- Mark a Default = Select this checkbox if you want this to be your default configuration for this connector
- API Key Type = Select either "enterprise" or "community" based on your API Key type. If you have a paid subscription, use "enterprise". If you are using a free community account, select "community"
- API Key = Press the Set API Key button and enter your GreyNoise API Key
Successful Health Check
If the configuration is valid and the API has validated it, the Health Check and Configuration boxes under Select Configuration will show "completed" and "available".
The GreyNoise connector provides a variety of On-Demand Actions that can be executed from the context of an Alert or an Incident and can be added to Playbooks as needed.
Community API (Free) Users
For those users with Community (Free) API access only, the only action available will be the Lookup GreyNoise IP Community Information. All other actions will fail with an access denied error.
The Sample - GreyNoise - 2.0.0 playbook collection includes a sample playbook, GreyNoise IP Full Lookup, which can be used directly or modified to fit use case needs. This playbook takes in an IP address field defined by the context it is used in and performs a Full GreyNoise IP lookup, which queries the Noise, RIOT, and Metadata endpoints to include all data GreyNoise has on an IP.
To use this playbook, copy the template, then update the "IP Address" field in the GreyNoise Full IP Lookup action to pull the IP to be queried from the appropriate context.
Alerting for a monitored CIDR block can be set up by using two of the included playbooks and setting them to execute on a Schedule in FortiSOAR. Start by copying the Fetch Alerts from GreyNoise and Generate GreyNoise Record playbooks from the Sample - GreyNoise - 2.0.0 playbook collection.
Within the copied version of the Fetch Alerts from GreyNoise playbook, modify the Run Query for Monitored CIDR Block action and update the Query Input to include the alert query to run. Generally, this will follow the format 126.96.36.199/16 spoofable:false last_seen:1d, where the CIDR block is replaced with the block to be monitored. Additionally, the CIDR block can be replaced with exact IP addresses using the format (188.8.131.52 OR 184.108.40.206 OR 220.127.116.11) spoofable:false last_seen:1d.
Now modify the Generate GreyNoise Record playbook to update the record details in the Create GreyNoise Alert action to match your desired Alert details.
With both playbooks modified, navigate to the Automations -> Schedules view and click Create New Schedule. Provide a name for the schedule, select your copied Fetch Alerts from GreyNoise playbook, then set the Frequency to once per day at a time of your choosing.
This set of actions will then generate an Alert for any IP within the monitored configuration that is discovered scanning the internet.
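As an added example (not part of the connector or its sample playbooks), the following Python builds the query string the Run Query for Monitored CIDR Block action expects, in both the CIDR and the exact-IP form described above, and turns a query result into alert records of the kind the Generate GreyNoise Record playbook creates. The result body layout and its field names are assumptions, and the sample response and addresses are constructed.

```python
import ipaddress
import json

# Filters the page prescribes for the monitored-block query.
BASE_FILTERS = "spoofable:false last_seen:1d"

def build_monitor_query(targets):
    """Return the GNQL string for the Run Query for Monitored CIDR Block action.

    `targets` is one CIDR string or a list of exact IP addresses. Host bits in
    the CIDR are cleared; malformed input raises ValueError instead of
    producing a query that silently matches nothing.
    """
    if isinstance(targets, str):
        net = ipaddress.ip_network(targets, strict=False)
        return f"{net.with_prefixlen} {BASE_FILTERS}"
    ips = [str(ipaddress.ip_address(ip)) for ip in targets]
    if not ips:
        raise ValueError("at least one IP address is required")
    return f"({' OR '.join(ips)}) {BASE_FILTERS}"

def records_from_results(results_json, monitored):
    """Map a GNQL result body onto alert records, one per hit inside the
    monitored block. The body layout and field names are assumed, not taken
    from the connector. Spoofable hits are dropped as a second check even
    though the query already excludes them."""
    net = ipaddress.ip_network(monitored, strict=False)
    records = []
    for hit in json.loads(results_json).get("data", []):
        ip = ipaddress.ip_address(hit["ip"])
        if ip not in net or hit.get("spoofable", False):
            continue
        records.append({
            "source_ip": str(ip),
            "classification": hit.get("classification", "unknown"),
            "last_seen": hit.get("last_seen"),
            "tags": hit.get("tags", []),
        })
    return records

# Constructed sample response (RFC 5737 documentation addresses, not real hits).
SAMPLE_RESULTS = json.dumps({"complete": True, "count": 3, "data": [
    {"ip": "203.0.113.7", "classification": "malicious", "last_seen": "2024-01-02",
     "spoofable": False, "tags": ["SSH Scanner"]},
    {"ip": "203.0.113.9", "classification": "unknown", "last_seen": "2024-01-02",
     "spoofable": True, "tags": []},
    {"ip": "198.51.100.4", "classification": "malicious", "last_seen": "2024-01-02",
     "spoofable": False, "tags": []},
]})
```

Calling build_monitor_query("203.0.113.0/24") yields the same shape of query the page shows, and records_from_results(SAMPLE_RESULTS, "203.0.113.0/24") keeps only the non-spoofable hit inside that block.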