Integration Overview: ThreatQ

Install From MarketPlace

Navigate to the ThreatQ Marketplace and search for GreyNoise.

GreyNoise integrations on the ThreatQ marketplace

There are currently three Integration options:

  • GreyNoise CDF - contains two Feed options
    • GreyNoise CDF - used to pull a feed of GreyNoise indicators into ThreatQ
    • GreyNoise Enrichment CDF - used to bulk enrich IP indicators saved in a Data Collection
  • GreyNoise Operation - used to enrich any routable IP within ThreatQ as an on-demand operation
  • GreyNoise Community Operation - used to enrich any routable IP within ThreatQ as an on-demand operation using the GreyNoise Community API

Install the Integrations

Within ThreatQ, on the My Integrations page, click the Add Integration button, and upload the integration files for each of the integrations that are needed.

ThreatQ Add Integrations Dialog

Configure the Integrations

GreyNoise CDF

To configure the CDF, enter the GNQL query the feed should run, enter your GreyNoise API key, then ensure the integration is enabled. It is recommended that this be a Daily Feed.

GreyNoise CDF configuration options

❗️ Beware of GNQL Query Limits

The GreyNoise CDF uses the GNQL API endpoint. Ensure that any configured queries for this enrichment are pulling indicators that are within current subscription limits. If it is not clear what those limits are, please contact [email protected]
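One way to confirm a query is within limits before enabling the feed is a pre-flight check that runs the candidate GNQL query with size=1 and compares the total match count in the response against the limit you have been given. The script below is an added example, not code from GreyNoise or the ThreatQ integration; the endpoint path and the `key` header follow the public GreyNoise GNQL API, while the sample response, the 203.0.113.10 address and the daily_limit value are constructed placeholders.

```python
"""Pre-flight check for a GNQL query before it is configured in the ThreatQ
GreyNoise CDF. Added example, not code from GreyNoise or ThreatQ."""
import json
import urllib.parse
import urllib.request

# Public GreyNoise GNQL endpoint, the same one the CDF queries.
GNQL_URL = "https://api.greynoise.io/v2/experimental/gnql"


def build_gnql_request(query: str, api_key: str, size: int = 1) -> urllib.request.Request:
    """Build the GNQL request. size=1 keeps the preview cheap; the response's
    'count' field still reports how many indicators match in total."""
    params = urllib.parse.urlencode({"query": query, "size": size})
    return urllib.request.Request(
        f"{GNQL_URL}?{params}",
        headers={"key": api_key, "Accept": "application/json"},
    )


def evaluate_gnql_response(body: dict, daily_limit: int) -> dict:
    """Compare the total match count with the subscription limit. The limit is
    an assumed value supplied by the caller; the real figure comes from GreyNoise."""
    count = int(body.get("count", 0))
    return {
        "query": body.get("query"),
        "count": count,
        "daily_limit": daily_limit,
        "within_limit": count <= daily_limit,
        "headroom": daily_limit - count,
    }


def preflight(query: str, api_key: str, daily_limit: int) -> dict:
    """Run the query with size=1 against the live API and evaluate the count."""
    req = build_gnql_request(query, api_key)
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.load(resp)
    return evaluate_gnql_response(body, daily_limit)


# Constructed sample reply, shaped like a GNQL response (all values made up).
SAMPLE_RESPONSE = {
    "complete": False,
    "count": 125000,
    "query": "classification:malicious last_seen:1d",
    "message": "ok",
    "data": [{"ip": "203.0.113.10", "classification": "malicious", "seen": True}],
}


if __name__ == "__main__":
    # Offline demonstration on the constructed sample with a placeholder limit.
    verdict = evaluate_gnql_response(SAMPLE_RESPONSE, daily_limit=10000)
    print(json.dumps(verdict, indent=2))
    # Live use needs a real key:
    # preflight("classification:malicious last_seen:1d", "YOUR_API_KEY", 10000)
```

If `within_limit` comes back False, narrow the query (for example a shorter last_seen window) before enabling the feed; otherwise the daily pull will run up against the subscription limit rather than delivering the full result set.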

Once enabled, GreyNoise indicators should appear in the Indicators section, tagged with GreyNoise as the source.

Sample of imported indicators from GreyNoise

GreyNoise Enrichment CDF

Before configuring the Enrichment CDF, be sure to create a Data Collection of indicators to be monitored. An example would be a data collection of IPv4 addresses from non-GreyNoise sources. The Enrichment CDF then automatically enriches every IP in that data collection with GreyNoise enrichment information.

Data Collection for CDF Enrichment

To configure the Enrichment CDF, enter the Data Collection Hash (which can be copied from the ThreatQ URL when viewing the Data Collection), the GreyNoise API key, and any other options. It is recommended that this be a Daily Feed.

GreyNoise Enrichment CDF configuration options

Once enabled, the indicators that are in the Data Collection will be updated with GreyNoise enrichment attributes.

Data Collection IP Indicator with GreyNoise Enrichment

GreyNoise Operation

To configure the GreyNoise Operation, enter your GreyNoise API key, then ensure the integration is enabled.

GreyNoise Community Operation

To configure the GreyNoise Community Operation, ensure the integration is enabled. At this time, no API key is required to enable this operation.

GreyNoise Community Operation configuration options

Performing an On-Demand IP Lookup

GreyNoise Operation

From any IP indicator, select the GreyNoise operation to fetch the details that the GreyNoise Subscription APIs provide on this IP.

GreyNoise Community Operation

From any IP indicator, select the GreyNoise Community operation to fetch the details that the GreyNoise Community API provides on this IP.

GreyNoise Community operation IP lookup results
