Package Documentation
Storm Package: synapse-greynoise
The following Commands are available from this package. This documentation is generated for version 1.5.2 of the package.
Storm Commands
This package implements the following Storm Commands.
greynoise.community.ip
Query the GreyNoise Community API for IP context data.
The Community API provides community users with a free tool to query IPs
in the GreyNoise dataset and retrieve a subset of the full IP context data
returned by the IP Lookup API.
Examples:
// Query the Community API using an inet:ipv4 node
inet:ipv4=8.8.8.8 | greynoise.community.ip
// Query the Community API using an inet:ipv4 node but do not apply tags
inet:ipv4=8.8.8.8 | greynoise.community.ip --no-tags
Usage: greynoise.community.ip [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--no-tags : Do not record tags returned by the GreyNoise API.
--asof <asof> : This argument is deprecated and no longer has any effect.
greynoise.enrich
Query the GreyNoise IP quick check, RIOT, and IP Context APIs.
By default this command takes an inet:ipv4 node as input and queries the IP quick check
API first. Depending on the quick check result, the command then also queries the RIOT
and/or IP Context APIs. The --no-quickcheck argument can be provided to skip the
quick check and query both the RIOT and IP Context APIs directly.
Examples:
// Enrich an inet:ipv4 node
inet:ipv4=8.8.8.8 | greynoise.enrich
// Enrich an inet:ipv4, querying both the RIOT and IP Context APIs without using the
// IP quick check.
inet:ipv4=8.8.8.8 | greynoise.enrich --no-quickcheck
Usage: greynoise.enrich [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--asof <asof> : This argument is deprecated and no longer has any effect.
--no-tags : Do not record tags returned by the GreyNoise API.
--no-quickcheck : Query both the RIOT and IP Context APIs without a quick check first.
greynoise.gnql.search
Query the GreyNoise GNQL search API.
This command takes a GNQL query as input to submit to the GreyNoise search API.
Results of the query will be used to create and enrich inet:ipv4 nodes with the
IP context data returned. More information on building GNQL queries can be
found in the GreyNoise API documentation at https://docs.greynoise.io/reference/gnqlquery-1
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Examples:
// Search for IPs that have been tagged as RDP scanners
greynoise.gnql.search 'tags:"RDP Scanner"'
// Search for all devices with a specific CVE
greynoise.gnql.search 'cve:CVE-2020-9054'
Usage: greynoise.gnql.search [options] <query>
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--no-tags : Do not record tags returned by the GreyNoise API.
--asof <asof> : This argument is deprecated and no longer has any effect.
--size <size> : Limit the number of results ingested to the given size (per-node).
Arguments:
<query> : The GNQL query to perform.
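As an added example (not part of the package documentation), the following Storm queries cap the number of ingested results with --size and later recover the same result set from the it:exec:query node by walking the -(found)> edges described above, instead of spending another API query. The :text property of it:exec:query, the uniq command, and the pivot to inet:asn are assumed from the standard Synapse model and core Storm commands; they are not documented on this page.

```storm
// Added example, not code from the synapse-greynoise package.
// Assumes the it:exec:query form stores the submitted GNQL in its :text
// property (standard Synapse model) and the "found" edge verb documented above.

// Ingest at most 50 IPs for the query and tag them under the configured prefix.
greynoise.gnql.search --size 50 'cve:CVE-2020-9054'

// Later: lift the query node by its text, walk the -(found)> edges to the
// inet:ipv4 nodes it produced, then pivot to their ASNs to see where the
// affected hosts sit. uniq collapses ASNs shared by several IPs.
it:exec:query:text='cve:CVE-2020-9054' -(found)> inet:ipv4 -> inet:asn | uniq
```

Because the edges are stored in the Cortex, the second query works offline against data already ingested; re-running greynoise.gnql.search is only needed when the GreyNoise result set is expected to have changed.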
greynoise.gnql.stats
Query the GreyNoise GNQL stats API.
This command takes a GNQL query as input to submit to the GreyNoise GNQL stats API
and displays aggregate statistics for the top organizations, actors, tags, ASNs,
countries, classifications, and operating systems for the query results.
More information on building GNQL queries can be found in the GreyNoise API
documentation at https://docs.greynoise.io/reference/gnqlquery-1
Examples:
// Search for things that have been tagged as RDP scanners
greynoise.gnql.stats 'tags:"RDP Scanner"'
Usage: greynoise.gnql.stats [options] <query>
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--count <count> : Number of top aggregates to grab. (default: 100)
Arguments:
<query> : The GNQL query to perform.
greynoise.ipcontext
Query the GreyNoise IP context API.
This command takes an inet:ipv4 node as input and enriches it with data from the
GreyNoise IP context API. This API returns time ranges, IP metadata (network owner,
ASN, reverse DNS pointer, country), associated actors, activity tags, and raw port scan
and web request information.
Examples:
// Query the IP context API using an inet:ipv4 node
inet:ipv4=161.117.234.232 | greynoise.ipcontext
// Query the IP context API using an inet:ipv4 node but do not apply tags
inet:ipv4=161.117.234.232 | greynoise.ipcontext --no-tags
Usage: greynoise.ipcontext [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--no-tags : Do not record tags returned by the GreyNoise API.
--asof <asof> : This argument is deprecated and no longer has any effect.
greynoise.quickcheck
Query the GreyNoise IP quick check API.
This command takes an inet:ipv4 node as input to check whether a given IP address
is "Internet background noise", or has been observed scanning or attacking devices
across the Internet.
Examples:
// Query the quick check API using an inet:ipv4 node
inet:ipv4=8.8.8.8 | greynoise.quickcheck
Usage: greynoise.quickcheck [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--asof <asof> : This argument is deprecated and no longer has any effect.
greynoise.riot
Query the GreyNoise RIOT API.
This command takes an inet:ipv4 node as input to check whether a given IP address
is present in the GreyNoise RIOT dataset of known benign services and organizations.
Examples:
// Query the RIOT API using an inet:ipv4 node
inet:ipv4=8.8.8.8 | greynoise.riot
Usage: greynoise.riot [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--asof <asof> : This argument is deprecated and no longer has any effect.
greynoise.setup.apikey
Set the GreyNoise API key.
Usage: greynoise.setup.apikey [options] <apikey>
Options:
--help : Display the command usage.
--self : Set the key as a user variable for the current user only. If not used, the key is set globally.
Arguments:
<apikey> : The GreyNoise API key string.
greynoise.setup.tagprefix
Set the tag prefix used when recording GreyNoise tags.
The default tag prefix is "rep.greynoise" if not specified.
Any tags provided by a GreyNoise API will be added within the given namespace.
For example, the GreyNoise classification "benign" would result in
"#rep.greynoise.classification.benign". Any characters incompatible with tag
names are replaced with "_".
Usage: greynoise.setup.tagprefix [options] <tagname>
Options:
--help : Display the command usage.
Arguments:
<tagname> : The tag prefix to use.
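As an added example that ties together greynoise.setup.apikey, greynoise.setup.tagprefix and greynoise.enrich (it is not code from the package), the queries below store a per-user key, switch the tag prefix, enrich a set of IPs and then filter on the resulting classification tag. The API key is a placeholder, the #triage.untriaged and #triage.benign tags are hypothetical local tags, and it is assumed that greynoise.enrich yields its input nodes so they can be filtered downstream; none of these are stated on this page.

```storm
// Added example, not code from the synapse-greynoise package.
// Assumptions: the key is a placeholder, #triage.* tags are hypothetical,
// and greynoise.enrich yields its input inet:ipv4 nodes to the next stage.
// Run each numbered step as its own query.

// 1. Store the API key as a user variable for the current user only.
//    Without --self the key is set globally rather than per user.
greynoise.setup.apikey --self "00000000-0000-0000-0000-000000000000"

// 2. Record GreyNoise tags under #rep.gn instead of the default #rep.greynoise.
greynoise.setup.tagprefix rep.gn

// 3. Enrich the IPs waiting for triage. With the prefix above, a GreyNoise
//    classification of "benign" is recorded as #rep.gn.classification.benign,
//    so filter on that tag and move the matching nodes out of the triage queue.
inet:ipv4#triage.untriaged | greynoise.enrich
| +#rep.gn.classification.benign
| [ -#triage.untriaged +#triage.benign ]
```

Changing the prefix only affects tags recorded from that point on; nodes enriched earlier keep their tags under the previous prefix, so pick the prefix once before bulk enrichment or account for both namespaces when filtering.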
greynoise.status
Print out the results of calling the GreyNoise /ping API.
Usage: greynoise.status [options]
Options:
--help : Display the command usage.
Storm Modules
This package does not export any Storm APIs.