forked from splunk-soar-connectors/greynoise
<!-- File: readme.html
Copyright (c) GreyNoise, 2019-2022.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under
the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
either express or implied. See the License for the specific language governing permissions
and limitations under the License.
-->
<html>
<body>
<h2>Playbook Backward Compatibility</h2>
<ul>
<li>Version 2.0.0 of this application is a complete rewrite and is not backward compatible with version 1.0.0. Users are therefore requested to update their existing playbooks by re-inserting, modifying, or deleting the corresponding action blocks so that playbooks created on earlier versions of the app continue to function correctly. Users who do not want to upgrade their playbooks can remain on, or downgrade to, the old version (v1.0.0).</li>
</ul>
<h2>Description</h2>
<p>The GreyNoise Enrichment plugin for Phantom enriches observables to identify activity associated with
mass-internet scanning, creating more time to investigate other higher priority observables.
This enrichment provides context into IP behavior: intent, tags, first seen,
last seen, geo-data, ports, OS, and JA3.</p>
<p>The GreyNoise Enrichment plugin for Phantom requires an API key.
Set up an account to receive an API key and find GreyNoise documentation here:
<a target="_blank" rel="noopener noreferrer" href="https://docs.greynoise.io/">https://docs.greynoise.io/</a></p>
<h2>Actions</h2>
<h4>lookup ip</h4>
<p>Check to see if a given IP has been seen by GreyNoise engaging in internet scanning behavior.</p>
<h4>riot lookup ip</h4>
<p>Identifies IPs from known benign services and organizations that commonly cause false positives.</p>
<h4>community lookup ip</h4>
<p>This action requires at least a free community API key. It queries IPs in the GreyNoise dataset and retrieves a subset of the IP reputation data returned by the lookup ip and lookup reputation actions. A free API key can be obtained at <a target="_blank" rel="noopener noreferrer" href="https://www.greynoise.io/viz/signup">https://www.greynoise.io/viz/signup</a>.</p>
<h4>lookup ips</h4>
<p>Check whether IP addresses in a set have been seen engaging in internet scanning behavior.
This action is similar to <i>lookup ip</i> except that it processes more than one IP at a time. IPs should be comma-separated.</p>
<h4>ip reputation</h4>
<p>Delivers full IP context: time ranges, IP metadata
(network owner, ASN, reverse DNS pointer, country), associated actors, activity tags,
and raw port scan and web request information.</p>
<h4>similar noise ips</h4>
<p>Uses the GreyNoise Similarity feature to identify other internet-scanning IPs that share similar features with the given IP.</p>
<h4>noise ip timeline</h4>
<p>Uses the GreyNoise IP Timeline feature to retrieve a daily timeline of scanning behavior associated with the IP.</p>
<h4>gnql query</h4>
<p>GreyNoise Query Language (GNQL) uses Lucene deep under the hood.
GNQL enables users to make complex and one-off queries against the GreyNoise dataset. <br>For more information, please visit:
<a target="_blank" rel="noopener noreferrer" href="https://docs.greynoise.io/reference/gnqlquery-1">https://docs.greynoise.io/reference/gnqlquery-1</a></p>
<h4>on poll</h4>
<p>Retrieves GNQL query results on a set interval. The default number of results returned is 25.</p>
<p>Notes:</p>
<ul>
<li>The value provided in the configuration parameter "on_poll_size" will only be considered for scheduled or interval polling. For manual polling, the value provided in the "container_count" parameter will be considered.</li>
<li>The on poll action will spawn a container for each result returned. Phantom performance may be degraded if an overly large query is used.</li>
<li>Potentially useful queries may include ones that limit results to assets owned by your organization, such as:
<ul>
<li>metadata.organization:your_organization classification:malicious</li>
<li>8.8.8.0/30 (replace with your address block) classification:malicious</li>
</ul>
</li>
<li>To test your query or to learn more about GNQL queries, please visit <a target="_blank" rel="noopener noreferrer" href="https://docs.greynoise.io/reference/gnqlquery-1">https://docs.greynoise.io/reference/gnqlquery-1</a></li>
</ul>
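<p>An added example, not part of this readme or the connector's own code: it builds the two scoped GNQL query forms the notes above recommend (validating the address block so a typo cannot widen the query) and applies the on_poll_size / container_count rule to a constructed result set. The result field names and the container dict are assumptions for illustration.</p>

```python
import ipaddress

# Constructed sample of GNQL results for this example. The field names are an
# assumption for illustration, not a statement of the GreyNoise response format.
SAMPLE_RESULTS = [
    {"ip": "198.51.100.7", "classification": "malicious", "tags": ["Web Crawler"]},
    {"ip": "198.51.100.9", "classification": "benign", "tags": []},
    {"ip": "203.0.113.4", "classification": "malicious", "tags": ["SSH Bruteforcer"]},
    {"ip": "203.0.113.8", "classification": "malicious", "tags": ["RDP Scanner"]},
]


def scoped_gnql(organization=None, cidr=None, classification="malicious"):
    """Build a GNQL query limited to assets you own, in the two forms the
    readme's notes suggest. Exactly one of organization/cidr must be given;
    a CIDR is validated (strict) so a typo cannot silently widen the query."""
    if (organization is None) == (cidr is None):
        raise ValueError("give exactly one of organization or cidr")
    if cidr is not None:
        scope = str(ipaddress.ip_network(cidr, strict=True))  # raises on bad input
    else:
        # Kept to the readme's unquoted form; Lucene phrase quoting is not handled here.
        if not organization or any(ch.isspace() for ch in organization):
            raise ValueError("organization must be a single non-empty token")
        scope = f"metadata.organization:{organization}"
    return f"{scope} classification:{classification}"


def poll_limit(manual, on_poll_size, container_count):
    """Result cap per the readme: container_count applies to manual polls,
    on_poll_size to scheduled/interval polls."""
    return container_count if manual else on_poll_size


def build_containers(results, manual, on_poll_size=25, container_count=None):
    """One container per result (simplified dict, not the SOAR container
    schema), truncated at the applicable poll limit."""
    limit = poll_limit(manual, on_poll_size, container_count)
    if not isinstance(limit, int) or limit < 1:
        raise ValueError("poll limit must be a positive integer")
    return [
        {
            "name": f"GreyNoise {r['classification']} IP {r['ip']}",
            "ip": r["ip"],
            "tags": list(r.get("tags", [])),
        }
        for r in results[:limit]
    ]
```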
<h4>test connectivity</h4>
<p>Test connectivity to GreyNoise. Requires a valid paid or free community API key.</p>
<h2>Legal</h2>
<p>For terms and legal information, please visit <a target="_blank" rel="noopener noreferrer" href="https://greynoise.io/terms">https://greynoise.io/terms</a></p>
<h2>Port Information</h2>
<p>
The app uses the HTTP/HTTPS protocol to communicate with the GreyNoise server. Below are the default ports used by the Splunk SOAR Connector.
</p>
<table>
<tr class="plain">
<th>SERVICE NAME</th>
<th>TRANSPORT PROTOCOL</th>
<th>PORT</th>
</tr>
<tr>
<td>http</td>
<td>tcp</td>
<td>80</td>
</tr>
<tr>
<td>https</td>
<td>tcp</td>
<td>443</td>
</tr>
</table>
</body>
</html>