TIP Integration Overview: ThreatQ

Install From MarketPlace

Navigate to the ThreatQ Marketplace and search for GreyNoise.

[Image: GreyNoise integrations on the ThreatQ marketplace]

There are currently three Integration options:

  • GreyNoise CDF - contains two Feed options
    • GreyNoise CDF - used to pull a feed of GreyNoise indicators into ThreatQ
    • GreyNoise Enrichment CDF - used to bulk enrich IP indicators saved in a Data Collection
  • GreyNoise Operation - used to enrich any routable IP within ThreatQ as an on-demand operation
  • GreyNoise Community Operation - used to enrich any routable IP within ThreatQ as an on-demand operation using the GreyNoise Community API

Install the Integrations

Within ThreatQ, on the My Integrations page, click the Add Integration button, and upload the integration files for each of the integrations that are needed.

[Image: ThreatQ Add Integrations dialog]

Configure the Integrations

GreyNoise CDF

To configure the CDF, enter the GNQL query the feed should use, enter your GreyNoise API key, then ensure the integration is enabled. It is recommended that this be a Daily Feed.

[Image: GreyNoise CDF configuration options]

Beware of GNQL Query Limits

The GreyNoise CDF uses the GNQL API endpoint. Ensure that any queries configured for this feed pull an indicator volume that is within your current subscription limits. If it is not clear what those limits are, please contact [email protected]
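One way to check a feed query against that limit before enabling the CDF, as an added example that is not part of the GreyNoise or ThreatQ documentation: run the same GNQL query with `size=1` and read the `count` field of the reply. It assumes the GreyNoise v2 GNQL endpoint, its `key` header and its `count`/`data`/`message` response fields; verify these against the current GreyNoise API reference, and the `fetch` parameter is injectable so the check can run offline against a constructed reply.

```python
"""Estimate how many indicators a GNQL query would feed into ThreatQ."""
import json
import urllib.parse
import urllib.request

# Assumption: GreyNoise v2 GNQL endpoint; confirm against current API docs.
GNQL_URL = "https://api.greynoise.io/v2/experimental/gnql"


def fetch_gnql(query, api_key, size=1):
    """Live lookup: return the parsed JSON body for the query.

    size=1 keeps the reply small; the 'count' field still reports the
    total number of matching IPs, which is what the feed would pull.
    """
    params = urllib.parse.urlencode({"query": query, "size": size})
    req = urllib.request.Request(
        f"{GNQL_URL}?{params}",
        headers={"key": api_key, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def check_query_limit(query, limit, api_key="", fetch=fetch_gnql):
    """Compare the query's total hit count with the subscription limit.

    Returns a dict with the count, the limit and a within_limit flag, so
    the result can be reviewed before the CDF is enabled as a daily feed.
    """
    body = fetch(query, api_key)
    count = int(body.get("count", 0))           # 0 when message is "no results"
    return {
        "query": query,
        "message": body.get("message", ""),
        "count": count,
        "limit": limit,
        "within_limit": count <= limit,
    }


# Constructed sample reply shaped like a GNQL response (not real data).
SAMPLE_RESPONSE = {
    "complete": False,
    "count": 4213,
    "data": [{"ip": "203.0.113.7", "classification": "malicious", "seen": True}],
    "message": "ok",
    "query": "classification:malicious last_seen:1d",
    "scroll": "opaque-scroll-token",
}


def offline_fetch(query, api_key, size=1):
    """Stand-in for fetch_gnql that serves the constructed reply."""
    return SAMPLE_RESPONSE
```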

Once enabled, GreyNoise indicators should appear in the Indicators section, tagged with GreyNoise as the source.

[Image: Sample of imported indicators from GreyNoise]

GreyNoise Enrichment CDF

Before configuring the Enrichment CDF, be sure to create a Data Collection of the indicators to be monitored. An example would be a Data Collection of IPv4 addresses from non-GreyNoise sources. The Enrichment CDF will then automatically enrich every IP in that Data Collection with GreyNoise enrichment information.

[Image: Data Collection for CDF Enrichment]

To configure the Enrichment CDF, enter the Data Collection Hash (which can be copied from the ThreatQ URL when viewing the Data Collection), your GreyNoise API key, and any other options. It is recommended that this be a Daily Feed.

[Image: GreyNoise Enrichment CDF configuration options]

Once enabled, the indicators that are in the Data Collection will be updated with GreyNoise enrichment attributes.

[Image: Data Collection IP Indicator with GreyNoise Enrichment]

GreyNoise Operation

To configure the GreyNoise Operation, enter your GreyNoise API key, then ensure the integration is enabled.

GreyNoise Community Operation

To configure the GreyNoise Community Operation, ensure the integration is enabled. At this time, no API key is required to enable this operation.

[Image: GreyNoise Community Operation configuration options]

Performing an On-Demand IP Lookup

GreyNoise Operation

From any IP indicator, select the GreyNoise operation to fetch the information the GreyNoise subscription APIs provide for that IP.

GreyNoise Community Operation

From any IP indicator, select the GreyNoise Community operation to fetch the information the GreyNoise Community API provides for that IP.

[Image: GreyNoise Community operation IP lookup results]