Integration Overview: MISP

Install From GitHub

Ensure that MISP is running the latest commit from the misp-modules GitHub repository.

📘

Current GreyNoise Module Version

The current version of the GreyNoise misp-module is v1.1. Ensure this is the version enabled in your MISP instance to use the features outlined below.

Configure Plugin Settings

Navigate to the Server Settings & Maintenance menu in MISP, then select Plugin Settings. Expand the Enrichment section and search for "greynoise".

Settings:

  • Plugin.Enrichment_greynoise_enabled = set to true
  • Plugin.Enrichment_greynoise_restrict = select an Org if you wish to restrict access
  • Plugin.Enrichment_greynoise_api_key = enter a GreyNoise API Key
  • Plugin.Enrichment_greynoise_api_type = enter enterprise or community, depending on API Key type

Enter GreyNoise module settings to enable the module.

Performing an On-Demand IP Lookup

From the Event Details view, select the magnifying glass icon next to an IP indicator to pull details from GreyNoise on that IP.

Click the magnifying glass next to the IP indicator to query the GreyNoise module.

IP Response with Enterprise (Paid) API Enabled

GreyNoise IP Details from Enterprise (Paid) API

IP Response with Community (Free) API Enabled

GreyNoise IP Details from Community (Free) API

📘

Indicator must be of type "ip-src" or "ip-dst"

When adding an IP indicator as an attribute to an event, the attribute must be of type "ip-src" or "ip-dst" for the module to function.

Performing an On-Demand CVE Query

From the Event Details view, select the magnifying glass icon next to a CVE indicator to pull details from GreyNoise on that CVE. Scanning details for the last 7 days are displayed.

Click the magnifying glass next to the CVE indicator to query the GreyNoise module.

📘

Indicator must be of type "vulnerability"

When adding a CVE indicator as an attribute to an event, the attribute must be of type "vulnerability" for the module to function.

📘

CVE Lookup Requires Enterprise (Paid) API Access

The CVE query function of the module only works when an Enterprise (Paid) API Key and the "enterprise" API Key Type are set in the module settings. Users with Community-level access only have access to the IP lookup functionality.
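The attribute-type and API-tier requirements above can be checked against an event before analysts rely on the enrichment. The following is an added example, not code from GreyNoise or the misp-modules project: it audits a MISP event export and reports which attributes the module would act on, which need an Enterprise key, and which hold an IP or CVE under a type the module ignores. The function name `audit_event`, the report bucket names and the sample event are assumptions constructed for illustration.

```python
import ipaddress
import re

IP_TYPES = {"ip-src", "ip-dst"}  # attribute types the page lists for IP lookups
CVE_TYPE = "vulnerability"       # attribute type the page lists for CVE queries
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)


def _is_ip(value):
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def audit_event(event, api_type):
    """Sort an event's attributes into ready / needs_enterprise / retype."""
    if api_type not in ("enterprise", "community"):
        raise ValueError("api_type must be 'enterprise' or 'community'")
    body = event.get("Event", event)
    attrs = list(body.get("Attribute", []))
    for obj in body.get("Object", []):  # attributes nested inside MISP objects
        attrs.extend(obj.get("Attribute", []))
    report = {"ready": [], "needs_enterprise": [], "retype": []}
    for attr in attrs:
        a_type, value = attr.get("type", ""), str(attr.get("value", ""))
        if a_type in IP_TYPES:
            report["ready"].append(value)
        elif a_type == CVE_TYPE:
            # CVE queries need an Enterprise key and the "enterprise" API type.
            bucket = "ready" if api_type == "enterprise" else "needs_enterprise"
            report[bucket].append(value)
        elif _is_ip(value):  # IP stored under a type the module ignores
            report["retype"].append((value, a_type, "ip-src or ip-dst"))
        elif CVE_RE.match(value.strip()):  # CVE id stored under another type
            report["retype"].append((value, a_type, CVE_TYPE))
    return report

# Constructed sample event: documentation-range IPs and placeholder CVE ids.
SAMPLE_EVENT = {"Event": {"Attribute": [
    {"type": "ip-src", "value": "198.51.100.7"},
    {"type": "text", "value": "203.0.113.9"},
    {"type": "vulnerability", "value": "CVE-0000-00000"},
    {"type": "comment", "value": "cve-0000-11111"},
], "Object": [{"Attribute": [{"type": "ip-dst", "value": "192.0.2.44"}]}]}}

if __name__ == "__main__":
    print(audit_event(SAMPLE_EVENT, "community"))
```

Entries in the `retype` bucket are the ones where the magnifying-glass lookup would not offer GreyNoise until the attribute is re-added under the listed type.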

