Integration Overview: MISP

Install From GitHub

Ensure that MISP is running the latest commit of misp-modules from GitHub.

📘 Current GreyNoise Module Version

The current version of the GreyNoise misp-module is v1.2. Ensure this version is enabled in your MISP instance to use the features outlined below.

Configure Plugin Settings

Navigate to the Server Settings & Maintenance menu in MISP, then select Plugin Settings. Expand the Enrichment section and search for "greynoise".

Settings:

  • Plugin.Enrichment_greynoise_enabled = set to true
  • Plugin.Enrichment_greynoise_restrict = select an Org if you wish to restrict access
  • Plugin.Enrichment_greynoise_api_key = enter a GreyNoise API Key
  • Plugin.Enrichment_greynoise_api_type = enter enterprise or community, depending on the API Key type

Enter GreyNoise module settings to enable the module.
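The four settings above can also be pushed from a script instead of the Plugin Settings page. The following is an added example, not code from GreyNoise or the MISP project: it validates the values (the API type must be exactly enterprise or community so it matches the key tier), sets each setting through PyMISP's set_server_setting and reads it back with get_server_setting. It assumes PyMISP is installed, that MISP_URL / MISP_KEY point at an instance where the key has site-admin rights, and that the "value" field of the getSetting response holds the live value; the restrict setting is left empty unless an Org is given.

```python
"""Configure the GreyNoise enrichment module settings in MISP via PyMISP.

Added example (not from the GreyNoise or MISP documentation). Assumes the
PyMISP package and a site-admin API key; server settings are admin-only.
"""
import os
import sys

SETTING_PREFIX = "Plugin.Enrichment_greynoise_"
VALID_API_TYPES = ("enterprise", "community")


def greynoise_settings(api_key, api_type, restrict_org=""):
    """Return the four plugin settings as a name -> value mapping, validated.

    api_type must be 'enterprise' or 'community' and match the tier of the
    key; restrict_org (assumed to be the Org name MISP expects for
    Plugin.Enrichment_greynoise_restrict) stays empty when access is not
    restricted to one Org.
    """
    if not api_key or not api_key.strip():
        raise ValueError("GreyNoise API key must not be empty")
    if api_type not in VALID_API_TYPES:
        raise ValueError(f"api_type must be one of {VALID_API_TYPES}, got {api_type!r}")
    return {
        SETTING_PREFIX + "enabled": True,
        SETTING_PREFIX + "restrict": restrict_org,
        SETTING_PREFIX + "api_key": api_key.strip(),
        SETTING_PREFIX + "api_type": api_type,
    }


def apply_settings(misp, settings):
    """Set each setting and read it back; return the ones whose live value differs."""
    mismatches = {}
    for name, value in settings.items():
        # force=True lets PyMISP write settings MISP flags as sensitive or critical
        misp.set_server_setting(name, value, force=True)
        current = misp.get_server_setting(name)
        # Assumption: MISP's getSetting JSON carries the live value under "value"
        live = current.get("value") if isinstance(current, dict) else current
        if str(live).lower() != str(value).lower():
            mismatches[name] = live
    return mismatches


if __name__ == "__main__":
    from pymisp import PyMISP  # imported here so the helpers above need no MISP

    url = os.environ.get("MISP_URL")       # e.g. https://misp.example.internal (placeholder)
    key = os.environ.get("MISP_KEY")       # site-admin MISP auth key
    gn_key = os.environ.get("GREYNOISE_KEY")
    gn_type = os.environ.get("GREYNOISE_API_TYPE", "community")
    if not (url and key and gn_key):
        sys.exit("set MISP_URL, MISP_KEY and GREYNOISE_KEY in the environment")

    client = PyMISP(url, key, ssl=True)
    bad = apply_settings(client, greynoise_settings(gn_key, gn_type))
    if bad:
        sys.exit(f"settings did not apply as expected: {bad}")
    print("GreyNoise module configured; enable it under Plugin Settings if it is still off")
```

Run it once per MISP instance after installing the module; a non-empty mismatch report usually means the key lacks site-admin rights or the module is not installed, so the setting names are unknown to MISP.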

Performing an Enrich IP Lookup

โ—๏ธ

Enrich Action requires v1.2 of the module and greynoise-ip object

For the GreyNoise enrich action to return data on each event, v1.2 of the module must be installed and the greynoise-ip Object must be present in your MISP instance: https://github.com/MISP/misp-objects/tree/main/objects/greynoise-ip

From the Event Details page, select the Enrich Event option.


Event details page, Enrich Event function.

From the list of available enrichments, select the greynoise option then push the enrich button.


Enrichment selection dialog box.

Once the enrichment process finishes, each IP attribute on the event has a greynoise-ip object attached containing the enrichment data. Additional details on an individual IP can be retrieved with the Hover lookup described below.


GreyNoise enrichment data output.

Performing a Hover IP Lookup

From the Event Details view, select the magnifying glass icon next to an IP indicator to pull details from GreyNoise on that IP.


Click the magnifying glass next to the IP indicator to query the GreyNoise module.

IP Response with Enterprise (Paid) API Enabled


GreyNoise IP Details from Enterprise (Paid) API

IP Response with Community (Free) API Enabled


GreyNoise IP Details from Community (Free) API

📘 Indicator must be of type "ip-src" or "ip-dst"

When adding an IP indicator as an attribute to an event, the attribute must be of type "ip-src" or "ip-dst" for the module to function.

Performing a Hover CVE Query

From the Event Details view, select the magnifying glass icon next to a CVE indicator to pull details from GreyNoise on that CVE. Scanning details for the last 7 days are displayed.


Click the magnifying glass next to the CVE indicator to query the GreyNoise module.

📘 Indicator must be of type "vulnerability"

When adding a CVE indicator as an attribute to an event, the attribute must be of type "vulnerability" for the module to function.


📘 CVE Lookup Requires Enterprise (Paid) API Access

The CVE query function of the module only works when an Enterprise (Paid) API Key is configured and the API Key Type is set to "enterprise" in the module settings. Users with Community level access have access to the IP lookup functionality only.
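The three notes above (IP indicators must be ip-src or ip-dst, CVE indicators must be vulnerability, and CVE lookups need the enterprise API type) are the usual reasons an enrichment comes back empty. The script below is an added example, not code from GreyNoise or MISP: it applies those rules to a constructed list of MISP-style attributes, reports which ones the module will skip and why, and builds the corresponding misp-modules queries. The type rules come from this page; the misp-modules HTTP query shape ({"module": ..., "<attribute-type>": ..., "config": {...}}), the config key names api_key / api_type (taken from the plugin setting names) and the default endpoint http://127.0.0.1:6666 are assumptions about misp-modules, not something this page documents.

```python
"""Pre-flight check for GreyNoise enrichment of MISP attributes.

Added example (not from the GreyNoise or MISP documentation). Attribute type
rules follow the integration notes; the misp-modules query format and the
config key names are assumptions and may need adjusting for your version.
"""
import json
import os
import re
import urllib.request

IP_TYPES = {"ip-src", "ip-dst"}          # the only IP types the module enriches
CVE_TYPES = {"vulnerability"}            # the only type used for CVE lookups
CVE_PATTERN = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)
MISP_MODULES_URL = os.environ.get("MISP_MODULES_URL", "http://127.0.0.1:6666")  # assumed default

# Constructed sample attributes shaped like MISP Attribute JSON (only the fields
# read here). Addresses are from TEST-NET ranges and the CVE id is a placeholder.
SAMPLE_ATTRIBUTES = [
    {"uuid": "a1", "type": "ip-src", "value": "203.0.113.10"},
    {"uuid": "a2", "type": "ip-dst", "value": "198.51.100.7"},
    {"uuid": "a3", "type": "ip-src|port", "value": "203.0.113.99|443"},   # wrong type
    {"uuid": "a4", "type": "vulnerability", "value": "CVE-0000-00000"},   # placeholder id
    {"uuid": "a5", "type": "vulnerability", "value": "not-a-cve"},
    {"uuid": "a6", "type": "domain", "value": "example.net"},
]


def classify(attribute, api_type):
    """Return ('ip' | 'cve', None) when the module can enrich it, else (None, reason)."""
    a_type = attribute.get("type")
    if a_type in IP_TYPES:
        return "ip", None
    if a_type in CVE_TYPES:
        if api_type != "enterprise":
            return None, "CVE lookup needs the enterprise API type"
        if not CVE_PATTERN.match(attribute.get("value", "")):
            return None, "vulnerability value is not a CVE id"
        return "cve", None
    if a_type and a_type.startswith("ip-"):
        return None, f"type {a_type!r} is not enriched; use ip-src or ip-dst"
    return None, f"type {a_type!r} is not handled by the greynoise module"


def plan_enrichment(attributes, api_type):
    """Split attributes into misp-modules queries and (uuid, reason) skips."""
    queries, skipped = [], []
    for attribute in attributes:
        kind, reason = classify(attribute, api_type)
        if kind is None:
            skipped.append((attribute["uuid"], reason))
            continue
        queries.append({
            "module": "greynoise",
            attribute["type"]: attribute["value"],   # assumed misp-modules input shape
            "config": {"api_type": api_type},
        })
    return queries, skipped


def send_query(query, api_key, url=MISP_MODULES_URL, timeout=20):
    """POST one query to misp-modules /query, adding the key only at send time."""
    payload = dict(query)
    payload["config"] = dict(query["config"], api_key=api_key)
    req = urllib.request.Request(
        f"{url}/query", data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    api_type = os.environ.get("GREYNOISE_API_TYPE", "community")
    queries, skipped = plan_enrichment(SAMPLE_ATTRIBUTES, api_type)
    for uuid, reason in skipped:
        print(f"skip {uuid}: {reason}")
    for q in queries:
        print("would query:", json.dumps(q))
    key = os.environ.get("GREYNOISE_KEY")
    if key:  # only talk to misp-modules when a key is supplied
        for q in queries:
            print(json.dumps(send_query(q, key), indent=2))
```

With GREYNOISE_API_TYPE=community the run skips both vulnerability attributes with the enterprise reason before it ever looks at the value, which mirrors the module's behaviour: a malformed CVE id and a valid one are indistinguishable on a Community key.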