Integration Overview: MISP
Install From GitHub
Ensure that MISP is running the latest commit from the misp-modules GitHub repository.
Current GreyNoise Module Version
The current version of the GreyNoise misp-module is v1.2. Ensure this version is enabled in your MISP instance to use the features outlined below.
Configure Plugin Settings
Navigate to the Server Settings & Maintenance menu in MISP, then select Plugin Settings. Expand the Enrichment section and search for "greynoise".
Settings:
- Plugin.Enrichment_greynoise_enabled = set to true
- Plugin.Enrichment_greynoise_restrict = select an Org if you wish to restrict access
- Plugin.Enrichment_greynoise_api_key = enter a GreyNoise API Key
- Plugin.Enrichment_greynoise_api_type = enter enterprise or community depending on API Key type

Enter GreyNoise module settings to enable the module.
Performing an Enrich IP Lookup
Enrich Action requires v1.2 of the module and greynoise-ip object
In order for the GreyNoise enrich action to return data on each event, v1.2 of the module needs to be installed, and the greynoise-ip Object needs to be installed: https://github.com/MISP/misp-objects/tree/main/objects/greynoise-ip
From the Event Details page, select the Enrich Event option.

Event details page, Enrich Event function.
From the list of available enrichments, select the greynoise option, then push the enrich button.

Enrichment selection dialog box.
Once the enrichment process finishes, each IP on the event will contain the greynoise-ip enrichment information. Additional details on an IP can be found by using the Hover enrichment below.

GreyNoise enrichment data output.
Performing a Hover IP Lookup
From the Event Details view, select the magnifying glass icon next to an IP indicator to pull details from GreyNoise on that IP.

Click the magnifying glass next to the IP indicator to query the GreyNoise module.
IP Response with Enterprise (Paid) API Enabled

GreyNoise IP Details from Enterprise (Paid) API
IP Response with Community (Free) API Enabled

GreyNoise IP Details from Community (Free) API
Indicator must be of type "ip-src" or "ip-dst"
When adding an IP indicator as an attribute to an event, the attribute must be of type "ip-src" or "ip-dst" for the module to function.
Performing a Hover CVE Query
From the Event Details view, select the magnifying glass icon next to a CVE indicator to pull details from GreyNoise on that CVE. Scanning details for the last 7 days are displayed.

Click the magnifying glass next to the CVE indicator to query the GreyNoise module.
Indicator must be of type "vulnerability"
When adding a CVE indicator as an attribute to an event, the attribute must be of type "vulnerability" for the module to function.

CVE Lookup Requires Enterprise (Paid) API Access
The CVE query function of the module will only work when an Enterprise (Paid) API Key and the "enterprise" API Key Type are enabled in the module settings. Those users with Community level access will only have access to the IP lookup functionality.
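A pre-flight check for the attribute-type and API-tier requirements above, as an added example that is not part of the GreyNoise or MISP code: it reads a MISP event in its JSON export shape and reports which attributes the module would act on and which hold an IP or CVE under another type. The function name `preflight`, the sample event, and the inclusion of object attributes are assumptions for illustration.

```python
import ipaddress
import re

# Attribute types the page says the greynoise module acts on.
IP_TYPES = {"ip-src", "ip-dst"}
CVE_TYPE = "vulnerability"
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def preflight(event, api_type):
    """Sort an event's attributes into: enrichable, needs_enterprise, mistyped."""
    attrs = list(event["Event"].get("Attribute", []))
    for obj in event["Event"].get("Object", []):  # assumption: check objects too
        attrs.extend(obj.get("Attribute", []))
    report = {"enrichable": [], "needs_enterprise": [], "mistyped": []}
    for a in attrs:
        a_type, value = a["type"], a["value"].strip()
        first = value.split("|", 1)[0]  # composite types, e.g. ip-dst|port
        if a_type in IP_TYPES and _is_ip(value):
            report["enrichable"].append(value)
        elif a_type == CVE_TYPE and CVE_RE.match(value):
            key = "enrichable" if api_type == "enterprise" else "needs_enterprise"
            report[key].append(value)
        elif _is_ip(first) or CVE_RE.match(first):
            # Looks like an IP or CVE but is stored under another type.
            report["mistyped"].append((a_type, value))
    return report


# Constructed sample event (documentation-range addresses, made-up CVE ids).
SAMPLE = {"Event": {
    "Attribute": [
        {"type": "ip-src", "value": "198.51.100.7"},
        {"type": "text", "value": "203.0.113.9"},
        {"type": "vulnerability", "value": "CVE-2099-0001"},
        {"type": "comment", "value": "CVE-2099-0002"},
    ],
    "Object": [{"Attribute": [{"type": "ip-dst|port", "value": "192.0.2.44|443"}]}],
}}

if __name__ == "__main__":
    for api_type in ("community", "enterprise"):
        print(api_type, preflight(SAMPLE, api_type))
```

Entries under `mistyped` need their attribute type changed in MISP before the module will return data for them.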