From d33f75cae254125b06bdb6105e99ee14b4726616 Mon Sep 17 00:00:00 2001 
From: content-bot <55035720+content-bot@users.noreply.github.com> Date: Wed, 7 Jun 2023 20:50:00 +0300 Subject: [PATCH] [greynoise-266] - Add greynoise-similar and greynoise-timeline commands (#27067) (#27291) * add sim and timeline updates * fix test file prints * update readme fix tests * updates to readme for pre-commit * updates from pre-commit run * more linting updates * update secrets * fix url in timeline Co-authored-by: Brad Chiappetta <38439955+bradchiappetta@users.noreply.github.com> --- Packs/GreyNoise/.secrets-ignore | 7 + .../Integrations/GreyNoise/GreyNoise.py | 209 ++++++- .../Integrations/GreyNoise/GreyNoise.yml | 79 ++- .../GreyNoise/GreyNoise_description.md | 5 +- .../Integrations/GreyNoise/GreyNoise_test.py | 67 ++- .../Integrations/GreyNoise/README.md | 539 ++++++++++++------ .../GreyNoise/test_data/input_data.py | 133 ++++- .../{quick_check.md => quick_check.txt} | 0 .../GreyNoise_Community.py | 2 +- .../GreyNoise_Community_description.md | 5 +- .../GreyNoise_Community/README.md | 12 +- .../Calculate_Severity_-_GreyNoise_README.md | 16 +- ...ress_Network_Traffic_-_GreyNoise_README.md | 8 + ...ress_Network_Traffic_-_GreyNoise_README.md | 8 + .../IP_Reputation-GreyNoise_README.md | 8 + Packs/GreyNoise/README.md | 3 + Packs/GreyNoise/ReleaseNotes/1_0_1.md | 2 + Packs/GreyNoise/ReleaseNotes/1_0_2.md | 2 + Packs/GreyNoise/ReleaseNotes/1_0_3.md | 2 + Packs/GreyNoise/ReleaseNotes/1_0_4.md | 4 + Packs/GreyNoise/ReleaseNotes/1_0_5.md | 4 + Packs/GreyNoise/ReleaseNotes/1_1_0.md | 4 + Packs/GreyNoise/ReleaseNotes/1_1_1.md | 4 + Packs/GreyNoise/ReleaseNotes/1_1_2.md | 4 + Packs/GreyNoise/ReleaseNotes/1_2_0.md | 4 + Packs/GreyNoise/ReleaseNotes/1_2_1.md | 4 + Packs/GreyNoise/ReleaseNotes/1_2_10.md | 2 + Packs/GreyNoise/ReleaseNotes/1_2_2.md | 2 + Packs/GreyNoise/ReleaseNotes/1_2_3.md | 2 + Packs/GreyNoise/ReleaseNotes/1_2_4.md | 2 + Packs/GreyNoise/ReleaseNotes/1_2_5.md | 2 + Packs/GreyNoise/ReleaseNotes/1_2_6.md | 2 + Packs/GreyNoise/ReleaseNotes/1_2_7.md 
| 2 + Packs/GreyNoise/ReleaseNotes/1_2_9.md | 1 + Packs/GreyNoise/ReleaseNotes/1_3_0.md | 12 + Packs/GreyNoise/pack_metadata.json | 2 +- 36 files changed, 948 insertions(+), 216 deletions(-) rename Packs/GreyNoise/Integrations/GreyNoise/test_data/{quick_check.md => quick_check.txt} (100%) create mode 100644 Packs/GreyNoise/ReleaseNotes/1_3_0.md diff --git a/Packs/GreyNoise/.secrets-ignore b/Packs/GreyNoise/.secrets-ignore index 99ef47c3bcab..0bf564c623cc 100644 --- a/Packs/GreyNoise/.secrets-ignore +++ b/Packs/GreyNoise/.secrets-ignore @@ -23,3 +23,10 @@ https://greynoise.io https://www.greynoise.io 66.249.68.82 103.21.244.0 +121.239.23.85 +1.145.159.157 +45.95.147.229 +61.30.129.190 +59.88.225.2 +1.1.2.2 +45.164.214.212 diff --git a/Packs/GreyNoise/Integrations/GreyNoise/GreyNoise.py b/Packs/GreyNoise/Integrations/GreyNoise/GreyNoise.py index 50ab0f1839db..2270975b4843 100644 --- a/Packs/GreyNoise/Integrations/GreyNoise/GreyNoise.py +++ b/Packs/GreyNoise/Integrations/GreyNoise/GreyNoise.py @@ -9,7 +9,6 @@ import copy from typing import Tuple, Dict, Any from greynoise import GreyNoise, exceptions, util # type: ignore -from greynoise.exceptions import RequestFailure, RateLimitError # type: ignore # Disable insecure warnings urllib3.disable_warnings() @@ -17,7 +16,7 @@ """ CONSTANTS """ -TIMEOUT = 10 +TIMEOUT = 30 PRETTY_KEY = { "ip": "IP", "first_seen": "First Seen", 
@@ -33,24 +32,30 @@ "city": "City", "country": "Country", "country_code": "Country Code", + "destination_countries": "Destination Countries", + "destination_country_codes": "Destination Country Codes", "organization": "Organization", "category": "Category", + "sensor_count": "Sensor Count", + "sensor_hits": "Sensor Hits", + "source_country": "Source Country", + "source_country_code": "Source Country Code", "tor": "Tor", - "rdns": "RDNS", + "rdns": "rDNS", "os": "OS", "region": "Region", "vpn": "VPN", "vpn_service": "VPN Service", - "raw_data": "raw_data", - "scan": "scan", - "port": "port", - "protocol": "protocol", - "web": "web", - "paths": "paths", - "useragents": "useragents", + "raw_data": "Raw Data", + "scan": "Scan", + "port": "Port", + "protocol": "Protocol", + "web": "Web", + "paths": "Paths", + "useragents": "User-Agents", "ja3": "ja3", "fingerprint": "fingerprint", - "hassh": "hassh", + "hassh": "HASSH", "bot": "BOT", } IP_CONTEXT_HEADERS = [ @@ -66,6 +71,27 @@ "First Seen", "Last Seen", ] +SIMILAR_HEADERS = [ + "IP", + "Score", + "Classification", + "Actor", + "Organization", + "Source Country", + "Last Seen", + "Similarity Features" +] +TIMELINE_HEADERS = [ + "Date", + "Classification", + "Tags", + "rDNS", + "Organization", + "ASN", + "Ports", + "Web Paths", + "User Agents", +] RIOT_HEADERS = ["IP", "Category", "Name", "Trust Level", "Description", "Last Updated"] API_SERVER = util.DEFAULT_CONFIG.get("api_server") IP_QUICK_CHECK_HEADERS = ["IP", "Noise", "RIOT", "Code", "Code Description"] @@ -74,7 +100,8 @@ "spoofable": "Spoofable", "organizations": "Organizations", "actors": "Actors", - "countries": "Countries", + "source_countries": "Source Countries", + "destination_countries": "Destination Countries", "tags": "Tags", "operating_systems": "Operating Systems", "categories": "Categories", 
@@ -102,14 +129,12 @@ "COMMAND_FAIL": "Failed to execute {} command.\n Error: {}", "SERVER_ERROR": "The server encountered an internal error for GreyNoise and was unable to complete your request.", "CONNECTION_TIMEOUT": "Connection timed out. Check your network connectivity.", - "PROXY": "Proxy Error - cannot connect to proxy. Either try clearing the " - "'Use system proxy' check-box or check the host, " - "authentication details and connection details for the proxy.", + "PROXY": "Proxy Error - cannot connect to proxy. Either try clearing the 'Use system proxy' check-box or check " + "the host, authentication details and connection details for the proxy.", "INVALID_RESPONSE": "Invalid response from GreyNoise. Response: {}", "QUERY_STATS_RESPONSE": "GreyNoise request failed. Reason: {}", } - """ CLIENT CLASS """ @@ -131,10 +156,10 @@ def authenticate(self): f"Invalid API Offering ({response['offering']})or Expiration Date ({expiration_date})" ) - except RateLimitError: + except exceptions.RateLimitError: raise DemistoException(EXCEPTION_MESSAGES["API_RATE_LIMIT"]) - except RequestFailure as err: + except exceptions.RequestFailure as err: status_code = err.args[0] body = str(err.args[1]) @@ -245,7 +270,7 @@ def get_ip_context_data(responses: list) -> list: def get_ip_reputation_score(classification: str) -> Tuple[int, str]: - """Get DBot score and human readable of score. + """Get DBot score and human-readable of score. :type classification: ``str`` :param classification: classification of ip provided from GreyNoise. @@ -746,6 +771,8 @@ def stats_command(client: Client, args: dict) -> Any: hr_list: list = [] if value is None: continue + if key == "countries": + continue for rec in value: hr_rec: dict = {} header = [] 
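Review bot: The new `if key == "countries": continue` in stats_command drops a whole section from the human-readable table with no comment saying why, and the yml hunk at `@@ -432,6 +432,18 @@` still documents `GreyNoise.Stats.stats.countries.*` as context output, so the next reader cannot tell whether the skip is deliberate. Presumably `countries` is superseded by the `source_countries` / `destination_countries` keys introduced at `@@ -74,7 +100,8 @@`; a one-line why-comment would pin that down, e.g. `# "countries" is a legacy aggregate; the table shows source_countries/destination_countries instead`. Whether the raw `countries` value still reaches `outputs` cannot be seen here, as stats_command's body begins and ends outside the hunk.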
@@ -767,6 +794,140 @@ def stats_command(client: Client, args: dict) -> Any: ) +@exception_handler +@logger +def similarity_command(client: Client, args: dict) -> Any: + """Get similarity information for a specified IP. + + :type client: ``Client`` + :param client: Client object for interaction with GreyNoise. + + :type args: ``dict`` + :param args: All command arguments, usually passed from ``demisto.args()``. + + :return: A ``CommandResults`` object that is then passed to ``return_results``, + that contains the IP information. + :rtype: ``CommandResults`` + """ + ip = args.get("ip", "") + min_score = args.get("minimum_score", 90) + limit = args.get("maximum_results", 50) + if isinstance(min_score, str): + min_score = int(min_score) + if isinstance(limit, str): + limit = int(limit) + response = client.similar(ip, min_score=min_score, limit=limit) + original_response = copy.deepcopy(response) + response = remove_empty_elements(response) + if not isinstance(response, dict): + raise DemistoException(EXCEPTION_MESSAGES["INVALID_RESPONSE"].format(response)) + + if response.get("similar_ips"): + tmp_response = [] + for sim_ip in response.get("similar_ips", []): + modified_sim_ip = copy.deepcopy(sim_ip) + modified_sim_ip["IP"] = sim_ip.get("ip") + modified_sim_ip["Score"] = sim_ip.get("score", "0") * 100 + modified_sim_ip["Classification"] = sim_ip.get("classification") + modified_sim_ip["Actor"] = sim_ip.get("actor") + modified_sim_ip["Organization"] = sim_ip.get("organization") + modified_sim_ip["Source Country"] = sim_ip.get("source_country") + modified_sim_ip["Last Seen"] = sim_ip.get("last_seen") + modified_sim_ip["Similarity Features"] = sim_ip.get("features") + tmp_response.append(modified_sim_ip) + + human_readable = f"### IP: {ip} - Similar Internet Scanners found in GreyNoise\n" + human_readable += f'#### Total Similar IPs with Score above {min_score}%: {response.get("total")}\n' + if response.get('total', 0) > limit: + human_readable += f'##### Displaying 
{limit} results below. To see all results, visit the GreyNoise ' \ + f'Visualizer.\n ' + + human_readable += tableToMarkdown( + name="GreyNoise Similar IPs", t=tmp_response, headers=SIMILAR_HEADERS, removeNull=True + ) + + similarity_link = f"https://viz.greynoise.io/ip-similarity/{ip}" + human_readable += f"\n*To view the detailed similarity result please click [here]({similarity_link}).*" + + elif response["message"] == "ip not found": + human_readable = "### GreyNoise Similarity Lookup returned No Results." + viz_link = f"https://viz.greynoise.io/ip/{ip}" + human_readable += f"\n*To view this IP on the GreyNoise Visualizer please click [here]({viz_link}).*" + + return CommandResults( + outputs_prefix="GreyNoise.Similar", + outputs_key_field="ip", + readable_output=human_readable, outputs=remove_empty_elements(response), raw_response=original_response + ) + + +@exception_handler +@logger +def timeline_command(client: Client, args: dict) -> Any: + """Get timeline information for a specified IP. + + :type client: ``Client`` + :param client: Client object for interaction with GreyNoise. + + :type args: ``dict`` + :param args: All command arguments, usually passed from ``demisto.args()``. + + :return: A ``CommandResults`` object that is then passed to ``return_results``, + that contains the IP information. 
+ :rtype: ``CommandResults`` + """ + ip = args.get("ip", "") + days = args.get("days", 30) + limit = args.get("maximum_results", 50) + if isinstance(days, str): + days = int(days) + if isinstance(limit, str): + limit = int(limit) + response = client.timelinedaily(ip, days=days, limit=limit) + original_response = copy.deepcopy(response) + response = remove_empty_elements(response) + if not isinstance(response, dict): + raise DemistoException(EXCEPTION_MESSAGES["INVALID_RESPONSE"].format(response)) + + if response.get("activity"): + tmp_response = [] + for activity in response.get("activity", []): + modified_activity = copy.deepcopy(activity) + modified_activity["Date"] = activity.get("timestamp").split("T")[0] + modified_activity["Classification"] = activity.get("classification") + tag_names = [tag["name"] for tag in activity.get("tags", [])] + modified_activity["Tags"] = tag_names + modified_activity["rDNS"] = activity.get("rdns") + modified_activity["Organization"] = activity.get("organization") + modified_activity["ASN"] = activity.get("asn") + ports = [str(item["port"]) + "/" + str(item["transport_protocol"]) for item in activity.get("protocols", [])] + modified_activity["Ports"] = ports + modified_activity["Web Paths"] = activity.get("http_paths") + modified_activity["User Agents"] = activity.get("http_user_agents") + tmp_response.append(modified_activity) + + human_readable = f"### IP: {ip} - GreyNoise IP Timeline\n" + + human_readable += tableToMarkdown( + name="Internet Scanner Timeline Details - Daily Activity Summary", t=tmp_response, headers=TIMELINE_HEADERS, + removeNull=True + ) + + timeline_link = f"https://viz.greynoise.io/ip/{ip}?view=timeline" + human_readable += f"\n*To view the detailed timeline result please click [here]({timeline_link}).*" + + else: + human_readable = "### GreyNoise IP Timeline Returned No Results." 
+ viz_link = f"https://viz.greynoise.io/ip/{ip}" + human_readable += f"\n*To view this IP on the GreyNoise Visualizer please click [here]({viz_link}).*" + + return CommandResults( + outputs_prefix="GreyNoise.Timeline", + outputs_key_field="ip", + readable_output=human_readable, outputs=remove_empty_elements(response), raw_response=original_response + ) + + @exception_handler @logger def riot_command(client: Client, args: Dict, reliability: str) -> CommandResults: @@ -963,7 +1124,7 @@ def main() -> None: else: packs = [] - pack_version = "1.2.0" + pack_version = "1.3.0" if isinstance(packs, list): for pack in packs: if pack["name"] == "GreyNoise": @@ -1010,6 +1171,14 @@ def main() -> None: result = stats_command(client, demisto.args()) return_results(result) + elif demisto.command() == "greynoise-similarity": + result = similarity_command(client, demisto.args()) + return_results(result) + + elif demisto.command() == "greynoise-timeline": + result = timeline_command(client, demisto.args()) + return_results(result) + elif demisto.command() == "greynoise-query": result = query_command(client, demisto.args()) return_results(result) diff --git a/Packs/GreyNoise/Integrations/GreyNoise/GreyNoise.yml b/Packs/GreyNoise/Integrations/GreyNoise/GreyNoise.yml index f7f501f30e41..8748e1d5d8ac 100644 --- a/Packs/GreyNoise/Integrations/GreyNoise/GreyNoise.yml +++ b/Packs/GreyNoise/Integrations/GreyNoise/GreyNoise.yml 
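Review bot: `modified_sim_ip["Score"] = sim_ip.get("score", "0") * 100` in similarity_command multiplies a string when `score` is absent, yielding a 100-character run of zeros rather than a percentage; the default must be the integer `0`, i.e. `modified_sim_ip["Score"] = sim_ip.get("score", 0) * 100`. The `elif response["message"] == "ip not found":` branch raises KeyError when neither `similar_ips` nor `message` is present (remove_empty_elements has already stripped an empty `similar_ips` list), and any other `message` value leaves `human_readable` unbound at `return CommandResults(...)`; timeline_command's plain `else:` is the safer shape, `else:` with `human_readable = "### GreyNoise Similarity Lookup returned No Results."`. In timeline_command, `modified_activity["Date"] = activity.get("timestamp").split("T")[0]` raises AttributeError for a record without `timestamp`, and the `tag["name"]`, `item["port"]` and `item["transport_protocol"]` subscripts raise KeyError if the SDK omits a field — `(activity.get("timestamp") or "").split("T")[0]` and `.get(...)` lookups keep the row instead of failing the command. The ranges the yml documents for `minimum_score` (80–100) and `days` (1–90) are not validated before the SDK call, and a non-numeric argument reaches `int()` with a bare ValueError rather than a message naming the argument.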
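Review bot: The dispatch in main registers the new command as `"greynoise-similarity"`, matching the yml, while the commit subject and the new test are named `greynoise-similar` / `test_similar_command`; the three should agree so the command is discoverable from the changelog, and a short comment next to the branch would help, e.g. `# greynoise-similarity: IP similarity lookup (see similarity_command)`. main's body begins and ends outside this hunk.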
@@ -432,6 +432,18 @@ script:
 - contextPath: GreyNoise.Stats.stats.countries.count
   description: Country count.
   type: number
+ - contextPath: GreyNoise.Stats.stats.source_countries.country
+   description: Country name.
+   type: string
+ - contextPath: GreyNoise.Stats.stats.source_countries.count
+   description: Country count.
+   type: number
+ - contextPath: GreyNoise.Stats.stats.destination_countries.country
+   description: Country name.
+   type: string
+ - contextPath: GreyNoise.Stats.stats.destination_countries.count
+   description: Country count.
+   type: number
 - contextPath: GreyNoise.Stats.stats.tags.tag
   description: Tag name.
   type: string
@@ -606,7 +618,72 @@ script: - contextPath: GreyNoise.IP.bot description: Whether the IP is associated with known bot activity or not. Common examples include credential stuffing, content scraping, or brute force attacks. type: Boolean - dockerimage: demisto/greynoise:1.0.0.30638 + - name: greynoise-similarity + deprecated: false + description: >- + Search for similar internet scanner IPs found in the GreyNoise Noise + (internet scanner) dataset. + execution: false + arguments: + - name: ip + default: true + description: IP address to find similar IPs to + isArray: false + required: true + secret: false + - name: minimum_score + default: false + description: >- + The minimum similarity score to match to. Value between 80 and 100. + Default value is 90. + isArray: false + required: false + secret: false + defaultValue: '90' + - name: maximum_results + default: false + description: The maximum number of results to return. Default value is 50. + isArray: false + required: false + secret: false + defaultValue: '50' + outputs: + - contextPath: GreyNoise.Similar.ip_address + description: Similar IP address. + type: string + - name: greynoise-timeline + deprecated: false + description: >- + Retrieve daily scanner timeline information for an Internet Scanner. + execution: false + arguments: + - name: ip + default: true + description: IP address to find similar IPs to + isArray: false + required: true + secret: false + - name: days + default: false + description: >- + The number of days to retrieve daily summaries for. Value between 1 and 90. + Default value is 30. + isArray: false + required: false + secret: false + defaultValue: '30' + - name: maximum_results + default: false + description: The maximum number of results to return. Default value is 50. + isArray: false + required: false + secret: false + defaultValue: '50' + outputs: + - contextPath: GreyNoise.Timeline.ip_address + description: Timeline IP address. 
+ type: string + dockerimage: demisto/greynoise:1.0.0.61972 feed: false isfetch: false longRunning: false diff --git a/Packs/GreyNoise/Integrations/GreyNoise/GreyNoise_description.md b/Packs/GreyNoise/Integrations/GreyNoise/GreyNoise_description.md index 1fa6fc11d78d..4c8ec7ac5264 100644 --- a/Packs/GreyNoise/Integrations/GreyNoise/GreyNoise_description.md +++ b/Packs/GreyNoise/Integrations/GreyNoise/GreyNoise_description.md @@ -3,5 +3,6 @@ To use GreyNoise on Cortex XSOAR, retrieve your user account's API key and enter it in the integration's configuration. #### Configure an API account on GreyNoise - - [Login](https://viz.greynoise.io/login) / [Register](https://viz.greynoise.io/signup) at GreyNoise - - Once signed in, go to [Account Settings](https://viz.greynoise.io/account/) to get the API Key. + +- [Login](https://viz.greynoise.io/login) / [Register](https://viz.greynoise.io/signup) at GreyNoise +- Once signed in, go to [Account Settings](https://viz.greynoise.io/account/) to get the API Key. diff --git a/Packs/GreyNoise/Integrations/GreyNoise/GreyNoise_test.py b/Packs/GreyNoise/Integrations/GreyNoise/GreyNoise_test.py index 15250a5b0665..102992c9248e 100644 --- a/Packs/GreyNoise/Integrations/GreyNoise/GreyNoise_test.py +++ b/Packs/GreyNoise/Integrations/GreyNoise/GreyNoise_test.py @@ -13,6 +13,8 @@ stats_command_data, riot_command_response_data, context_command_response_data, + similar_command_response_data, + timeline_command_response_data, ) 
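Review bot: In the `greynoise-timeline` block the `ip` argument description `IP address to find similar IPs to` is copied from `greynoise-similarity` and is wrong for this command; it should read `IP address to retrieve daily timeline activity for`. The declared outputs also do not match what the code produces: similarity_command returns the response under `GreyNoise.Similar` with `outputs_key_field="ip"` and reads `similar_ips` (entries with `ip`, `score`, `classification`, `actor`, `organization`, `source_country`, `last_seen`, `features`) and `total`, yet the only documented contextPath is `GreyNoise.Similar.ip_address`, and likewise `GreyNoise.Timeline.ip_address` versus the `activity` list the timeline code reads. Listing the real paths (e.g. `GreyNoise.Similar.similar_ips.ip`, `GreyNoise.Similar.total`, `GreyNoise.Timeline.activity.timestamp`) is what lets playbooks and the README reference them.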
@@ -72,7 +74,7 @@ def test_test_module(api_key, api_response, status_code, expected_output, mocker @pytest.mark.parametrize("args, test_scenario, api_response, status_code, expected_output", ip_reputation_command_data) def test_ip_reputation_command(args, test_scenario, api_response, status_code, expected_output, mocker): """ - Tests various combinations of vald and invalid responses for IPReputation command. + Tests various combinations of valid and invalid responses for IPReputation command. """ client = GreyNoise.Client("true_api_key", "dummy_server", 10, "proxy", False, "dummy_integration") reliability = "B - Usually reliable" @@ -96,19 +98,19 @@ def test_ip_quick_check_command(args, test_scenario, api_response, status_code, client = GreyNoise.Client("true_api_key", "dummy_server", 10, "proxy", False, "dummy_integration") dummy_response = DummyResponse({"Content-Type": "application/json"}, json.dumps(api_response), status_code) if test_scenario == "positive": - mocker.patch("requests.Session.get", return_value=dummy_response) + mocker.patch("requests.Session.post", return_value=dummy_response) response = GreyNoise.ip_quick_check_command(client, args) assert response.outputs == expected_output elif test_scenario == "negative" and status_code == 200: - mocker.patch("requests.Session.get", return_value=dummy_response) + mocker.patch("requests.Session.post", return_value=dummy_response) response = GreyNoise.ip_quick_check_command(client, args) - with open("test_data/quick_check.md") as f: + with open("test_data/quick_check.txt") as f: expected_hr = f.read() assert response.readable_output == expected_hr elif test_scenario == "negative": - mocker.patch("requests.Session.get", return_value=dummy_response) + mocker.patch("requests.Session.post", return_value=dummy_response) with pytest.raises(Exception) as err: _ = GreyNoise.ip_quick_check_command(client, args) assert str(err.value) == expected_output 
@@ -223,5 +225,58 @@ def test_context_command(mocker, args, test_scenario, api_response, status_code, mocker.patch("requests.Session.get", return_value=dummy_response) with pytest.raises(Exception) as err: _ = GreyNoise.ip_reputation_command(client, args, reliability) - print("this is err: " + str(err)) + assert str(err.value) == expected_output + + +@pytest.mark.parametrize( + "args, test_scenario, api_response, status_code, expected_output", similar_command_response_data +) +def test_similar_command(mocker, args, test_scenario, api_response, status_code, expected_output): + """ + Test various inputs for context command + """ + client = GreyNoise.Client( + api_key="true_api_key", + api_server="dummy_server", + timeout=10, + proxy="proxy", + use_cache=False, + integration_name="dummy_integration", + ) + dummy_response = DummyResponse({"Content-Type": "application/json"}, json.dumps(expected_output), status_code) + mocker.patch("requests.Session.get", return_value=dummy_response) + if test_scenario == "positive": + response = GreyNoise.similarity_command(client, args) + assert response.outputs == expected_output + else: + mocker.patch("requests.Session.get", return_value=dummy_response) + with pytest.raises(Exception) as err: + _ = GreyNoise.similarity_command(client, args) + assert str(err.value) == expected_output + + +@pytest.mark.parametrize( + "args, test_scenario, api_response, status_code, expected_output", timeline_command_response_data +) +def test_timeline_command(mocker, args, test_scenario, api_response, status_code, expected_output): + """ + Test various inputs for context command + """ + client = GreyNoise.Client( + api_key="true_api_key", + api_server="dummy_server", + timeout=10, + proxy="proxy", + use_cache=False, + integration_name="dummy_integration", + ) + dummy_response = DummyResponse({"Content-Type": "application/json"}, json.dumps(expected_output), status_code) + mocker.patch("requests.Session.get", return_value=dummy_response) + if 
test_scenario == "positive": + response = GreyNoise.timeline_command(client, args) + assert response.outputs == expected_output + else: + mocker.patch("requests.Session.get", return_value=dummy_response) + with pytest.raises(Exception) as err: + _ = GreyNoise.timeline_command(client, args) assert str(err.value) == expected_output diff --git a/Packs/GreyNoise/Integrations/GreyNoise/README.md b/Packs/GreyNoise/Integrations/GreyNoise/README.md index 6d4dd72b6f85..ffcc7bf576b2 100644 --- a/Packs/GreyNoise/Integrations/GreyNoise/README.md +++ b/Packs/GreyNoise/Integrations/GreyNoise/README.md @@ -1,6 +1,6 @@ GreyNoise is a cybersecurity platform that collects and analyzes Internet-wide scan and attack traffic. With this integration, users can contextualize existing alerts, filter false-positives, identify compromised devices, and track emerging threats. -This integration was integrated and tested with version 0.7.0 of GreyNoise. -Supported Cortex XSOAR versions: 5.0.0 and later. +This integration was integrated and tested with version 2.0.1 of the GreyNoise SDK. +Supported Cortex XSOAR versions: 5.5.0 and later. ## Configure GreyNoise on Cortex XSOAR @@ -15,10 +15,14 @@ Supported Cortex XSOAR versions: 5.0.0 and later. | proxy | Use system proxy settings | False | 4. Click **Test** to validate the URLs, token, and connection. + ## Commands + You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. + ### ip + *** Runs reputation on IPs. @@ -26,6 +30,7 @@ Runs reputation on IPs. #### Base Command `ip` + #### Input | **Argument Name** | **Description** | **Required** | 
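Review bot: In test_similar_command and test_timeline_command the mocked body is built from `json.dumps(expected_output)` instead of `api_response`, so the `api_response` parameter is never used and the positive branch only checks that the payload survives the round trip through remove_empty_elements; it would not catch a broken Score or Date transformation in the command. The line should be `dummy_response = DummyResponse({"Content-Type": "application/json"}, json.dumps(api_response), status_code)`, with `expected_output` reserved for the asserted result. Both docstrings say `Test various inputs for context command`, copied from test_context_command; `Test various inputs for the similarity command` and `Test various inputs for the timeline command` name what is actually exercised. The second `mocker.patch("requests.Session.get", return_value=dummy_response)` inside each `else:` branch repeats the patch already applied just above and can be removed.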
@@ -35,72 +40,83 @@ Runs reputation on IPs. #### Context Output -| **Path** | **Type** | **Description** | -| --- | --- | --- | -| DBotScore.Indicator | String | The indicator that was tested. | -| DBotScore.Score | Number | The actual score. | -| DBotScore.Type | String | The indicator type. | -| DBotScore.Vendor | String | The vendor used to calculate the score. | -| IP.Address | string | IP address. | -| IP.ASN | string | The autonomous system name for the IP address. | -| IP.Hostname | string | The hostname that is mapped to IP address. | -| IP.Geo.Country | string | The country in which the IP address is located. | -| IP.Geo.Description | string | Additional information about the location such as city and region. | -| IP.Malicious.Vendor | string | The vendor reporting the IP address as malicious. | -| IP.Malicious.Description | string | A description explaining why the IP address was reported as malicious. | -| GreyNoise.IP.address | string | The IP address of the scanning device IP. | -| GreyNoise.IP.first_seen | date | The date the device was first observed by GreyNoise. Format is ISO8601. | -| GreyNoise.IP.last_seen | date | The date the device was last observed by GreyNoise. Format is ISO8601. | -| GreyNoise.IP.seen | boolean | IP is in record with GreyNoise. | -| GreyNoise.IP.tags | array | A list of the tags the device has been assigned over the past 90 days. | -| GreyNoise.IP.actor | string | The overt actor the device has been associated with. | -| GreyNoise.IP.spoofable | boolean | Boolean indicates if IP is spoofable. | -| GreyNoise.IP.classification | string | Whether the device has been categorized as unknown, benign, or malicious. | -| GreyNoise.IP.cve | array | CVEs associated with IP. | -| GreyNoise.IP.vpn | boolean | Whether the device is VPN endpoint or not. | -| GreyNoise.IP.vpn_service | string | The name of the VPN service provider of the device. | -| GreyNoise.IP.metadata.asn | string | The autonomous system identification number. 
| -| GreyNoise.IP.metadata.city | string | The city the device is geographically located in. | -| GreyNoise.IP.metadata.region | string | The full name of the region the device is geographically located in. | -| GreyNoise.IP.metadata.country | string | The full name of the country. | -| GreyNoise.IP.metadata.country_code | string | The two-character country code of the country. | -| GreyNoise.IP.metadata.organization | string | The organization that owns the network that the IP address belongs to. | -| GreyNoise.IP.metadata.category | string | Whether the device belongs to a business, isp, hosting, education, or mobile network. | -| GreyNoise.IP.metadata.tor | boolean | Whether or not the device is a known Tor exit node. | -| GreyNoise.IP.metadata.rdns | string | Reverse DNS lookup of the IP address. | -| GreyNoise.IP.metadata.os | string | The name of the operating system of the device. | -| GreyNoise.IP.raw_data.scan.port | number | The port number\(s\) the devices has been observed scanning. | -| GreyNoise.IP.raw_data.scan.protocol | string | The protocol of the port the device has been observed scanning. | -| GreyNoise.IP.raw_data.web.paths | array | Any HTTP paths the device has been observed crawling the Internet for. | -| GreyNoise.IP.raw_data.web.useragents | array | Any HTTP user-agents the device has been observed using while crawling the Internet. | -| GreyNoise.IP.raw_data.ja3.fingerprint | string | The JA3 TLS/SSL fingerprint. | -| GreyNoise.IP.raw_data.ja3.port | number | The corresponding TCP port for the given JA3 fingerprint. | -| GreyNoise.IP.raw_data.hassh.fingerprint | string | HASSH hash fingerprint string. | -| GreyNoise.IP.raw_data.hassh.port | number | TCP port connection where the HASSH hash was identified. 
| +| **Path** | **Type** | **Description** | +|-------------------------------------------------|----------|---------------------------------------------------------------------------------------| +| DBotScore.Indicator | String | The indicator that was tested. | +| DBotScore.Score | Number | The actual score. | +| DBotScore.Type | String | The indicator type. | +| DBotScore.Vendor | String | The vendor used to calculate the score. | +| IP.Address | string | IP address. | +| IP.ASN | string | The autonomous system name for the IP address. | +| IP.Hostname | string | The hostname that is mapped to IP address. | +| IP.Geo.Country | string | The country in which the IP address is located. | +| IP.Geo.Description | string | Additional information about the location such as city and region. | +| IP.Malicious.Vendor | string | The vendor reporting the IP address as malicious. | +| IP.Malicious.Description | string | A description explaining why the IP address was reported as malicious. | +| GreyNoise.IP.address | string | The IP address of the scanning device IP. | +| GreyNoise.IP.first_seen | date | The date the device was first observed by GreyNoise. Format is ISO8601. | +| GreyNoise.IP.last_seen | date | The date the device was last observed by GreyNoise. Format is ISO8601. | +| GreyNoise.IP.seen | boolean | IP is in record with GreyNoise. | +| GreyNoise.IP.tags | array | A list of the tags the device has been assigned over the past 90 days. | +| GreyNoise.IP.actor | string | The overt actor the device has been associated with. | +| GreyNoise.IP.spoofable | boolean | Boolean indicates if IP is spoofable. | +| GreyNoise.IP.classification | string | Whether the device has been categorized as unknown, benign, or malicious. | +| GreyNoise.IP.cve | array | CVEs associated with IP. | +| GreyNoise.IP.vpn | boolean | Whether the device is VPN endpoint or not. | +| GreyNoise.IP.vpn_service | string | The name of the VPN service provider of the device. 
| +| GreyNoise.IP.metadata.asn | string | The autonomous system identification number. | +| GreyNoise.IP.metadata.city | string | The city the device is geographically located in. | +| GreyNoise.IP.metadata.region | string | The full name of the region the device is geographically located in. | +| GreyNoise.IP.metadata.country | string | The full name of the country. | +| GreyNoise.IP.metadata.country_code | string | The two-character country code of the country. | +| GreyNoise.IP.metadata.source_country | string | The full name of the country. | +| GreyNoise.IP.metadata.source_country_code | string | The two-character country code of the country. | +| GreyNoise.IP.metadata.destination_countries | string | The list of countries with observed scanning, by country name. | +| GreyNoise.IP.metadata.destination_country_codes | string | The list of countries with observed scanning, by two-character country code. | +| GreyNoise.IP.metadata.organization | string | The organization that owns the network that the IP address belongs to. | +| GreyNoise.IP.metadata.category | string | Whether the device belongs to a business, isp, hosting, education, or mobile network. | +| GreyNoise.IP.metadata.tor | boolean | Whether or not the device is a known Tor exit node. | +| GreyNoise.IP.metadata.rdns | string | Reverse DNS lookup of the IP address. | +| GreyNoise.IP.metadata.os | string | The name of the operating system of the device. | +| GreyNoise.IP.metadata.sensor_hits | string | The number of GreyNoise sensors that observed scanning. | +| GreyNoise.IP.metadata.sensor_count | string | The number of scanning events observed. | +| GreyNoise.IP.raw_data.scan.port | number | The port number\(s\) the devices has been observed scanning. | +| GreyNoise.IP.raw_data.scan.protocol | string | The protocol of the port the device has been observed scanning. | +| GreyNoise.IP.raw_data.web.paths | array | Any HTTP paths the device has been observed crawling the Internet for. 
| +| GreyNoise.IP.raw_data.web.useragents | array | Any HTTP user-agents the device has been observed using while crawling the Internet. | +| GreyNoise.IP.raw_data.ja3.fingerprint | string | The JA3 TLS/SSL fingerprint. | +| GreyNoise.IP.raw_data.ja3.port | number | The corresponding TCP port for the given JA3 fingerprint. | +| GreyNoise.IP.raw_data.hassh.fingerprint | string | HASSH hash fingerprint string. | +| GreyNoise.IP.raw_data.hassh.port | number | TCP port connection where the HASSH hash was identified. | #### Command Example + ``` !ip "66.249.68.82" ``` #### Human Readable Output -###IP: 66.249.68.82 found with Noise Reputation: Good -###GreyNoise Context IP Lookup +### IP: 66.249.68.82 found with Noise Reputation: Good + +### GreyNoise Context IP Lookup |IP|Classification|Actor|Tags|Spoofable|VPN|BOT|Tor|First Seen|Last Seen| |---|---|---|---|---|---|---|---|---|---| -| [66.249.68.82](https://www.greynoise.io/viz/ip/66.249.68.82) | benign | GoogleBot | TLS/SSL Crawler, Web Crawler | false | false | false | false | 2021-05-30 | 2021-09-16 | +| 66.249.68.82| benign | GoogleBot | TLS/SSL Crawler, Web Crawler | false | false | false | false | 2021-05-30 | 2021-09-16 | + +### IP: 66.249.68.82 found with RIOT Reputation: Good -###IP: 66.249.68.82 found with RIOT Reputation: Good -###Belongs to Common Business Service: Google -###GreyNoise RIOT IP Lookup +### Belongs to Common Business Service: Google + +### GreyNoise RIOT IP Lookup |IP|Category|Name|Trust Level|Description|Last Updated| |---|---|---|---|---|---| -| [66.249.68.82](https://www.greynoise.io/viz/riot/66.249.68.82) | software | Google | 1 - Reasonably Ignore | Google LLC is an American multinational technology company that specializes in Internet-related services and products, which include online advertising technologies, a search engine, cloud computing, software, and hardware. 
| 2021-09-16T17:53:00Z| +| 66.249.68.82 | software | Google | 1 - Reasonably Ignore | Google LLC is an American multinational technology company that specializes in Internet-related services and products, which include online advertising technologies, a search engine, cloud computing, software, and hardware. | 2021-09-16T17:53:00Z| ### greynoise-ip-quick-check + *** Check whether a given IP address is "Internet background noise", or has been observed scanning or attacking devices across the Internet. Note: It checks against the last 60 days of Internet scanner data. @@ -108,6 +124,7 @@ Check whether a given IP address is "Internet background noise", or has been obs #### Base Command `greynoise-ip-quick-check` + #### Input | **Argument Name** | **Description** | **Required** | @@ -127,16 +144,20 @@ Check whether a given IP address is "Internet background noise", or has been obs #### Command Example + ``` !greynoise-ip-quick-check ip="45.83.65.120,45.83.66.18" ``` #### Human Readable Output + ### IP Quick Check Details + |IP|Noise|Code|Code Description| |---|---|---|---| -| [45.83.66.18](https://viz.greynoise.io/ip/45.83.66.18) | true | 0x01 | IP has been observed by the GreyNoise sensor network | -| [45.83.65.120](https://viz.greynoise.io/ip/45.83.65.120) | true | 0x01 | IP has been observed by the GreyNoise sensor network | +| 45.83.66.18 | true | 0x01 | IP has been observed by the GreyNoise sensor network | +| 45.83.65.120| true | 0x01 | IP has been observed by the GreyNoise sensor network | ### greynoise-query + *** Get the information of IP based on the providence filters. 
@@ -144,79 +165,93 @@ Get the information of IP based on the providence filters. #### Base Command `greynoise-query` + #### Input -| **Argument Name** | **Description** | **Required** | -| --- | --- | --- | -| classification | Classification of the device like unknown, benign, malicious. Possible values are: unknown, benign, malicious. | Optional | -| spoofable | Whether the IP is spoofable or not. Possible values are: true, false. | Optional | -| actor | The benign actor the device has been associated with. | Optional | -| size | Maximum amount of results to grab. Default is 10. | Optional | -| advanced_query | GNQL query to filter records.
Note: It merges other arguments and takes higher precedence over the same argument if supplied.
Example:
malicious,
spoofable:false SSH Scanner,
spoofable:false classification:benign tags:POP3 Scanner cve:CVE-2010-0103. | Optional | -| next_token | Scroll token to paginate through results. | Optional | -| last_seen | The date the device was most recently observed by GreyNoise. Example: 1d, 2d, 12h, or 1m. | Optional | -| organization | The organization that owns the network that the IP address belongs to. | Optional | +| **Argument Name** | **Description** | **Required** | +| --- |-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| --- | +| classification | Classification of the device like unknown, benign, malicious. Possible values are: unknown, benign, malicious. | Optional | +| spoofable | Whether the IP is spoofable or not. Possible values are: true, false. | Optional | +| actor | The benign actor the device has been associated with. | Optional | +| size | Maximum amount of results to grab. Default is 10. | Optional | +| advanced_query | GNQL query to filter records. Note: It merges other arguments and takes higher precedence over the same argument if supplied. Example: malicious, spoofable:false SSH Scanner, spoofable:false classification:benign tags:POP3 Scanner cve:CVE-2010-0103. | Optional | +| next_token | Scroll token to paginate through results. | Optional | +| last_seen | The date the device was most recently observed by GreyNoise. Example: 1d, 2d, 12h, or 1m. | Optional | +| organization | The organization that owns the network that the IP address belongs to. | Optional | #### Advance Query + GNQL (GreyNoise Query Language) is a domain-specific query language that uses Lucene deep under the hood. -For more information on the syntax to write GNQL of argument `advanced_query`, click [here](https://developer.greynoise.io/reference#gnql-1). 
+For more information on the syntax to write GNQL of argument `advanced_query`, visit . #### Context Output -| **Path** | **Type** | **Description** | -| --- | --- | --- | -| GreyNoise.IP.address | string | The IP address of the scanning device IP. | -| GreyNoise.IP.first_seen | date | The date the device was first observed by GreyNoise. Format is ISO8601. | -| GreyNoise.IP.last_seen | date | The date the device was last observed by GreyNoise. Format is ISO8601. | -| GreyNoise.IP.seen | boolean | IP is in record with GreyNoise. | -| GreyNoise.IP.tags | array | A list of the tags the device has been assigned over the past 90 days. | -| GreyNoise.IP.actor | string | The overt actor the device has been associated with. | -| GreyNoise.IP.spoofable | boolean | Boolean indicates if IP is spoofable. | -| GreyNoise.IP.classification | string | Whether the device has been categorized as unknown, benign, or malicious. | -| GreyNoise.IP.cve | array | CVEs associated with IP. | -| GreyNoise.IP.vpn | boolean | Whether the device is VPN endpoint or not. | -| GreyNoise.IP.vpn_service | string | The name of the VPN service provider of the device. | -| GreyNoise.IP.metadata.asn | string | The autonomous system identification number. | -| GreyNoise.IP.metadata.city | string | The city the device is geographically located in. | -| GreyNoise.IP.metadata.region | string | The full name of the region the device is geographically located in. | -| GreyNoise.IP.metadata.country | string | The full name of the country. | -| GreyNoise.IP.metadata.country_code | string | The two-character country code of the country. | -| GreyNoise.IP.metadata.organization | string | The organization that owns the network that the IP address belongs to. | -| GreyNoise.IP.metadata.category | string | Whether the device belongs to a business, isp, hosting, education, or mobile network. | -| GreyNoise.IP.metadata.tor | boolean | Whether or not the device is a known Tor exit node. 
| -| GreyNoise.IP.metadata.rdns | string | Reverse DNS lookup of the IP address. | -| GreyNoise.IP.metadata.os | string | The name of the operating system of the device. | -| GreyNoise.IP.raw_data.scan.port | number | The port number\(s\) the devices has been observed scanning. | -| GreyNoise.IP.raw_data.scan.protocol | string | The protocol of the port the device has been observed scanning. | -| GreyNoise.IP.raw_data.web.paths | array | Any HTTP paths the device has been observed crawling the Internet for. | -| GreyNoise.IP.raw_data.web.useragents | array | Any HTTP user-agents the device has been observed using while crawling the Internet. | -| GreyNoise.IP.raw_data.ja3.fingerprint | string | The JA3 TLS/SSL fingerprint. | -| GreyNoise.IP.raw_data.ja3.port | number | The corresponding TCP port for the given JA3 fingerprint. | -| GreyNoise.IP.raw_data.hassh.fingerprint | string | HASSH hash fingerprint string. | -| GreyNoise.IP.raw_data.hassh.port | number | TCP port connection where the HASSH hash was identified. | -| GreyNoise.Query.complete | boolean | Whether all results have been fetched or not. | -| GreyNoise.Query.count | number | Count of the total matching records. | -| GreyNoise.Query.message | string | Message from the API response. | -| GreyNoise.Query.query | string | Query which was used to filter the records. | -| GreyNoise.Query.scroll | string | Scroll token to paginate through results. | -| GreyNoise.IP.bot | boolean | Whether the IP is associated with known bot activity or not. Common examples include credential stuffing, content scraping, or brute force attacks. | +| **Path** | **Type** | **Description** | +|-------------------------------------------------|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------| +| GreyNoise.IP.address | string | The IP address of the scanning device IP. 
| +| GreyNoise.IP.first_seen | date | The date the device was first observed by GreyNoise. Format is ISO8601. | +| GreyNoise.IP.last_seen | date | The date the device was last observed by GreyNoise. Format is ISO8601. | +| GreyNoise.IP.seen | boolean | IP is in record with GreyNoise. | +| GreyNoise.IP.tags | array | A list of the tags the device has been assigned over the past 90 days. | +| GreyNoise.IP.actor | string | The overt actor the device has been associated with. | +| GreyNoise.IP.spoofable | boolean | Boolean indicates if IP is spoofable. | +| GreyNoise.IP.classification | string | Whether the device has been categorized as unknown, benign, or malicious. | +| GreyNoise.IP.cve | array | CVEs associated with IP. | +| GreyNoise.IP.vpn | boolean | Whether the device is VPN endpoint or not. | +| GreyNoise.IP.vpn_service | string | The name of the VPN service provider of the device. | +| GreyNoise.IP.metadata.asn | string | The autonomous system identification number. | +| GreyNoise.IP.metadata.city | string | The city the device is geographically located in. | +| GreyNoise.IP.metadata.region | string | The full name of the region the device is geographically located in. | +| GreyNoise.IP.metadata.country | string | The full name of the country. | +| GreyNoise.IP.metadata.country_code | string | The two-character country code of the country. | +| GreyNoise.IP.metadata.source_country | string | The full name of the country. | +| GreyNoise.IP.metadata.source_country_code | string | The two-character country code of the country. | +| GreyNoise.IP.metadata.destination_countries | string | The list of countries with observed scanning, by country name. | +| GreyNoise.IP.metadata.destination_country_codes | string | The list of countries with observed scanning, by two-character country code. | +| GreyNoise.IP.metadata.organization | string | The organization that owns the network that the IP address belongs to. 
| +| GreyNoise.IP.metadata.category | string | Whether the device belongs to a business, isp, hosting, education, or mobile network. | +| GreyNoise.IP.metadata.tor | boolean | Whether or not the device is a known Tor exit node. | +| GreyNoise.IP.metadata.rdns | string | Reverse DNS lookup of the IP address. | +| GreyNoise.IP.metadata.os | string | The name of the operating system of the device. | +| GreyNoise.IP.metadata.sensor_hits | string | The number of GreyNoise sensors that observed scanning. | +| GreyNoise.IP.metadata.sensor_count | string | The number of scanning events observed. | +| GreyNoise.IP.raw_data.scan.port | number | The port number\(s\) the devices has been observed scanning. | +| GreyNoise.IP.raw_data.scan.protocol | string | The protocol of the port the device has been observed scanning. | +| GreyNoise.IP.raw_data.web.paths | array | Any HTTP paths the device has been observed crawling the Internet for. | +| GreyNoise.IP.raw_data.web.useragents | array | Any HTTP user-agents the device has been observed using while crawling the Internet. | +| GreyNoise.IP.raw_data.ja3.fingerprint | string | The JA3 TLS/SSL fingerprint. | +| GreyNoise.IP.raw_data.ja3.port | number | The corresponding TCP port for the given JA3 fingerprint. | +| GreyNoise.IP.raw_data.hassh.fingerprint | string | HASSH hash fingerprint string. | +| GreyNoise.IP.raw_data.hassh.port | number | TCP port connection where the HASSH hash was identified. | +| GreyNoise.Query.complete | boolean | Whether all results have been fetched or not. | +| GreyNoise.Query.count | number | Count of the total matching records. | +| GreyNoise.Query.message | string | Message from the API response. | +| GreyNoise.Query.query | string | Query which was used to filter the records. | +| GreyNoise.Query.scroll | string | Scroll token to paginate through results. | +| GreyNoise.IP.bot | boolean | Whether the IP is associated with known bot activity or not. 
Common examples include credential stuffing, content scraping, or brute force attacks. | #### Command Example + ``` !greynoise-query spoofable=true size=1 advanced_query="spoofable:false" ``` #### Human Readable Output + ### Total findings: 2846548 + ### IP Context -|IP|Classification|Actor|CVE|Spoofable|VPN|First Seen|Last Seen| -|---|---|---|---|---|---|---|---| -| [71.6.135.131](https://viz.greynoise.io/ip/71.6.135.131) | benign | Shodan.io | CVE-1999-0526,
CVE-2013-6117,
CVE-2019-0708 | false | false | 2017-09-20 | 2021-02-03 | + +| IP |Classification|Actor| CVE |Spoofable|VPN|First Seen|Last Seen| +|---------------|---|---|---------------------------------------------|---|---|---|---| +| 71.6.135.131 | benign | Shodan.io | CVE-1999-0526 ,CVE-2013-6117, CVE-2019-0708 | false | false | 2017-09-20 | 2021-02-03 | ### Next Page Token: + DnF1ZXJ5VGhlbkZldGNoBQAAAAAcV1_HFkFKSExEdUc4VEtta2 -*To view the detailed query result please click [here](https://viz.greynoise.io/query/?gnql=spoofable:false).* +*To view the detailed query result please click here.* ### greynoise-stats + *** Get aggregate statistics for the top organizations, actors, tags, ASNs, countries, classifications, and operating systems of all the results of a given GNQL query. @@ -224,6 +259,7 @@ Get aggregate statistics for the top organizations, actors, tags, ASNs, countrie #### Base Command `greynoise-stats` + #### Input | **Argument Name** | **Description** | **Required** | @@ -232,90 +268,114 @@ Get aggregate statistics for the top organizations, actors, tags, ASNs, countrie | spoofable | Whether the IP is spoofable or not. Possible values are: true, false. | Optional | | actor | The benign actor the device has been associated with. | Optional | | size | Maximum amount of results to grab. Default is 10. | Optional | -| advanced_query | GNQL query to filter records.
Note: It merges other arguments and takes higher precedence over the same argument if supplied.
Example:
malicious,
spoofable:false SSH Scanner,
spoofable:false classification:benign tags:POP3 Scanner cve:CVE-2010-0103. | Optional | +| advanced_query | GNQL query to filter records. Note: It merges other arguments and takes higher precedence over the same argument if supplied. Example: malicious, spoofable:false SSH Scanner, spoofable:false classification:benign tags:POP3 Scanner cve:CVE-2010-0103. | Optional | | last_seen | The date the device was most recently observed by GreyNoise. Example: 1d, 2d, 12h, or 1m. | Optional | | organization | The organization that owns the network that the IP address belongs to. | Optional | #### Context Output -| **Path** | **Type** | **Description** | -| --- | --- | --- | -| GreyNoise.Stats.query | string | The query which was used to filter the records. | -| GreyNoise.Stats.count | number | Count of total aggregated records. | -| GreyNoise.Stats.stats.classifications.classification | string | Classification name. | -| GreyNoise.Stats.stats.classifications.count | number | Classification count. | -| GreyNoise.Stats.stats.spoofable.spoofable | boolean | Whether records are spoofable or not. | -| GreyNoise.Stats.stats.spoofable.count | number | Spoofable count. | -| GreyNoise.Stats.stats.organizations.organization | string | Organization name. | -| GreyNoise.Stats.stats.organizations.count | number | Organization count. | -| GreyNoise.Stats.stats.actors.actor | string | Actor name. | -| GreyNoise.Stats.stats.actors.count | number | Actor count. | -| GreyNoise.Stats.stats.countries.country | string | Country name. | -| GreyNoise.Stats.stats.countries.count | number | Country count. | -| GreyNoise.Stats.stats.tags.tag | string | Tag name. | -| GreyNoise.Stats.stats.tags.count | number | Tag count. | +| **Path** | **Type** | **Description** | +|----------------------------------------------------------| --- | --- | +| GreyNoise.Stats.query | string | The query which was used to filter the records. | +| GreyNoise.Stats.count | number | Count of total aggregated records. 
| +| GreyNoise.Stats.stats.classifications.classification | string | Classification name. | +| GreyNoise.Stats.stats.classifications.count | number | Classification count. | +| GreyNoise.Stats.stats.spoofable.spoofable | boolean | Whether records are spoofable or not. | +| GreyNoise.Stats.stats.spoofable.count | number | Spoofable count. | +| GreyNoise.Stats.stats.organizations.organization | string | Organization name. | +| GreyNoise.Stats.stats.organizations.count | number | Organization count. | +| GreyNoise.Stats.stats.actors.actor | string | Actor name. | +| GreyNoise.Stats.stats.actors.count | number | Actor count. | +| GreyNoise.Stats.stats.countries.country | string | Country name. | +| GreyNoise.Stats.stats.countries.count | number | Country count. | +| GreyNoise.Stats.stats.source_countries.country | string | Country name. | +| GreyNoise.Stats.stats.source_countries.count | number | Country count. | +| GreyNoise.Stats.stats.destination_countries.country | string | Country name. | +| GreyNoise.Stats.stats.destination_countries.count | number | Country count. | +| GreyNoise.Stats.stats.tags.tag | string | Tag name. | +| GreyNoise.Stats.stats.tags.count | number | Tag count. | | GreyNoise.Stats.stats.operating_systems.operating_system | string | Operating system name. | -| GreyNoise.Stats.stats.operating_systems.count | number | Operating system count. | -| GreyNoise.Stats.stats.categories.category | string | Category name. | -| GreyNoise.Stats.stats.categories.count | number | Category count. | -| GreyNoise.Stats.stats.asns.asn | string | Asn name. | -| GreyNoise.Stats.stats.asns.count | number | Asn count. | +| GreyNoise.Stats.stats.operating_systems.count | number | Operating system count. | +| GreyNoise.Stats.stats.categories.category | string | Category name. | +| GreyNoise.Stats.stats.categories.count | number | Category count. | +| GreyNoise.Stats.stats.asns.asn | string | Asn name. | +| GreyNoise.Stats.stats.asns.count | number | Asn count. 
| #### Command Example + ``` !greynoise-stats spoofable=true size=2 advanced_query="spoofable:false ``` #### Human Readable Output + ### Stats + ### Query: spoofable:false Count: 2846548 + ### Classifications + |Classification|Count| |---|---| | unknown | 1838719 | | malicious | 998758 | ### Spoofable + |Spoofable|Count| |---|---| | False | 2846548 | ### Organizations + |Organization|Count| |---|---| | CHINA UNICOM China169 Backbone | 252542 | | CHINANET-BACKBONE | 244599 | ### Actors + |Actor|Count| |---|---| | GoogleBot | 2202 | -### Countries +### Source Countries + +|Country|Count| +|---|---| +| China | 562209 | +| Iran | 376353 | + +### Destination Countries + |Country|Count| |---|---| | China | 562209 | | Iran | 376353 | ### Tags + |Tag|Count| |---|---| | SMB Scanner | 592090 | | Web Scanner | 578058 | ### Operating Systems + |Operating System|Count| |---|---| | Linux 2.2-3.x | 1202422 | | Windows 7/8 | 727215 | ### Categories + |Category|Count| |---|---| | isp | 2263259 | | mobile | 348306 | ### ASNs + |ASN|Count| |---|---| | AS4837 | 252542 | 
@@ -324,57 +384,67 @@ Get aggregate statistics for the top organizations, actors, tags, ASNs, countrie ### greynoise-riot + *** Identify IPs from known benign services and organizations that commonly cause false positives in network security and threat intelligence products. The collection of IPs in RIOT is continually curated and verified to provide accurate results. These IPs are extremely unlikely to pose a threat to your network. #### Base Command `greynoise-riot` + #### Input -| **Argument Name** | **Description** | **Required** | -| --- | --- | --- | -| ip | The IP address to be checked if it is potentially harmful or not. | Required | +| **Argument Name** | **Description** | **Required** | +|-------------------|-------------------------------------------------------------------|--------------| +| ip | The IP address to be checked if it is potentially harmful or not. | Required | #### Context Output -| **Path** | **Type** | **Description** | -| --- | --- | --- | -| GreyNoise.Riot.ip | string | The IP given to check riot information about. | -| GreyNoise.Riot.riot | string | The riot of the IP. "True" or "False" | -| GreyNoise.Riot.category | string | The category of the IP if riot is "True". | -| GreyNoise.Riot.name | string | The name of the IP if the riot is "True". | -| GreyNoise.Riot.description | string | The description of the IP if riot is "True". | -| GreyNoise.Riot.explanation | date | The explanation of the IP if riot is "True". | -| GreyNoise.Riot.last_updated | string | The last updated time of the IP if the riot is "True". | -| GreyNoise.Riot.reference | string | The reference of the IP if riot is "True". | +| **Path** | **Type** | **Description** | +|-----------------------------|----------|--------------------------------------------------------| +| GreyNoise.Riot.ip | string | The IP given to check riot information about. | +| GreyNoise.Riot.riot | string | The riot of the IP. 
"True" or "False" | +| GreyNoise.Riot.category | string | The category of the IP if riot is "True". | +| GreyNoise.Riot.name | string | The name of the IP if the riot is "True". | +| GreyNoise.Riot.description | string | The description of the IP if riot is "True". | +| GreyNoise.Riot.explanation | date | The explanation of the IP if riot is "True". | +| GreyNoise.Riot.last_updated | string | The last updated time of the IP if the riot is "True". | +| GreyNoise.Riot.reference | string | The reference of the IP if riot is "True". | +| GreyNoise.Riot.trust_level | string | The trust_level of the IP if riot is "True". | #### Command Example + ``` !greynoise-riot ip="8.8.8.8" ``` #### Human Readable Output + ### GreyNoise: IP Belongs to Common Business Service + |IP|Category|Name|Trust Level|Description|Last Updated| |---|---|---|---|---|---| -| [8.8.8.8](https://viz.greynoise.io/riot/8.8.8.8) | public_dns | Google Public DNS | 1 - Reasonably Ignore | Google's global domain name system (DNS) resolution service.|2021-04-12T05:55:35Z| +| 8.8.8.8 | public_dns | Google Public DNS | 1 - Reasonably Ignore | Google's global domain name system (DNS) resolution service.|2021-04-12T05:55:35Z| ``` !greynoise-riot ip="114.119.130.178" ``` #### Human Readable Output + ### GreyNoise: IP Not Found in RIOT + |IP|RIOT| |---|---| | 114.119.130.178| false | ### greynoise-context + *** Identify IPs that are mass-scanning the internet and identify what they are scanning for. #### Base Command `greynoise-context` + #### Input | **Argument Name** | **Description** | **Required** | 
@@ -384,56 +454,173 @@ Identify IPs that are mass-scanning the internet and identify what they are scan #### Context Output -| **Path** | **Type** | **Description** | -| --- | --- | --- | -| GreyNoise.IP.address | string | The IP address of the scanning device IP. | -| GreyNoise.IP.first_seen | date | The date the device was first observed by GreyNoise. Format is ISO8601. | -| GreyNoise.IP.last_seen | date | The date the device was last observed by GreyNoise. Format is ISO8601. | -| GreyNoise.IP.seen | boolean | IP is in record with GreyNoise. | -| GreyNoise.IP.tags | array | A list of the tags the device has been assigned over the past 90 days. | -| GreyNoise.IP.actor | string | The overt actor the device has been associated with. | -| GreyNoise.IP.spoofable | boolean | Boolean indicates if IP is spoofable. | -| GreyNoise.IP.classification | string | Whether the device has been categorized as unknown, benign, or malicious. | -| GreyNoise.IP.cve | array | CVEs associated with IP. | -| GreyNoise.IP.vpn | boolean | Whether the device is VPN endpoint or not. | -| GreyNoise.IP.vpn_service | string | The name of the VPN service provider of the device. | -| GreyNoise.IP.bot | boolean | Whether belongs to common bot activity. | -| GreyNoise.IP.metadata.asn | string | The autonomous system identification number. | -| GreyNoise.IP.metadata.city | string | The city the device is geographically located in. | -| GreyNoise.IP.metadata.region | string | The full name of the region the device is geographically located in. | -| GreyNoise.IP.metadata.country | string | The full name of the country. | -| GreyNoise.IP.metadata.country_code | string | The two-character country code of the country. | -| GreyNoise.IP.metadata.organization | string | The organization that owns the network that the IP address belongs to. | -| GreyNoise.IP.metadata.category | string | Whether the device belongs to a business, isp, hosting, education, or mobile network. 
| -| GreyNoise.IP.metadata.tor | boolean | Whether or not the device is a known Tor exit node. | -| GreyNoise.IP.metadata.rdns | string | Reverse DNS lookup of the IP address. | -| GreyNoise.IP.metadata.os | string | The name of the operating system of the device. | -| GreyNoise.IP.raw_data.scan.port | number | The port number\(s\) the devices has been observed scanning. | -| GreyNoise.IP.raw_data.scan.protocol | string | The protocol of the port the device has been observed scanning. | -| GreyNoise.IP.raw_data.web.paths | array | Any HTTP paths the device has been observed crawling the Internet for. | -| GreyNoise.IP.raw_data.web.useragents | array | Any HTTP user-agents the device has been observed using while crawling the Internet. | -| GreyNoise.IP.raw_data.ja3.fingerprint | string | The JA3 TLS/SSL fingerprint. | -| GreyNoise.IP.raw_data.ja3.port | number | The corresponding TCP port for the given JA3 fingerprint. | -| GreyNoise.IP.raw_data.hassh.fingerprint | string | HASSH hash fingerprint string. | -| GreyNoise.IP.raw_data.hassh.port | number | TCP port connection where the HASSH hash was identified. | +| **Path** | **Type** | **Description** | +|-------------------------------------------------|----------|---------------------------------------------------------------------------------------| +| GreyNoise.IP.address | string | The IP address of the scanning device IP. | +| GreyNoise.IP.first_seen | date | The date the device was first observed by GreyNoise. Format is ISO8601. | +| GreyNoise.IP.last_seen | date | The date the device was last observed by GreyNoise. Format is ISO8601. | +| GreyNoise.IP.seen | boolean | IP is in record with GreyNoise. | +| GreyNoise.IP.tags | array | A list of the tags the device has been assigned over the past 90 days. | +| GreyNoise.IP.actor | string | The overt actor the device has been associated with. | +| GreyNoise.IP.spoofable | boolean | Boolean indicates if IP is spoofable. 
| +| GreyNoise.IP.classification | string | Whether the device has been categorized as unknown, benign, or malicious. | +| GreyNoise.IP.cve | array | CVEs associated with IP. | +| GreyNoise.IP.vpn | boolean | Whether the device is VPN endpoint or not. | +| GreyNoise.IP.vpn_service | string | The name of the VPN service provider of the device. | +| GreyNoise.IP.bot | boolean | Whether belongs to common bot activity. | +| GreyNoise.IP.metadata.asn | string | The autonomous system identification number. | +| GreyNoise.IP.metadata.city | string | The city the device is geographically located in. | +| GreyNoise.IP.metadata.region | string | The full name of the region the device is geographically located in. | +| GreyNoise.IP.metadata.country | string | The full name of the country. | +| GreyNoise.IP.metadata.country_code | string | The two-character country code of the country. | +| GreyNoise.IP.metadata.source_country | string | The full name of the country. | +| GreyNoise.IP.metadata.source_country_code | string | The two-character country code of the country. | +| GreyNoise.IP.metadata.destination_countries | string | The list of countries with observed scanning, by country name. | +| GreyNoise.IP.metadata.destination_country_codes | string | The list of countries with observed scanning, by two-character country code. | +| GreyNoise.IP.metadata.organization | string | The organization that owns the network that the IP address belongs to. | +| GreyNoise.IP.metadata.category | string | Whether the device belongs to a business, isp, hosting, education, or mobile network. | +| GreyNoise.IP.metadata.tor | boolean | Whether or not the device is a known Tor exit node. | +| GreyNoise.IP.metadata.rdns | string | Reverse DNS lookup of the IP address. | +| GreyNoise.IP.metadata.os | string | The name of the operating system of the device. | +| GreyNoise.IP.metadata.sensor_hits | string | The number of GreyNoise sensors that observed scanning. 
| +| GreyNoise.IP.metadata.sensor_count | string | The number of scanning events observed. | +| GreyNoise.IP.raw_data.scan.port | number | The port number\(s\) the devices has been observed scanning. | +| GreyNoise.IP.raw_data.scan.protocol | string | The protocol of the port the device has been observed scanning. | +| GreyNoise.IP.raw_data.web.paths | array | Any HTTP paths the device has been observed crawling the Internet for. | +| GreyNoise.IP.raw_data.web.useragents | array | Any HTTP user-agents the device has been observed using while crawling the Internet. | +| GreyNoise.IP.raw_data.ja3.fingerprint | string | The JA3 TLS/SSL fingerprint. | +| GreyNoise.IP.raw_data.ja3.port | number | The corresponding TCP port for the given JA3 fingerprint. | +| GreyNoise.IP.raw_data.hassh.fingerprint | string | HASSH hash fingerprint string. | +| GreyNoise.IP.raw_data.hassh.port | number | TCP port connection where the HASSH hash was identified. | #### Command Example + ``` !greynoise-context ip="66.249.68.82" ``` #### Human Readable Output + ### Benign IP + IP: 66.249.68.82 found with Noise Reputation: Good |IP|Classification|Actor|Tags|Spoofable|VPN|BOT|Tor|First Seen|Last Seen| |---|---|---|---|---|---|---|---|---|---| -| [66.249.68.82](https://www.greynoise.io/viz/ip/66.249.68.82) | 66.249.68.82 | GoogleBot | TLS/SSL Crawler, Web Crawler | false | false | false | false | 2021-05-30 | 2021-09-16 | +| 66.249.68.82 | 66.249.68.82 | GoogleBot | TLS/SSL Crawler, Web Crawler | false | false | false | false | 2021-05-30 | 2021-09-16 | ``` !greynoise-context ip="114.119.130.178" ``` #### Human Readable Output + ### Unidentified IP + IP: 103.21.244.0 No Mass-Internet Scanning Noise Found |IP|Seen| |---|---| -| 103.21.244.0 | false | \ No newline at end of file +| 103.21.244.0 | false | + + +### greynoise-similarity + +*** +Identify IPs with a similar internet scanning profile. 
+ +#### Base Command + +`greynoise-similarity ` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- |----------------------------------------| --- | +| ip | The IP address to find similar IPs for | Required | +| minimum_score | The similar score to return results above. Valid from 85 to 100. Default is 90. | Optional | +| maximum_results | The maximum number of similar results to return. Default is 50. | Optional | + + + +#### Context Output + +| **Path** | **Type** | **Description** | +|------------------------------------| --- | --- | +| GreyNoise.Similar.ip | string | The IP address of the scanning device IP. | +| GreyNoise.Similar.first_seen | date | The date the device was first observed by GreyNoise. Format is ISO8601. | +| GreyNoise.Similar.last_seen | date | The date the device was last observed by GreyNoise. Format is ISO8601. | +| GreyNoise.Similar.actor | string | The overt actor the device has been associated with. | +| GreyNoise.Similar.classification | string | Whether the device has been categorized as unknown, benign, or malicious. | +| GreyNoise.Similar.asn | string | The autonomous system identification number. | +| GreyNoise.Similar.city | string | The city the device is geographically located in. | +| GreyNoise.Similar.country | string | The full name of the country. | +| GreyNoise.Similar.country_code | string | The two-character country code of the country. | +| GreyNoise.Similar.organization | string | The organization that owns the network that the IP address belongs to. | +| GreyNoise.Similar.similar_ips | array | Details of similar IPs | + +#### Command Example + +``` !greynoise-similarity ip="1.2.3.4" minimum_score="90" maximum_results="50"``` + +#### Human Readable Output + +IP: 59.88.225.2 - Similar Internet Scanners found in GreyNoise +Total Similar IPs with Score above 90%: 100 +Displaying 50 results below. To see all results, visit the GreyNoise Visualizer. 
+GreyNoise Similar IPs + +| IP | Score | Classification | Actor | Organization | Last Seen | Similarity Features | +|---------|-------|----------------|---------|--------------|------------|-----------------------| +| 1.2.3.4 | 100 | malicious | unknown | GoogleBot | 2023-04-05 | ports,spoofable_bool | + +``` !greynoise-similarity ip="114.119.130.178" ``` + +#### Human Readable Output + +GreyNoise Similarity Lookup returned No Results. + +### greynoise-similarity + +*** +Identify IPs with a similar internet scanning profile. + +#### Base Command + +`greynoise-similarity ` + +#### Input + +| **Argument Name** | **Description** | **Required** | +|-------------------|------------------------------------------------------------------------------------|--------------| +| ip | The IP address to find similar IPs for | Required | +| days | The number of days from today to get activity. Valid from 1 to 90. Default is 30. | Optional | +| maximum_results | The maximum number of similar results to return. Default is 50. | Optional | + + + +#### Context Output + +| **Path** | **Type** | **Description** | +|-----------------------------------------|----------|-------------------------------------------| +| GreyNoise.Timeline.ip | string | The IP address of the scanning device IP. 
| +| GreyNoise.Timeline.metadata.start_time | date | The start time of the activity period | +| GreyNoise.Timeline.metadata.end_time | date | The end time of the activity period | +| GreyNoise.Timeline.metadata.limit | string | Limit of activity events returned | +| GreyNoise.Timeline.metadata.next_cursor | string | Cursor value to pull next page of results | +| GreyNoise.Timeline.activity | array | Daily activity summaries | + +#### Command Example + +``` !greynoise-timeline ip="1.1.2.2" days="30" maximum_results="30"``` + +#### Human Readable Output + +IP: 45.164.214.212 - GreyNoise IP Timeline +Internet Scanner Timeline Details - Daily Activity Summary + +| Date | Classification | Tags | rDNS | Organization | ASN | Ports | Web Paths | User Agents | +|---------|----------------|-------------|-------------|--------------|---------|----------------------|------------|-----------------| +| 1.2.3.4 | malicious | BruteForcer | me.acme.lcl | Acme, Inc | AS12345 | ports,spoofable_bool | /root/home | MozillaFirefox | + +``` !greynoise-timeline ip="1.1.2.2" days="30" maximum_results="30" ``` + +#### Human Readable Output + +GreyNoise IP Timeline Returned No Results. diff --git a/Packs/GreyNoise/Integrations/GreyNoise/test_data/input_data.py b/Packs/GreyNoise/Integrations/GreyNoise/test_data/input_data.py index 3d3ce4ec46b0..86934d4c12be 100644 --- a/Packs/GreyNoise/Integrations/GreyNoise/test_data/input_data.py +++ b/Packs/GreyNoise/Integrations/GreyNoise/test_data/input_data.py @@ -68,7 +68,6 @@ ), ] - ip_reputation_command_data = [ ({"ip": "71.6.135.131"}, "positive", valid_ip_response, 200, valid_ip_response_expected), # NOSONAR ( 
@@ -450,6 +449,136 @@
 200, # NOSONAR
 {"address": "71.6.135.131", "seen": False},
 ), # NOSONAR
- ({"ip": "123"}, "negative", "Invalid IP address: '123'", 200, "Invalid IP address: '123'"), # NOSONAR # NOSONAR
+ ({"ip": "123"}, "negative", "Invalid IP address: '123'", 200, "Invalid IP address: '123'"), # NOSONAR
 ({"ip": "abc"}, "negative", "forbidden", 200, "Invalid IP address: 'abc'"), # NOSONAR
 ]
+
+valid_similar_response = {
+ "ip": {
+ "actor": "unknown",
+ "asn": "AS4134",
+ "city": "Beijing",
+ "classification": "malicious",
+ "country": "China",
+ "country_code": "CN",
+ "first_seen": "2023-05-29",
+ "ip": "121.239.23.85",
+ "last_seen": "2023-05-30",
+ "organization": "CHINANET-BACKBONE"
+ },
+ "similar_ips": [
+ {
+ "actor": "unknown",
+ "asn": "AS1221",
+ "city": "Melbourne",
+ "classification": "unknown",
+ "country": "Australia",
+ "country_code": "AU",
+ "features": [
+ "ports",
+ "spoofable_bool"
+ ],
+ "first_seen": "2023-05-22",
+ "ip": "1.145.159.157",
+ "last_seen": "2023-05-23",
+ "organization": "Telstra Corporation Ltd",
+ "score": 1
+ }
+ ],
+ "total": 32368
+}
+
+valid_similar_response_expected = copy.deepcopy(valid_similar_response)
+
+similar_command_response_data = [
+ ({"ip": "71.6.135.131"}, "positive", valid_similar_response, 200, valid_similar_response_expected), # NOSONAR
+ ({"ip": "45.95.147.229"}, "positive", {
+ "ip": {
+ "actor": "unknown",
+ "asn": "AS49870",
+ "city": "Amsterdam",
+ "classification": "malicious",
+ "country": "Netherlands",
+ "country_code": "NL",
+ "first_seen": "2023-05-11",
+ "ip": "45.95.147.229",
+ "last_seen": "2023-05-30",
+ "organization": "Alsycon B.V."
+ }, + "similar_ips": [], + "total": 0 + }, 200, valid_similar_response_expected), # NOSONAR + ({"ip": "192.168.1.1"}, "negative", "Non-Routable IP address: '192.168.1.1'", 404, "Non-Routable IP address: " + "'192.168.1.1'"), # NOSONAR + ({"ip": "abc"}, "negative", "forbidden", 404, "Invalid IP address: 'abc'"), # NOSONAR +] + +valid_timeline_response = { + "activity": [ + { + "asn": "AS49870", + "category": "hosting", + "city": "Amsterdam", + "classification": "unknown", + "country": "Netherlands", + "country_code": "NL", + "destinations": [ + { + "country": "Albania", + "country_code": "AL" + } + ], + "organization": "Alsycon B.V.", + "protocols": [ + { + "app_protocol": "TELNET", + "port": 23, + "transport_protocol": "TCP" + } + ], + "rdns": "tittle.life", + "region": "North Holland", + "spoofable": "true", + "tags": [ + { + "category": "tool", + "description": "IP addresses with this tag have been observed using the ZMap Internet scanner.", + "intention": "unknown", + "name": "ZMap Client" + } + ], + "timestamp": "2023-05-29T00:00:00Z", + "tor": "false", + "vpn": "false", + "vpn_service": "" + } + ], + "ip": "45.95.147.229", + "metadata": { + "end_time": "2023-05-30T18:43:30.604457229Z", + "ip": "45.95.147.229", + "limit": 50, + "next_cursor": "", + "start_time": "2023-05-29T00:00:00Z" + } +} + +valid_timeline_response_expected = copy.deepcopy(valid_timeline_response) + +timeline_command_response_data = [ + ({"ip": "45.95.147.229"}, "positive", valid_timeline_response, 200, valid_timeline_response_expected), # NOSONAR + ({"ip": "61.30.129.190"}, "positive", { + "activity": [], + "ip": "61.30.129.190", + "metadata": { + "end_time": "2023-05-30T18:46:34.662311004Z", + "ip": "61.30.129.190", + "limit": 50, + "next_cursor": "", + "start_time": "2023-05-29T00:00:00Z" + } + }, 200, valid_timeline_response_expected), # NOSONAR + ({"ip": "192.168.1.1"}, "negative", "Non-Routable IP address: '192.168.1.1'", 404, "Non-Routable IP address: " + "'192.168.1.1'"), # NOSONAR 
+ ({"ip": "abc"}, "negative", "forbidden", 404, "Invalid IP address: 'abc'"), # NOSONAR
+]
diff --git a/Packs/GreyNoise/Integrations/GreyNoise/test_data/quick_check.md b/Packs/GreyNoise/Integrations/GreyNoise/test_data/quick_check.txt
similarity index 100%
rename from Packs/GreyNoise/Integrations/GreyNoise/test_data/quick_check.md
rename to Packs/GreyNoise/Integrations/GreyNoise/test_data/quick_check.txt
diff --git a/Packs/GreyNoise/Integrations/GreyNoise_Community/GreyNoise_Community.py b/Packs/GreyNoise/Integrations/GreyNoise_Community/GreyNoise_Community.py
index 9ba1447cb333..b1132e941f43 100644
--- a/Packs/GreyNoise/Integrations/GreyNoise_Community/GreyNoise_Community.py
+++ b/Packs/GreyNoise/Integrations/GreyNoise_Community/GreyNoise_Community.py
@@ -298,7 +298,7 @@ def main() -> None: # pragma: no cover
 else:
 packs = []
- pack_version = "1.2.0"
+ pack_version = "1.3.0"
 if isinstance(packs, list):
 for pack in packs:
 if pack["name"] == "GreyNoise":
diff --git a/Packs/GreyNoise/Integrations/GreyNoise_Community/GreyNoise_Community_description.md b/Packs/GreyNoise/Integrations/GreyNoise_Community/GreyNoise_Community_description.md
index 806730124234..13cc31825f5e 100644
--- a/Packs/GreyNoise/Integrations/GreyNoise_Community/GreyNoise_Community_description.md
+++ b/Packs/GreyNoise/Integrations/GreyNoise_Community/GreyNoise_Community_description.md
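Review bot: The second "positive" case in both `similar_command_response_data` and `timeline_command_response_data` reuses `valid_similar_response_expected` / `valid_timeline_response_expected` as the expected value, although the mocked API body in that tuple is for a different IP (45.95.147.229 / 61.30.129.190) with `"similar_ips": []` / `"activity": []`. Unless the test only asserts on the HTTP status or the "No Results" readable output (GreyNoise_test.py is not in this hunk), that expectation cannot match the mocked response, so each empty case should carry its own expected value — e.g. bind the empty body to `empty_similar_response = {...}`, pass `copy.deepcopy(empty_similar_response)` in the last slot, and do the same for the empty timeline body. Separately, the timeline fixture encodes `spoofable`, `tor` and `vpn` as the strings `"true"`/`"false"`; if the live endpoint emits JSON booleans there (the `spoofable_bool` feature name in the similarity fixture hints at that), the fixture does not exercise the type the integration actually receives, which is worth confirming against a real response before relying on it.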
@@ -1,5 +1,6 @@ To use GreyNoise on Cortex XSOAR, retrieve your user account's API key and enter it in the integration's configuration. #### Configure an API account on GreyNoise - - [Login](https://viz.greynoise.io/login) / [Register](https://viz.greynoise.io/signup) at GreyNoise - - Once signed in, go to [Account Settings](https://viz.greynoise.io/account/) to get the API Key. \ No newline at end of file + +- [Login](https://viz.greynoise.io/login) / [Register](https://viz.greynoise.io/signup) at GreyNoise +- Once signed in, go to [Account Settings](https://viz.greynoise.io/account/) to get the API Key. \ No newline at end of file diff --git a/Packs/GreyNoise/Integrations/GreyNoise_Community/README.md b/Packs/GreyNoise/Integrations/GreyNoise_Community/README.md index ffe25189c4bc..444b926563f8 100644 --- a/Packs/GreyNoise/Integrations/GreyNoise_Community/README.md +++ b/Packs/GreyNoise/Integrations/GreyNoise_Community/README.md @@ -22,10 +22,14 @@ Supported Cortex XSOAR versions: 5.5.0 and later. | proxy | Use system proxy settings | False | 4. Click **Test** to validate the URLs, token, and connection. + ## Commands + You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. + ### greynoise-community-lookup + *** Queries IPs in the GreyNoise Community API. @@ -33,6 +37,7 @@ Queries IPs in the GreyNoise Community API. #### Base Command `ip` + #### Input | **Argument Name** | **Description** | **Required** | 
@@ -63,10 +68,15 @@ Queries IPs in the GreyNoise Community API. #### Command Example + ``` !greynoise-community-lookup ips=1.2.3.4 ``` + #### Human Readable Output + ### IP: 71.6.135.131 found with Reputation: Good + ### GreyNoise Community IP Response + |IP|Noise|RIOT|Classification|Name|Link|Last Seen |---|---|---|---|---|---|---| -| 71.6.135.131 | true | false | benign | Shodan.io | https://viz.greynoise.io/ip/71.6.135.131 | 2021-02-03 | \ No newline at end of file +| 71.6.135.131 | true | false | benign | Shodan.io | | 2021-02-03 | \ No newline at end of file diff --git a/Packs/GreyNoise/Playbooks/Calculate_Severity_-_GreyNoise_README.md b/Packs/GreyNoise/Playbooks/Calculate_Severity_-_GreyNoise_README.md index ebef4bcb60cc..d8448c3a5ffd 100644 --- a/Packs/GreyNoise/Playbooks/Calculate_Severity_-_GreyNoise_README.md +++ b/Packs/GreyNoise/Playbooks/Calculate_Severity_-_GreyNoise_README.md @@ -4,22 +4,28 @@ Calculate and assign the incident severity based on the highest returned severit - Current incident severity ## Dependencies + This playbook uses the following sub-playbooks, integrations, and scripts. ### Sub-playbooks -* Calculate Severity Highest DBotScore For Ingress Network Traffic - GreyNoise -* Calculate Severity Highest DBotScore For Egress Network Traffic - GreyNoise + +- Calculate Severity Highest DBotScore For Ingress Network Traffic - GreyNoise +- Calculate Severity Highest DBotScore For Egress Network Traffic - GreyNoise ### Integrations + This playbook does not use any integrations. ### Scripts -* Set + +- Set ### Commands -* setIncident + +- setIncident ## Playbook Inputs + --- | **Name** | **Description** | **Default Value** | **Required** | @@ -28,6 +34,7 @@ This playbook does not use any integrations. | NetworkTrafficDirection | The direction of network traffic event associated with the Incident\(Egress/Ingress\). If not supplied, Ingress is considered. | Egress | Optional | ## Playbook Outputs + --- | **Path** | **Description** | **Type** | 
@@ -39,5 +46,6 @@ This playbook does not use any integrations. | CriticalAssets.CriticalUserGroups | Critical user-groups involved in the incident. | unknown | ## Playbook Image + --- ![Calculate Severity - GreyNoise](./../doc_files/Calculate_Severity_-_GreyNoise.png) \ No newline at end of file diff --git a/Packs/GreyNoise/Playbooks/Calculate_Severity_Highest_DBotScore_For_Egress_Network_Traffic_-_GreyNoise_README.md b/Packs/GreyNoise/Playbooks/Calculate_Severity_Highest_DBotScore_For_Egress_Network_Traffic_-_GreyNoise_README.md index a3cfa5000b67..58de0e9969b8 100644 --- a/Packs/GreyNoise/Playbooks/Calculate_Severity_Highest_DBotScore_For_Egress_Network_Traffic_-_GreyNoise_README.md +++ b/Packs/GreyNoise/Playbooks/Calculate_Severity_Highest_DBotScore_For_Egress_Network_Traffic_-_GreyNoise_README.md @@ -1,22 +1,28 @@ Playbook to calculate the severity based on GreyNoise ## Dependencies + This playbook uses the following sub-playbooks, integrations, and scripts. ### Sub-playbooks + This playbook does not use any sub-playbooks. ### Integrations + * GreyNoise ### Scripts + * Set * IsIntegrationAvailable ### Commands + * ip ## Playbook Inputs + --- | **Name** | **Description** | **Default Value** | **Required** | @@ -24,6 +30,7 @@ This playbook does not use any sub-playbooks. | DBotScore | Array of all indicators associated with the incident. | DBotScore | Optional | ## Playbook Outputs + --- | **Path** | **Description** | **Type** | @@ -31,5 +38,6 @@ This playbook does not use any sub-playbooks. | Severities.DBotScoreSeverity | The severity level of the incident identified and set in the Calculate Severity By GreyNoise Highest DBotScore playbook. | unknown | ## Playbook Image + --- ![Calculate Severity Highest DBotScore For Egress Network Traffic - GreyNoise](./../doc_files/Calculate_Severity_Highest_DBotScore_For_Egress_Network_Traffic_-_GreyNoise.png) \ No newline at end of file 
diff --git a/Packs/GreyNoise/Playbooks/Calculate_Severity_Highest_DBotScore_For_Ingress_Network_Traffic_-_GreyNoise_README.md b/Packs/GreyNoise/Playbooks/Calculate_Severity_Highest_DBotScore_For_Ingress_Network_Traffic_-_GreyNoise_README.md index 3a044e74a3f0..f39ab9d16a17 100644 --- a/Packs/GreyNoise/Playbooks/Calculate_Severity_Highest_DBotScore_For_Ingress_Network_Traffic_-_GreyNoise_README.md +++ b/Packs/GreyNoise/Playbooks/Calculate_Severity_Highest_DBotScore_For_Ingress_Network_Traffic_-_GreyNoise_README.md @@ -1,22 +1,28 @@ Playbook to calculate the severity based on GreyNoise ## Dependencies + This playbook uses the following sub-playbooks, integrations, and scripts. ### Sub-playbooks + This playbook does not use any sub-playbooks. ### Integrations + * GreyNoise ### Scripts + * IsIntegrationAvailable * Set ### Commands + * ip ## Playbook Inputs + --- | **Name** | **Description** | **Default Value** | **Required** | @@ -24,6 +30,7 @@ This playbook does not use any sub-playbooks. | DBotScore | Array of all indicators associated with the incident. | DBotScore | Optional | ## Playbook Outputs + --- | **Path** | **Description** | **Type** | @@ -31,5 +38,6 @@ This playbook does not use any sub-playbooks. | Severities.DBotScoreSeverity | The severity level of the incident identified and set in the Calculate Severity By GreyNoise Highest DBotScore playbook. | unknown | ## Playbook Image + --- ![Calculate Severity Highest DBotScore For Ingress Network Traffic - GreyNoise](./../doc_files/Calculate_Severity_Highest_DBotScore_For_Ingress_Network_Traffic_-_GreyNoise.png) \ No newline at end of file diff --git a/Packs/GreyNoise/Playbooks/IP_Reputation-GreyNoise_README.md b/Packs/GreyNoise/Playbooks/IP_Reputation-GreyNoise_README.md index 9c7c4fba1b44..f0923eb35b8c 100644 --- a/Packs/GreyNoise/Playbooks/IP_Reputation-GreyNoise_README.md +++ b/Packs/GreyNoise/Playbooks/IP_Reputation-GreyNoise_README.md 
@@ -3,21 +3,27 @@ Supported Cortex XSOAR versions: 5.0.0 and later. ## Dependencies + This playbook uses the following sub-playbooks, integrations, and scripts. ### Sub-playbooks + This playbook does not use any sub-playbooks. ### Integrations + * GreyNoise ### Scripts + This playbook does not use any scripts. ### Commands + * ip ## Playbook Inputs + --- | **Name** | **Description** | **Default Value** | **Required** | @@ -25,6 +31,7 @@ This playbook does not use any scripts. | IP | The IP address to get reputation of. | IP.Address | Required | ## Playbook Outputs + --- | **Path** | **Description** | **Type** | @@ -32,5 +39,6 @@ This playbook does not use any scripts. | GreyNoise.IP.address | The IP address of the scanning device IP. | unknown | ## Playbook Image + --- ![IP Reputation-GreyNoise](./../doc_files/IP_Reputation-GreyNoise.png) \ No newline at end of file diff --git a/Packs/GreyNoise/README.md b/Packs/GreyNoise/README.md index 91e57d2a36ca..b2a0d10fbae5 100644 --- a/Packs/GreyNoise/README.md +++ b/Packs/GreyNoise/README.md @@ -4,9 +4,11 @@ more time to uncover and investigate true threats. Includes Actions to allow IP the GreyNoise API. ##### What does this pack do? + The playbooks and actions in this pack help you to reduce Internet-Background noise and benign services from your Incident Response work. They also help automate repetitive tasks associated with routable IPv4 addresses: + - Query an IP to determine if it is Internet-Background Noise - Query an IP to determine if it is a Benign Service - Query the GreyNoise data set for common trends by looking for CVEs, paths, ports or fingerprints 
@@ -14,6 +16,7 @@ They also help automate repetitive tasks associated with routable IPv4 addresses - Calculate the severity of the incident using GreyNoise IP reputation data This Pack Contains two Integrations: GreyNoise and GreyNoise Community + - GreyNoise: is intended for those users that have a Paid GreyNoise subscription - GreyNoise Community: is intended for those users that use the free GreyNoise Community API diff --git a/Packs/GreyNoise/ReleaseNotes/1_0_1.md b/Packs/GreyNoise/ReleaseNotes/1_0_1.md index fb12010a71a7..2dcbb4afa981 100644 --- a/Packs/GreyNoise/ReleaseNotes/1_0_1.md +++ b/Packs/GreyNoise/ReleaseNotes/1_0_1.md @@ -1,5 +1,7 @@ #### Integrations + ##### GreyNoise + - Added the ***greynoise-riot*** command. - Updated the Docker image to: *demisto/greynoise:1.0.0.19143*. diff --git a/Packs/GreyNoise/ReleaseNotes/1_0_2.md b/Packs/GreyNoise/ReleaseNotes/1_0_2.md index 6e6f2cfdf01f..0be1cd0420eb 100644 --- a/Packs/GreyNoise/ReleaseNotes/1_0_2.md +++ b/Packs/GreyNoise/ReleaseNotes/1_0_2.md @@ -1,4 +1,6 @@ #### Integrations + ##### GreyNoise + - Added GreyNoise Community Integration diff --git a/Packs/GreyNoise/ReleaseNotes/1_0_3.md b/Packs/GreyNoise/ReleaseNotes/1_0_3.md index c47d3437529f..6da136dbf9d1 100644 --- a/Packs/GreyNoise/ReleaseNotes/1_0_3.md +++ b/Packs/GreyNoise/ReleaseNotes/1_0_3.md @@ -1,3 +1,5 @@ #### Integrations + ##### GreyNoise + - Maintenance and stability enhancements. \ No newline at end of file diff --git a/Packs/GreyNoise/ReleaseNotes/1_0_4.md b/Packs/GreyNoise/ReleaseNotes/1_0_4.md index f40261323cdd..8674133f91fe 100644 --- a/Packs/GreyNoise/ReleaseNotes/1_0_4.md +++ b/Packs/GreyNoise/ReleaseNotes/1_0_4.md @@ -1,5 +1,9 @@ #### Integrations + ##### GreyNoise + - Upgraded the Docker image to: *demisto/greynoise:1.0.0.23290*. + ##### GreyNoise Community + - Upgraded the Docker image to: *demisto/greynoise:1.0.0.23290*. 
diff --git a/Packs/GreyNoise/ReleaseNotes/1_0_5.md b/Packs/GreyNoise/ReleaseNotes/1_0_5.md index 2cd6603ebc5c..61d236c0432a 100644 --- a/Packs/GreyNoise/ReleaseNotes/1_0_5.md +++ b/Packs/GreyNoise/ReleaseNotes/1_0_5.md @@ -1,5 +1,9 @@ #### Integrations + ##### GreyNoise + - Updated the Docker image to: *demisto/greynoise:1.0.0.24037*. + ##### GreyNoise Community + - Updated the Docker image to: *demisto/greynoise:1.0.0.24037*. diff --git a/Packs/GreyNoise/ReleaseNotes/1_1_0.md b/Packs/GreyNoise/ReleaseNotes/1_1_0.md index 5819cdc54c4b..818fdf6e40ca 100644 --- a/Packs/GreyNoise/ReleaseNotes/1_1_0.md +++ b/Packs/GreyNoise/ReleaseNotes/1_1_0.md @@ -1,5 +1,7 @@ #### Integrations + ##### GreyNoise + - Fixed an issue where the ***test configuration*** command would constantly fail. - Updated the ***ip*** command to perform both NOISE and RIOT lookups. - Added the ***greynoise-context*** command to only perform NOISE lookup. @@ -7,5 +9,7 @@ - Updated URL Hyperlink URLs to new Visualizer base URL. - Update IP Context Table to include additional elements. - Added a CVE lookup option to the ***query*** command. + ##### GreyNoise Community + - Maintenance and stability enhancements diff --git a/Packs/GreyNoise/ReleaseNotes/1_1_1.md b/Packs/GreyNoise/ReleaseNotes/1_1_1.md index fc01eef1baa1..1d546b047804 100644 --- a/Packs/GreyNoise/ReleaseNotes/1_1_1.md +++ b/Packs/GreyNoise/ReleaseNotes/1_1_1.md @@ -1,5 +1,9 @@ #### Integrations + ##### GreyNoise + - Fixed a bug to allow backward compatibility. + ##### GreyNoise Community + - Fixed a bug to allow backward compatibility. \ No newline at end of file diff --git a/Packs/GreyNoise/ReleaseNotes/1_1_2.md b/Packs/GreyNoise/ReleaseNotes/1_1_2.md index 443a4ff585a2..7435813bd0e0 100644 --- a/Packs/GreyNoise/ReleaseNotes/1_1_2.md +++ b/Packs/GreyNoise/ReleaseNotes/1_1_2.md 
@@ -1,5 +1,9 @@ #### Integrations + ##### GreyNoise + - Updated the Docker image to: *demisto/greynoise:1.0.0.25543*. + ##### GreyNoise Community + - Updated the Docker image to: *demisto/greynoise:1.0.0.25543*. diff --git a/Packs/GreyNoise/ReleaseNotes/1_2_0.md b/Packs/GreyNoise/ReleaseNotes/1_2_0.md index e88553dadb04..cc23702e0eb5 100644 --- a/Packs/GreyNoise/ReleaseNotes/1_2_0.md +++ b/Packs/GreyNoise/ReleaseNotes/1_2_0.md @@ -1,6 +1,10 @@ #### Integrations + ##### GreyNoise + - Added support for IP enrichment commands to use Reliability option. - Improved implementation ***greynoise-riot*** command output to match the RIOT section of the ***ip*** command output. + ##### GreyNoise Community + - Added support for IP enrichment commands to use Reliability option. \ No newline at end of file diff --git a/Packs/GreyNoise/ReleaseNotes/1_2_1.md b/Packs/GreyNoise/ReleaseNotes/1_2_1.md index 7f1032fd1790..0f14b4d66204 100644 --- a/Packs/GreyNoise/ReleaseNotes/1_2_1.md +++ b/Packs/GreyNoise/ReleaseNotes/1_2_1.md @@ -1,5 +1,9 @@ #### Integrations + ##### GreyNoise + - Added support for the *feedExpirationPolicy* and *feedExpirationInterval* integration parameters. + ##### GreyNoise Community + - Added support for the *feedExpirationPolicy* and *feedExpirationInterval* integration parameters. \ No newline at end of file diff --git a/Packs/GreyNoise/ReleaseNotes/1_2_10.md b/Packs/GreyNoise/ReleaseNotes/1_2_10.md index 411b360f8799..20364df9bf52 100644 --- a/Packs/GreyNoise/ReleaseNotes/1_2_10.md +++ b/Packs/GreyNoise/ReleaseNotes/1_2_10.md @@ -1,3 +1,5 @@ #### Integrations + ##### GreyNoise Community + - Updated the Docker image to: *demisto/greynoise:1.0.0.58795*. diff --git a/Packs/GreyNoise/ReleaseNotes/1_2_2.md b/Packs/GreyNoise/ReleaseNotes/1_2_2.md index 2f7ba81d3978..9ac70fd35189 100644 --- a/Packs/GreyNoise/ReleaseNotes/1_2_2.md +++ b/Packs/GreyNoise/ReleaseNotes/1_2_2.md 
@@ -1,3 +1,5 @@ #### Integrations + ##### GreyNoise Community + - Updated the Docker image to: *demisto/greynoise:1.0.0.40774*. diff --git a/Packs/GreyNoise/ReleaseNotes/1_2_3.md b/Packs/GreyNoise/ReleaseNotes/1_2_3.md index 733c7930fbfa..3105dd7d03e3 100644 --- a/Packs/GreyNoise/ReleaseNotes/1_2_3.md +++ b/Packs/GreyNoise/ReleaseNotes/1_2_3.md @@ -1,3 +1,5 @@ #### Integrations + ##### GreyNoise Community + - Updated the Docker image to: *demisto/greynoise:1.0.0.44806*. diff --git a/Packs/GreyNoise/ReleaseNotes/1_2_4.md b/Packs/GreyNoise/ReleaseNotes/1_2_4.md index 72a1b1b33509..57dfe64302d0 100644 --- a/Packs/GreyNoise/ReleaseNotes/1_2_4.md +++ b/Packs/GreyNoise/ReleaseNotes/1_2_4.md @@ -1,3 +1,5 @@ #### Integrations + ##### GreyNoise Community + - Updated the Docker image to: *demisto/greynoise:1.0.0.47299*. diff --git a/Packs/GreyNoise/ReleaseNotes/1_2_5.md b/Packs/GreyNoise/ReleaseNotes/1_2_5.md index 3e1b8c35de72..aab035a84315 100644 --- a/Packs/GreyNoise/ReleaseNotes/1_2_5.md +++ b/Packs/GreyNoise/ReleaseNotes/1_2_5.md @@ -1,3 +1,5 @@ #### Integrations + ##### GreyNoise Community + - Updated the Docker image to: *demisto/greynoise:1.0.0.48836*. diff --git a/Packs/GreyNoise/ReleaseNotes/1_2_6.md b/Packs/GreyNoise/ReleaseNotes/1_2_6.md index cbc5cc2fa426..5257e813be32 100644 --- a/Packs/GreyNoise/ReleaseNotes/1_2_6.md +++ b/Packs/GreyNoise/ReleaseNotes/1_2_6.md @@ -1,3 +1,5 @@ #### Integrations + ##### GreyNoise Community + - Updated the Docker image to: *demisto/greynoise:1.0.0.51072*. diff --git a/Packs/GreyNoise/ReleaseNotes/1_2_7.md b/Packs/GreyNoise/ReleaseNotes/1_2_7.md index 7afd1b2798d1..c7f7ede0b866 100644 --- a/Packs/GreyNoise/ReleaseNotes/1_2_7.md +++ b/Packs/GreyNoise/ReleaseNotes/1_2_7.md @@ -1,3 +1,5 @@ #### Integrations + ##### GreyNoise Community + - Updated the Docker image to: *demisto/greynoise:1.0.0.54455*. diff --git a/Packs/GreyNoise/ReleaseNotes/1_2_9.md b/Packs/GreyNoise/ReleaseNotes/1_2_9.md index 9fa4ab0269f9..5cab5c7265df 100644 
--- a/Packs/GreyNoise/ReleaseNotes/1_2_9.md +++ b/Packs/GreyNoise/ReleaseNotes/1_2_9.md @@ -1,4 +1,5 @@ #### Integrations ##### GreyNoise + - Fixed an issue where ***test module*** command throws exception on XSOAR8 and XSIAM envs. diff --git a/Packs/GreyNoise/ReleaseNotes/1_3_0.md b/Packs/GreyNoise/ReleaseNotes/1_3_0.md new file mode 100644 index 000000000000..72a9d3cb26ec --- /dev/null +++ b/Packs/GreyNoise/ReleaseNotes/1_3_0.md @@ -0,0 +1,12 @@ +#### Integrations + +##### GreyNoise + +- Added greynoise-similarity command +- Added greynoise-timeline command +- Updated schema for GNQL and IP Context responses to include new fields +- Updated the Docker image to: *demisto/greynoise:1.0.0.61972*. + +##### GreyNoise Community + +- Updated the Docker image to: *demisto/greynoise:1.0.0.61972*. diff --git a/Packs/GreyNoise/pack_metadata.json b/Packs/GreyNoise/pack_metadata.json index 4fae17df44df..5e4f0ebcda74 100644 --- a/Packs/GreyNoise/pack_metadata.json +++ b/Packs/GreyNoise/pack_metadata.json @@ -2,7 +2,7 @@ "name": "GreyNoise", "description": "GreyNoise is a threat intelligence service that collects and analyzes Internet-wide scan and attack traffic. With this integration, users can contextualize existing alerts, filter false-positives, identify compromised devices, and track emerging threats. The full integration code can be found here: https://github.com/demisto/content/tree/master/Packs/GreyNoise", "support": "partner", - "currentVersion": "1.2.11", + "currentVersion": "1.3.0", "author": "GreyNoise", "url": "https://greynoise.io", "email": "support@greynoise.io",