TIP Integration Overview: OpenCTI
This guide explains how to configure the GreyNoise connector in OpenCTI to ingest IP indicators, enrich observables, apply classifications, and set up custom labels—helping analysts filter background internet noise.
Integration Overview
GreyNoise has built and currently supports three connectors for the OpenCTI platform:
- GreyNoise IP Enrichment - enriches a single IP with data from the GreyNoise APIs (Noise and RIOT)
- GreyNoise Vulnerability Enrichment - enriches a single CVE with data from the GreyNoise APIs (CVE)
- GreyNoise Feed - imports a list of indicators from the GreyNoise API (via GNQL query) and creates indicator records for each. Runs daily by default.
Prerequisites
- GreyNoise API Key + Enterprise Subscription
  - The IP Enrichment connector is supported with any paid subscription
  - The Feed connector requires at least an Advanced Platform License
  - The Vulnerability connector is supported with any subscription; however, results are limited based on subscription level. For full results, a Vulnerability Intelligence data module is required.
- OpenCTI 6.x or Higher
Install and Configure Connector(s)
Install IP Enrichment Connector via Docker
- Add the following section to your Docker Compose file:

```yaml
connector-greynoise:
  image: opencti/connector-greynoise:latest
  environment:
    - OPENCTI_URL=http://localhost
    - OPENCTI_TOKEN=ChangeMe
    - CONNECTOR_ID=ChangeMe
    - CONNECTOR_NAME=GreyNoise
    - CONNECTOR_SCOPE=IPv4-Addr
    - CONNECTOR_AUTO=true
    - CONNECTOR_LOG_LEVEL=error
    - GREYNOISE_KEY=ChangeMe
    - GREYNOISE_MAX_TLP=TLP:AMBER
    - GREYNOISE_SIGHTING_NOT_SEEN=false
  restart: always
```

- The above sample sets the `image` to the latest version of the connector. You may wish to pin this to a specific version, such as `opencti/connector-greynoise:6.6.18`.
- Make sure to update values for `opencti_url` and `opencti_token` to match your system's information, assuming this isn't already defined in your environment file. Also ensure a unique connector ID is defined for `connector_id`.
- By setting `CONNECTOR_AUTO=true`, all IPv4 addresses imported into OpenCTI will be automatically enriched. If this needs to be a manual process, set this value to `false`.
- Make sure to update the value for `greynoise_key` to be your GreyNoise API key. You may wish to define this in your environment file for multiple connectors to use.

When using environment variables, the configuration file references them as follows:

```yaml
    - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
    - CONNECTOR_ID=${CONNECTOR_GREYNOISE_ID}
    - GREYNOISE_KEY=${CONNECTOR_GREYNOISE_API_KEY}
```

Install Vulnerability Enrichment Connector via Docker
- Add the following section to your Docker Compose file:

```yaml
connector-greynoise-vuln:
  image: opencti/connector-greynoise-vuln:latest
  environment:
    - OPENCTI_URL=http://localhost
    - OPENCTI_TOKEN=ChangeMe
    - CONNECTOR_ID=ChangeMe
    - CONNECTOR_NAME=GreyNoise Vulnerability
    - CONNECTOR_SCOPE=vulnerability
    - CONNECTOR_AUTO=true
    - CONNECTOR_LOG_LEVEL=error
    - GREYNOISE_KEY=ChangeMe
    - GREYNOISE_MAX_TLP=TLP:AMBER
    - "GREYNOISE_NAME=GreyNoise Internet Scanner"
    - "GREYNOISE_DESCRIPTION=GreyNoise collects and analyzes opportunistic scan and attack activity for devices connected directly to the Internet."
  restart: always
```

- The above sample sets the `image` to the latest version of the connector. You may wish to pin this to a specific version, such as `opencti/connector-greynoise-vuln:6.6.18`.
- Make sure to update values for `opencti_url` and `opencti_token` to match your system's information, assuming this isn't already defined in your environment file. Also, ensure a unique connector ID is defined for `connector_id`.
- By setting `CONNECTOR_AUTO=true`, all CVE IDs imported into OpenCTI will be automatically enriched. If this needs to be a manual process, set this value to `false`.
- Make sure to update the value for `greynoise_key` to be your GreyNoise API key. You may wish to define this in your environment file for multiple connectors to use.

When using environment variables, the configuration file references them as follows:

```yaml
    - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
    - CONNECTOR_ID=${CONNECTOR_GREYNOISE_ID}
    - GREYNOISE_KEY=${CONNECTOR_GREYNOISE_API_KEY}
```

Install Feed Connector via Docker
- Add the following section to your Docker Compose file:

```yaml
connector-greynoise-feed:
  image: opencti/connector-greynoise-feed:latest
  environment:
    - OPENCTI_URL=http://opencti:8080
    - OPENCTI_TOKEN=ChangeMe
    - CONNECTOR_ID=ChangeMe # Valid UUIDv4
    - CONNECTOR_TYPE=EXTERNAL_IMPORT
    - CONNECTOR_NAME=GreyNoiseFeed
    - CONNECTOR_SCOPE=greynoisefeed
    - CONNECTOR_LOG_LEVEL=error
    - GREYNOISE_API_KEY=ChangeMe
    - GREYNOISE_FEED_TYPE=malicious
    - GREYNOISE_LIMIT=250000
  restart: always
```

- By default, the connector imports the "malicious" IP feed from GreyNoise. If a different feed is required, update `greynoise_feed_type` to one of the following values:
  - benign
  - malicious
  - suspicious
  - benign+malicious
  - malicious+suspicious
  - benign+suspicious+malicious
  - all
- By default, the connector will download the feed list once every 24 hours. If a different interval is needed, add the value `greynoise_interval` and provide it with an integer representing how many hours between runs are required.
- By default, the connector will only import the first 10,000 indicators from the feed. To ingest more than that default limit, set the `greynoise_limit` variable to a higher value, such as `250000`.
- The above sample sets the `image` to the latest version of the connector. You may wish to pin this to a specific version, such as `opencti/connector-greynoise-vuln:6.6.18`.
- Make sure to update values for `opencti_url` and `opencti_token` to match your system's information, assuming this isn't already defined in your environment file. Also, ensure a unique connector ID is defined for `connector_id`.
- By setting `CONNECTOR_AUTO=true`, all CVE IDs imported into OpenCTI will be automatically enriched. If this needs to be a manual process, set this value to `false`.
- Make sure to update the value for `greynoise_key` to be your GreyNoise API key. You may wish to define this in your environment file for multiple connectors to use.

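A pre-deployment check for the points in the list above, as an added example (not GreyNoise's or OpenCTI's code): it parses service-level compose fragments in the shape shown on this page and flags unpinned images, leftover `ChangeMe` values, connector IDs that are not UUIDv4 or are reused across connectors, and feed types outside the listed values. The function names and the sample fragment are constructed for illustration; values written as `${VAR}` are treated as environment references and are not inspected.

```python
import re

# Feed types this page lists for the Feed connector.
FEED_TYPES = {"benign", "malicious", "suspicious", "benign+malicious",
              "malicious+suspicious", "benign+suspicious+malicious", "all"}
UUID4 = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}", re.I)

def parse_services(text):  # service-level fragments: "name:", "image:", "- KEY=VALUE"
    services, cur = {}, None
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()            # drop trailing YAML comment
        if re.fullmatch(r"[\w-]+:", line):                # unindented "service-name:"
            cur = services.setdefault(line[:-1], {"image": "", "env": {}})
        elif cur and line.strip().startswith("image:"):
            cur["image"] = line.split(":", 1)[1].strip()
        elif cur and (m := re.match(r'\s*-\s*"?([A-Z0-9_]+)=(.*?)"?$', line)):
            cur["env"][m.group(1)] = m.group(2)
    return services

def lint(services):
    findings, seen = [], {}
    for name, svc in services.items():
        env = svc["env"]
        # Tag is whatever follows ":" in the last path component; none means "latest".
        if (svc["image"].rsplit("/", 1)[-1].partition(":")[2] or "latest") == "latest":
            findings.append((name, "image not pinned to a version"))
        findings += [(name, f"{k} still set to ChangeMe") for k, v in env.items() if v == "ChangeMe"]
        cid = env.get("CONNECTOR_ID", "")
        if cid and cid != "ChangeMe" and not cid.startswith("${"):
            if not UUID4.fullmatch(cid):
                findings.append((name, "CONNECTOR_ID is not a UUIDv4"))
            elif seen.setdefault(cid, name) != name:      # same ID on two connectors
                findings.append((name, f"CONNECTOR_ID reused from {seen[cid]}"))
        if env.get("GREYNOISE_FEED_TYPE", "all") not in FEED_TYPES:
            findings.append((name, "unknown GREYNOISE_FEED_TYPE"))
    return findings

# Constructed sample, not a real deployment; the UUID is made up.
SAMPLE = """\
connector-greynoise:
  image: opencti/connector-greynoise:6.6.18
  environment:
    - CONNECTOR_ID=3f2b8c1e-7a4d-4e9b-9c2a-5d6f7e8a9b0c
    - GREYNOISE_KEY=ChangeMe
connector-greynoise-feed:
  image: opencti/connector-greynoise-feed:latest
  environment:
    - CONNECTOR_ID=3f2b8c1e-7a4d-4e9b-9c2a-5d6f7e8a9b0c  # Valid UUIDv4
    - GREYNOISE_FEED_TYPE=malicous
"""
```

Calling `lint(parse_services(SAMPLE))` returns one `(service, problem)` tuple per finding, so the result can gate a deployment script.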
When using environment variables, the configuration file references them as follows:

```yaml
    - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
    - CONNECTOR_ID=${CONNECTOR_GREYNOISE_ID}
    - GREYNOISE_KEY=${CONNECTOR_GREYNOISE_API_KEY}
```

Running the Plugin(s)
Performing an Enrich IP Lookup
For an observable that is not yet enriched with GreyNoise Data, such as in the case when the GreyNoise enrichment connector is set to manual:
Click the Enrichment button and select GreyNoise from the enrichment options:
After the process completes, the observable will now include the enriched data:
Performing an Enrich Vulnerability Lookup
For an observable that is not yet enriched with GreyNoise Data, such as in the case when the GreyNoise Vulnerability enrichment connector is set to manual:
Click the Enrichment button and select GreyNoise from the enrichment options:
After the process completes, the vulnerability will now include the enriched data:
Feed Connector
The Feed Connector will run based on the interval defined and create indicators within the platform during each run.
The status of the connector can be viewed at Data / Ingestion / Connectors / GreyNoise Feed
An Observable, an Indicator, and GreyNoise metadata will be included during the creation process.

