Ensure that MISP is running the lastest commit from the misp-modules Github
Current GreyNoise Module Version
The current version of the GreyNoise misp-module is v1.1. Ensure this is the version enabled in your MISP instance to use the features outlined below.
Navigate to the Server Settings & Maintenance menu in MISP, then select Plugin Settings. Expand the Enrichment section and search for "greynoise".
- Plugin.Enrichment_greynoise_enabled = set to true
- Plugin.Enrichment_greynoise_restrict = select an Org if you wish to restrict access
- Plugin.Enrichment_greynoise_api_key = enter a GreyNoise API Key
- Plugin.Enrichment_greynoise_api_type = enter
communitypending on API Key type
From the Event Details view, select the magnifying glass icon next to an IP indicator to pull details from GreyNoise on that IP.
Indicator must be of type "ip-src" or "ip-dst'
When adding an IP indicator as an attribute to an event, the attribute must be of type "ip-src" or "ip-dst" for the module to function.
From the Event Details view, select the magnifying glass icon next to a CVE indicator to pull details from GreyNoise on that CVE. Scanning details for the last 7 days are displayed.
Indicator must be of type "vulnerability"
When adding a CVE indicator as an attribute to an event, the attribute must be of type "vulnerability" for the module to function.
CVE Lookup Requires Enterprise (Paid) API Access
The CVE query function of the module will only work when an Enterprise (Paid) API Key and the "enterprise" API Key Type are enabled in the module settings. Those users with Community level access will only have access to the IP lookup functionality.
Updated about 2 months ago