From b07f98a036053fa3b62cd534267be28e6c76b4b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Viktor=20Sz=C3=A9pe?=
Date: Wed, 25 Aug 2021 11:07:07 +0200
Subject: [PATCH] Shell improvements in GreyNoise-Canary script
---
 GreyNoise-Canary-Threat-Intel-Report.sh | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/GreyNoise-Canary-Threat-Intel-Report.sh b/GreyNoise-Canary-Threat-Intel-Report.sh
index 8935f6d..8faef0b 100644
--- a/GreyNoise-Canary-Threat-Intel-Report.sh
+++ b/GreyNoise-Canary-Threat-Intel-Report.sh
@@ -4,18 +4,16 @@
 # Canary support will be happy to enable API access to your console. See the README for further information.
 
 # Replace these placeholder values with your own
-export CANARY_HASH="abcd1234"
-export CANARY_TOKEN="11a2222bb3333c444d555e6f777ggg88"
+CANARY_HASH="abcd1234"
+CANARY_TOKEN="11a2222bb3333c444d555e6f777ggg88"
+CANARY_IP_LIST="canary-ips-$(date +%Y-%m-%d).txt"
 
 # Query Canary API for all events, extract IPs, remove double quotes, and write to a text file for GreyNoise
-curl https://$CANARY_HASH.canary.tools/api/v1/incidents/outside_bird/search -d auth_token=$CANARY_TOKEN -d node_ids="INSERT_NODE_IDS" -G | jq '.src_ips[] | .ip_address' | sed 's/\"//g' | cat > canary-ips-$(date +%Y-%m-%d).txt
+curl "https://${CANARY_HASH}.canary.tools/api/v1/incidents/outside_bird/search -d auth_token=${CANARY_TOKEN}" -d node_ids="INSERT_NODE_IDS" -G \
+  | jq --raw-output '.src_ips[] | .ip_address' > "${CANARY_IP_LIST}"
 
 # Read through each line of the text file, send each IP to the GreyNoise Community API for context, and write the results to a JSON file
-file="canary-ips-$(date +%Y-%m-%d).txt"
-lines=$(cat $file)
-
-for line in $lines
+while read -r ip_address
 do
-  curl "https://api.greynoise.io/v3/community/$line" | jq '.' | cat >> GreyNoise-Canary-Threat-Intel-Report-$(date +%Y-%m-%d).json
-done
-
+  curl "https://api.greynoise.io/v3/community/${ip_address}" | jq '.'
+done < "${CANARY_IP_LIST}" > "GreyNoise-Canary-Threat-Intel-Report-$(date +%Y-%m-%d).json"
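Review bot: The closing double quote on the new Canary curl line is misplaced: it lands after `auth_token=${CANARY_TOKEN}`, so the text ` -d auth_token=…` becomes part of the URL argument rather than a separate query parameter and the request is malformed; the line should read `curl "https://${CANARY_HASH}.canary.tools/api/v1/incidents/outside_bird/search" -d "auth_token=${CANARY_TOKEN}" -d node_ids="INSERT_NODE_IDS" -G \`. With `-G` the token is sent in the query string either way, and as a bare argv value it is also visible to any local user via `ps`, so consider reading it from a permission-restricted file with `--data-urlencode "auth_token@<token file>"` instead of a variable in the script. Both curl invocations lack `--fail` (and `-s`), so an HTTP error body is piped into jq and written into the report as if it were data. The `ip_address` values read from the list file are interpolated straight into the GreyNoise URL; a guard such as `[[ "$ip_address" =~ ^[0-9a-fA-F.:]+$ ]] || continue` before the curl keeps an unexpected API response from producing a malformed request. The script header (shebang and any `set -euo pipefail`) lies outside this hunk, so I cannot tell whether the pipeline failures above would abort the run.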