Integration Overview: ThreatQ

Install From MarketPlace

Navigate to the ThreatQ Marketplace and search for GreyNoise LINK

11521152

GreyNoise integrations on the ThreatQ marketplace

There are currently three Integration options:

  • GreyNoise CDF - contains two Feed options
    • GreyNoise CDF - used to pull a feed of GreyNoise indicators into ThreatQ
    • GreyNoise Enrichment CDF - used to bulk enrich IP indicators saved in a Data Collection
  • GreyNoise Operation - used to enrich any routable IP within ThreatQ as an on-demand operation
  • GreyNoise Community Operation - used to enrich any routable IP within ThreatQ as an on-demand operation using the GreyNoise Community API

Install the Integrations

Within ThreatQ, on the My Integrations page, click the Add Integration button, and upload the integration files for each of the integrations that are needed.

20042004

ThreatQ Add Integrations Dialog

Configure the Integrations

GreyNoise CDF

To configure the CDF, configure the information for the query to use, enter your GreyNoise API key, then ensure the integration is enabled. It is recommended that this be a Daily Feed.

10181018

GreyNoise CDF configuration options

❗️

Beware of GNQL Query Limits

The GreyNoise CDF uses the GNQL API endpoint. Ensure that any configured queries for this enrichment are pulling indicators that are within current subscription limits. If it is not clear what those limits are, please contact [email protected]

Once enabled, GreyNoise indicator should now appear in the Indicators section, tagged with GreyNoise as the source.

31103110

Sample of imported indicators from GreyNoise

GreyNoise Enrichment CDF

Before configuring the Enrichment CDF, be sure to create a Data Collection of indicators to be monitored. An example of this would be a data collection for non-GreyNoise sources with IPv4 addresses. This will auto enrich all of those IPs within the data collection with GreyNoise enrichment information.

10181018

Data Collection for CDF Enrichment

To configure the Enrichment CDF, configure the Data Collection Hash (which can be pulled from the ThreatQ URL when viewing the Data Collection), the GN API Key, and other options. It is recommended that this be a Daily Feed.

10181018

GreyNoise Enrichment CDF configuration options

Once enabled, the indicators that are in the Data Collection will be updated with GreyNoise enrichment attributes.

12151215

Data Collection IP Indicator with GreyNoise Enrichment

GreyNoise Operation

To configure the GreyNoise Operation, enter your GreyNoise API key, then ensure the integration is enabled.

GreyNoise Community Operation

To configure the GreyNoise Community Operation, ensure the integration is enabled. At this time, no API key is required to enable this operation.

19461946

GreyNoise Community Operation configuration options

Performing an On-Demand IP Lookup

GreyNoise Operation

From any IP indicator, select the GreyNoise operation to fetch the details on what information the GreyNoise Subscription APIs provides on this IP.

GreyNoise Community Operation

From any IP indicator, select the GreyNoise Community operation to fetch the details on what information the GreyNoise Community API provides on this IP.

25842584

GreyNoise Community operation IP lookup results


Did this page help you?