User Guide

Synapse-GreyNoise User Guide

Synapse-GreyNoise adds new Storm commands to allow you to query the GreyNoise API using your existing API key.

Getting Started

Check with your Admin to enable permissions and find out if you need a personal API key.

Examples

Setting your personal API key

To set-up a personal use API key:

> greynoise.setup.apikey --self myapikey
Setting Synapse-GreyNoise API key for the current user.

Enrich an `inet:ipv4` with data from the GreyNoise Community API

The GreyNoise Community API does not require an API key and can be used to enrich inet:ipv4 nodes with a subset of the IP context available:

> [ inet:ipv4=8.8.8.8 ] | greynoise.community.ip
inet:ipv4=8.8.8.8
        .created = 2024/04/17 17:06:15.231
        .seen = ('2021/09/28 00:00:00.000', '2021/09/28 00:00:00.001')
        :_greynoise:class = benign
        :_greynoise:name = google public dns
        :_greynoise:noise = false
        :_greynoise:riot = true
        :_greynoise:seen = ('2021/09/28 00:00:00.000', '2021/09/28 00:00:00.001')
        :type = unicast

Enrich an `inet:ipv4` with data from the GreyNoise Quick Check API

> [ inet:ipv4=94.226.98.236 ] | greynoise.quickcheck
inet:ipv4=94.226.98.236
        .created = 2024/04/17 17:06:15.407
        :_greynoise:noise = true
        :_greynoise:riot = false
        :type = unicast

Enrich an `inet:ipv4` with data from the GreyNoise RIOT API

> [ inet:ipv4=8.8.4.4 ] | greynoise.riot
inet:ipv4=8.8.4.4
        .created = 2024/04/17 17:06:15.569
        :_greynoise:category = public_dns
        :_greynoise:name = google public dns
        :_greynoise:riot = true
        :_greynoise:trust = 1
        :_greynoise:updated = 2021/09/28 17:52:41.000
        :type = unicast

Enrich an `inet:ipv4` with data from the GreyNoise IP Context API

> [ inet:ipv4=94.226.98.236 ] | greynoise.ipcontext
inet:ipv4=94.226.98.236
        .created = 2024/04/17 17:06:15.407
        .seen = ('2019/11/08 00:00:00.000', '2021/09/28 00:00:00.001')
        :_greynoise:category = isp
        :_greynoise:class = malicious
        :_greynoise:noise = true
        :_greynoise:orgname = telenet bvba
        :_greynoise:riot = false
        :_greynoise:seen = ('2019/11/08 00:00:00.000', '2021/09/28 00:00:00.001')
        :asn = 6848
        :dns:rev = 94-226-98-236.access.telenet.be
        :loc = be.flanders.westerlo
        :type = unicast
        #rep.greynoise.generic_iot_brute_force_attempt
        #rep.greynoise.mirai
        #rep.greynoise.telnet_bruteforcer
        #rep.greynoise.web_crawler
        #rep.greynoise.zmap_client

Use a GNQL query to search

A GNQL query can be used to search the GreyNoise dataset:

> greynoise.gnql.search "cve:CVE-2020-9054"
inet:ipv4=37.0.8.38
        .created = 2024/04/17 17:06:16.182
        .seen = ('2021/09/24 00:00:00.000', '2021/09/27 00:00:00.001')
        :_greynoise:category = hosting
        :_greynoise:class = malicious
        :_greynoise:orgname = delis llc
        :_greynoise:seen = ('2021/09/24 00:00:00.000', '2021/09/27 00:00:00.001')
        :asn = 211252
        :dns:rev = jugg.water24s.xyz
        :loc = nl.utrecht.soest
        :type = unicast
        #rep.greynoise.chinanet_ssh_bruteforcer
        #rep.greynoise.cve_2020_9054
        #rep.greynoise.ssh_worm
        #rep.greynoise.web_crawler
        #rep.greynoise.zmap_client
        #rep.greynoise.zyxel_firewall_nas_rce

More information on building GNQL queries can be found in the GreyNoise API documentation

Check API key status

Display information about the API key in use:

> greynoise.status
expiration: 2021-10-07
message: pong
offering: enterprise_trial

Use of `meta:source` nodes

Synapse-GreyNoise uses a meta:source node and -(seen)> light weight edges to track nodes observed from the GreyNoise API.

> meta:source=510adcbf0dd722f1395232ef5647ed61
meta:source=510adcbf0dd722f1395232ef5647ed61
        .created = 2024/04/17 17:06:15.358
        :name = greynoise api

Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-GreyNoise. The following example shows how to filter the results of a query to include only results observed by Synapse-GreyNoise:

> inet:ipv4#myips +{ <(seen)- meta:source=510adcbf0dd722f1395232ef5647ed61 }
inet:ipv4=94.226.98.236
        .created = 2024/04/17 17:06:15.407
        .seen = ('2019/11/08 00:00:00.000', '2021/09/28 00:00:00.001')
        :_greynoise:category = isp
        :_greynoise:class = malicious
        :_greynoise:noise = true
        :_greynoise:orgname = telenet bvba
        :_greynoise:riot = false
        :_greynoise:seen = ('2019/11/08 00:00:00.000', '2021/09/28 00:00:00.001')
        :asn = 6848
        :dns:rev = 94-226-98-236.access.telenet.be
        :loc = be.flanders.westerlo
        :type = unicast
        #myips
        #rep.greynoise.generic_iot_brute_force_attempt
        #rep.greynoise.mirai
        #rep.greynoise.telnet_bruteforcer
        #rep.greynoise.web_crawler
        #rep.greynoise.zmap_client
inet:ipv4=37.0.8.38
        .created = 2024/04/17 17:06:16.182
        .seen = ('2021/09/24 00:00:00.000', '2021/09/27 00:00:00.001')
        :_greynoise:category = hosting
        :_greynoise:class = malicious
        :_greynoise:orgname = delis llc
        :_greynoise:seen = ('2021/09/24 00:00:00.000', '2021/09/27 00:00:00.001')
        :asn = 211252
        :dns:rev = jugg.water24s.xyz
        :loc = nl.utrecht.soest
        :type = unicast
        #myips
        #rep.greynoise.chinanet_ssh_bruteforcer
        #rep.greynoise.cve_2020_9054
        #rep.greynoise.ssh_worm
        #rep.greynoise.web_crawler
        #rep.greynoise.zmap_client
        #rep.greynoise.zyxel_firewall_nas_rce
inet:ipv4=8.8.8.8
        .created = 2024/04/17 17:06:15.231
        .seen = ('2021/09/28 00:00:00.000', '2021/09/28 00:00:00.001')
        :_greynoise:class = benign
        :_greynoise:name = google public dns
        :_greynoise:noise = false
        :_greynoise:riot = true
        :_greynoise:seen = ('2021/09/28 00:00:00.000', '2021/09/28 00:00:00.001')
        :type = unicast
        #myips