SOAR Integration Overview: XSOAR (Demisto)
Install From MarketPlace
To install the GreyNoise Content Pack within XSOAR, navigate to the Marketplace, search for GreyNoise, then select Install from the Content Pack Details page.
Configure an Instance of the GreyNoise Integration
To begin using the GreyNoise integration, browse to Integrations -> Servers & Services within XSOAR and search for GreyNoise. On the GreyNoise Integration item, click the Add Instance link, then enter a GreyNoise API key and test the connection.
Performing an On-Demand IP Lookup
From the XSOAR Playground, start by typing:
!greynoise
A list of available commands will be displayed. Select the greynoise-ip-quick-check option, then enter the ip= input followed by one or more IPs to query:
Navigate to the Playground War Room to see the results of the lookup:
To do a full GreyNoise Context lookup, modify the command to be:
!greynoise !ip ip=x.x.x.x
To perform an IP Timeline lookup, run a command similar to the following:
!greynoise-timeline ip="45.164.214.212" days="90" maximum_results="10"
To perform an IP Similarity search, run a command similar to the following:
!greynoise-similarity ip="59.88.225.2" minimum_score="95" maximum_results="10"
Playbooks
The XSOAR integration also includes some basic playbooks that can be used in conjunction with the GreyNoise lookup data. Here are some examples:
Calculate Severity for Egress Traffic - Can be used when determining severity of a Destination IP
Calculate Severity for Ingress Traffic- Can be used when determining severity of a Source IP
Calculate Severity - Includes flag for Ingress vs Egress to Trigger Above Workflows
Generic IP Enrichment Workflow
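The playbooks above turn GreyNoise lookup data plus an ingress/egress flag into a severity. The following Python is an added illustration of that kind of decision, not code from GreyNoise or from the XSOAR content pack, and the scoring rules, the sample IPs and the lookup values are this example's own assumptions; only the field names (seen, classification, actor) follow the shape of a GreyNoise Context lookup.

```python
"""Added illustration (not GreyNoise's or the XSOAR content pack's own code):
deriving a severity from GreyNoise-style context fields together with an
ingress/egress flag. The scoring rules below are this example's assumptions,
not the logic of the 'Calculate Severity' playbooks."""

# Constructed sample of Context-style lookup results, keyed by IP.
# Field names mirror a GreyNoise Context response; the addresses (RFC 5737
# documentation ranges) and the values are made up for this example.
SAMPLE_CONTEXT = {
    "198.51.100.7": {"seen": True, "classification": "malicious", "actor": "unknown"},
    "203.0.113.9": {"seen": True, "classification": "benign", "actor": "Shodan.io"},
    "192.0.2.44": {"seen": False, "classification": "unknown"},
}


def calculate_severity(ctx, direction):
    """Return 'low', 'medium' or 'high' for one lookup result.

    ctx:       dict shaped like a GreyNoise Context lookup (constructed here)
    direction: "ingress" when the looked-up address is the SOURCE of traffic
               reaching us, "egress" when it is the DESTINATION a host of ours
               connected to.

    Assumed rules (hypothetical, chosen for this example):
      ingress, seen and benign (known scanner such as a search engine) -> low
      ingress, seen and malicious                                       -> high
      ingress, seen but unknown, or never seen by GreyNoise             -> medium
      egress,  seen and malicious                                       -> high
      egress,  seen but not malicious (outbound contact with a scanner) -> medium
      egress,  never seen (GreyNoise offers no signal either way)       -> low
    """
    if direction not in ("ingress", "egress"):
        raise ValueError("direction must be 'ingress' or 'egress'")
    seen = bool(ctx.get("seen"))
    classification = ctx.get("classification", "unknown")

    if direction == "ingress":
        if seen and classification == "benign":
            return "low"
        if seen and classification == "malicious":
            return "high"
        # Unknown scanners and addresses GreyNoise has not observed still
        # deserve a look: the absence of noise data is not a clean bill.
        return "medium"

    # egress: our side initiated the connection.
    if seen and classification == "malicious":
        return "high"
    return "medium" if seen else "low"


def severity_for_ips(ips, direction, context=SAMPLE_CONTEXT):
    """Look up each IP in the (constructed) context table and map it to a severity.
    An IP missing from the table is treated as one GreyNoise has never seen."""
    return {ip: calculate_severity(context.get(ip, {}), direction) for ip in ips}


if __name__ == "__main__":
    for direction in ("ingress", "egress"):
        print(direction, severity_for_ips(list(SAMPLE_CONTEXT), direction))
```

The ingress/egress split matters because the same GreyNoise verdict reads differently depending on who initiated the traffic: a benign mass scanner hitting your perimeter is expected background noise, while one of your hosts reaching out to a malicious scanner is not.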