Package Documentation
Storm Package: synapse-greynoise
The following Commands are available from this package. This documentation is generated for version 2.0.0 of the package.
Storm Commands
This package implements the following Storm Commands.
greynoise.community.ip
Query the GreyNoise Community API for IP context data.
The Community API provides community users with a free tool to query IPs
in the GreyNoise dataset and retrieve a subset of the full IP context data
returned by the IP Lookup API.
Examples:
// Query the Community API using an inet:ipv4 node
inet:ipv4=8.8.8.8 | greynoise.community.ip
// Query the Community API using an inet:ipv4 node but do not apply tags
inet:ipv4=8.8.8.8 | greynoise.community.ip --no-tags
Endpoints:
/v3/community/{ip} : Query the GreyNoise Community API for an IP address.
Usage: greynoise.community.ip [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--no-tags : Do not record tags returned by the GreyNoise API.
Inputs:
inet:ipv4 : inet:ipv4 nodes
The command is accessible to users with one or more of the following permissions:
power-ups.greynoise.user
greynoise.enrich
Enrich an inet:ipv4 node with GreyNoise data.
By default this command performs a quick check first to determine if the IP is
present in the GreyNoise noise or RIOT datasets. If so, it performs a full IP
lookup to retrieve detailed context including metadata, tags, and classification.
The --no-quickcheck argument skips the quick check and performs a full lookup directly.
Examples:
// Enrich an inet:ipv4 node
inet:ipv4=8.8.8.8 | greynoise.enrich
// Enrich an inet:ipv4 node, performing a full lookup without a quick check first.
inet:ipv4=8.8.8.8 | greynoise.enrich --no-quickcheck
Endpoints:
/v3/ip/{ip} : Retrieve full IP context from the GreyNoise IP Lookup API.
Usage: greynoise.enrich [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--no-tags : Do not record tags returned by the GreyNoise API.
--no-quickcheck : Perform a full IP lookup without a quick check first.
Inputs:
inet:ipv4 : inet:ipv4 nodes
The command is accessible to users with one or more of the following permissions:
power-ups.greynoise.user
greynoise.gnql.search
Query the GreyNoise GNQL search API.
This command takes a GNQL query as input to submit to the GreyNoise search API.
Results of the query will be used to create and enrich inet:ipv4 nodes with the
IP context data returned. More information on building GNQL queries can be
found in the GreyNoise API documentation at https://docs.greynoise.io/reference/gnqlv3query
This command will also create an it:exec:query node to represent the
query syntax and link resulting nodes to it via -(found)> edges.
Examples:
// Search for IPs that have been tagged as RDP scanners
greynoise.gnql.search 'tags:"RDP Scanner"'
// Search for all devices with a specific CVE
greynoise.gnql.search 'cve:CVE-2020-9054'
Endpoints:
/v3/gnql : Search for IPs using GreyNoise Query Language (GNQL).
Usage: greynoise.gnql.search [options] <query>
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--no-tags : Do not record tags returned by the GreyNoise API.
--size <size> : Limit the number of results ingested to the given size (per-node).
Arguments:
<query> : The GNQL query to perform.
The command is accessible to users with one or more of the following permissions:
power-ups.greynoise.user
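A Storm workflow chaining the search and enrichment commands above, added here as an example and not part of the package documentation; it assumes the default tag prefix rep.greynoise and the classification tag layout described under greynoise.setup.tagprefix. The it:exec:query :text property, the direction of the -(found)> edge, and the #my.suspicious tag are assumptions, not values from this package.

```storm
// Run the GNQL search with a cap on how many results are ingested.
// The command records the query as an it:exec:query node (see above).
greynoise.gnql.search --size 100 'tags:"RDP Scanner"'

// Later, pivot from the recorded query to the IPs it found and drop the
// ones GreyNoise classified as benign (assumed :text prop and edge direction).
it:exec:query:text='tags:"RDP Scanner"' -(found)> inet:ipv4 -#rep.greynoise.classification.benign

// Enrich IPs from your own telemetry (constructed tag #my.suspicious), forcing a
// full lookup without the quick check, then keep only the non-benign results.
inet:ipv4#my.suspicious | greynoise.enrich --no-quickcheck | -#rep.greynoise.classification.benign
```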
greynoise.gnql.stats
Query the GreyNoise GNQL stats API.
This command takes a GNQL query as input to submit to the GreyNoise GNQL stats API
and displays aggregate statistics for the top organizations, actors, tags, ASNs,
countries, classifications, and operating systems for the query results.
More information on building GNQL queries can be found in the GreyNoise API
documentation at https://docs.greynoise.io/reference/gnqlv3query
Examples:
// Search for things that have been tagged as RDP scanners
greynoise.gnql.stats 'tags:"RDP Scanner"'
Endpoints:
/v3/gnql/stats : Get aggregate statistics for a GNQL query.
Usage: greynoise.gnql.stats [options] <query>
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
--count <count> : Number of top aggregates to grab. (default: 100)
Arguments:
<query> : The GNQL query to perform.
The command is accessible to users with one or more of the following permissions:
power-ups.greynoise.user
greynoise.quickcheck
Query the GreyNoise IP quick check API.
This command takes an inet:ipv4 node as input to check whether a given IP address
is "Internet background noise", or has been observed scanning or attacking devices
across the Internet.
Examples:
// Query the quick check API using an inet:ipv4 node
inet:ipv4=8.8.8.8 | greynoise.quickcheck
Endpoints:
/v3/ip/{ip} : Retrieve full IP context from the GreyNoise IP Lookup API.
Usage: greynoise.quickcheck [options]
Options:
--help : Display the command usage.
--debug : Show verbose debug output.
Inputs:
inet:ipv4 : inet:ipv4 nodes
The command is accessible to users with one or more of the following permissions:
power-ups.greynoise.user
greynoise.setup.apikey
Set the GreyNoise API key.
Usage: greynoise.setup.apikey [options] <apikey>
Options:
--help : Display the command usage.
--self : Set the key as a user variable. If not used, the key is set globally.
Arguments:
<apikey> : The GreyNoise API key string.
The command is accessible to users with one or more of the following permissions:
power-ups.greynoise.user
greynoise.setup.tagprefix
Set the tag prefix used when recording GreyNoise tags.
The default tag prefix is "rep.greynoise" if not specified.
Any tags provided by a GreyNoise API will be added within the given namespace.
For example, the GreyNoise classification "benign" would result in
"#rep.greynoise.classification.benign". Any characters incompatible with tag
names are replaced with "_".
Usage: greynoise.setup.tagprefix [options] <tagname>
Options:
--help : Display the command usage.
Arguments:
<tagname> : The tag prefix to use.
The command is accessible to users with one or more of the following permissions:
power-ups.greynoise.user
greynoise.status
Print out the results of calling the GreyNoise /ping API.
Endpoints:
/ping : Check GreyNoise API status.
Usage: greynoise.status [options]
Options:
--help : Display the command usage.
The command is accessible to users with one or more of the following permissions:
power-ups.greynoise.user
Storm Modules
This package does not export any Storm APIs.