GreyNoise

TIP Integration Overview: MISP

Suggest Edits

Install Enrichment Integration

Install From GitHub

Ensure that MISP is running the lastest commit from the misp-modules Github

πŸ“˜

Current GreyNoise Module Version

The current version of the GreyNoise misp-module is v1.2. Ensure this version is enabled in your MISP instance to use the features outlined below.

Configure Plugin Settings

Navigate to the Server Settings & Maintenance menu in MISP, then select Plugin Settings. Expand the Enrichment section and search for "greynoise".

Settings:

  • Plugin.Enrichment_greynoise_enabled = set to true
  • Plugin.Enrichment_greynoise_restrict = select an Org if you wish to restrict access
  • Plugin.Enrichment_greynoise_api_key = enter a GreyNoise API Key
  • Plugin.Enrichment_greynoise_api_type = enter enterprise or community pending on API Key type
1208

Enter GreyNoise module settings to enable the module.

Performing an Enrich IP Lookup

❗️

Enrich Action requires v1.2 of the module and greynoise-ip object

In order for the GreyNoise enrich action to return data on each event, v1.2 of the module needs to be installed, and the greynoise-ip Object needs to be installed: https://github.com/MISP/misp-objects/tree/main/objects/greynoise-ip

From the Event Details page, select the Enrich Event option.

433

Event details page, Enrich Event function.

From the list of available enrichments, select the greynoise option then push the enrich button.

364

Enrichment selection dialog box.

Once the enrichment process finishes, each IP on the event will contain the greynoise-ip enrichment information. Additional details on an IP can be found by using the Hover enrichment below.

1491

GreyNoise enrichment data output.

Performing an Hover IP Lookup

From the Event Details view, select the magnifying glass icon next to an IP indicator to pull details from GreyNoise on that IP.

1070

Click the magnifying glass next to the IP indicator to query the GreyNoise module.

IP Response with Enterprise (Paid) API Enabled

1280

GreyNoise IP Details from Enterprise (Paid) API

IP Response with Community (Free) API Enabled

602

GreyNoise IP Details from Community (Free) API

πŸ“˜

Indicator must be of type "ip-src" or "ip-dst'

When adding an IP indicator as an attribute to an event, the attribute must be of type "ip-src" or "ip-dst" for the module to function.

Performing an Hover CVE Query

From the Event Details view, select the magnifying glass icon next to a CVE indicator to pull details from GreyNoise on that CVE. Scanning details for the last 7 days are displayed.

878

Click the magnifying glass next to the CVE indicator to query the GreyNoise module.

πŸ“˜

Indicator must be of type "vulnerability"

When adding a CVE indicator as an attribute to an event, the attribute must be of type "vulnerability" for the module to function.

πŸ“˜

CVE Lookup Requires Enterprise (Paid) API Access

The CVE query function of the module will only work when an Enterprise (Paid) API Key and the "enterprise" API Key Type are enabled in the module settings. Those users with Community level access will only have access to the IP lookup functionality.

Install Feed Script Integration

GreyNoise does not currently support the official method used by MISP to pull in a list of indicators as a feed. However, the below steps allow for this to be accomplished by:

  • Installing Python Script to collect indicators to a file on the MISP host
  • Setting up a CRON job to run the script daily
  • Configuring a Freetext Parsed Feed from local File

Creating and testing the Python Script

The following script requires the GreyNoise python module to be installed on the local system along with a supported version of python3.

To install the module, run:

pip3 install greynoise

Create a folder for the GreyNoise python script and output files:

mkdir /home/misp/greynoise

In the folder, create a file name greynoise-misp-feed.py and use the following content:

import datetime
import os
import logging

from greynoise import GreyNoise

GN_API_KEY = os.environ.get("GN_API_KEY")
session = GreyNoise(api_key=GN_API_KEY, integration_name="misp-feed-script-v1")


queries = ["classification:benign last_seen:1d", "classification:malicious last_seen:1d"]
error = ""

for query in queries:
    print(f"Building indicator list for query: {query}")
    if "benign" in query:
        file_name = open("gn_feed_benign.txt", "w")
    elif "malicious" in query:
        file_name = open("gn_feed_malicious.txt", "w")
    else:
        file_name = open("gn_feed_other.txt", "w")
    print(f"Outputting to file: {file_name}")
    try:
        print("Querying GreyNoise API")
        response = session.query(query=query, exclude_raw=True)
    except Exception as e:
        error = f"GreyNoise API connection failure, error {e}"
        print(error)

    if response["count"] == 0 or len(response["data"]) == 0:
        error = "GreyNoise API query returned no data"
        print(error)
    else:
        data = response["data"]
        print("Processing first page of query results")
        scroll = response["scroll"]
        for item in data:
            file_name.write(str(item["ip"]) + "\n")
        while scroll:
            print("Querying for next page of results")
            response = session.query(query=query, scroll=scroll, exclude_raw=True)
            data = response["data"]
            print("Processing next page of results")
            for item in data:
                file_name.write(str(item["ip"]) + "\n")
            scroll = response["scroll"] if "scroll" in response else False

πŸ“˜

Update Feed Selection

By default, the above script collects both the benign and malicious feeds. Ensure that an appropriate scription is inplace for your account or update the query list to only include the appropriate feed query, as noted: Using GreyNoise as a Feed

The script relies on your GreyNoise API key to be set as an environment variable with the key GN_API_KEY so be sure to set it using the following:

export GN_API_KEY="your-key-here"

Test the script by running the following command:

python3 greynoise-misp-feed.py

If the script is working correctly, an output file will be created with the list of IPs. A separate file will be created for the benign vs. malicious feed list:

Creating the daily execution schedule

To have the file(s) updated daily, create a CRON job to run the script on a schedule:

crontab -e

Add to the file:

0 23 * * * /usr/bin/python3 /home/misp/greynoise/greynoise-misp-feed.py

This will run the script at 11 PM UTC every day

Creating the feed import in the MISP UI

Within the MISP UI, go to the Sync Actions menu and select List Feeds

Use the Add Feed option from the right navigation bar:

Configure the Feed with the following settings (replace benign with malicious when/where necessary):

Scheduling the daily import into MISP

MISP provides two methods to auto-import feeds:

  • Use the Scheduled Tasks option. However, this will import all feeds that are enabled on the system.
  • Use the console automation commands to run the Fetch Feed command on the system, using something similar to crontab:
/var/www/MISP/app/Console/cake Server fetchFeed 1 74

Updated about 2 months ago