User Guide

Synapse-GreyNoise User Guide

Synapse-GreyNoise adds new Storm commands to allow you to query the GreyNoise API using your existing API key.

Getting Started

Check with your Admin to enable permissions and find out if you need a personal API key.

Examples

Setting your personal API key

To set-up a personal use API key:

> greynoise.setup.apikey --self myapikey
Setting Synapse-GreyNoise API key for the current user.

Enrich an inet:ipv4 with data from the GreyNoise Community API

The GreyNoise Community API does not require an API key and can be used to enrich inet:ipv4 nodes with a subset of the IP context available:

> [ inet:ipv4=8.8.8.8 ] | greynoise.community.ip
inet:ipv4=8.8.8.8
        .created = 2024/12/20 18:03:24.411
        .seen = ('2021/09/28 00:00:00.000', '2021/09/28 00:00:00.001')
        :_greynoise:class = benign
        :_greynoise:name = google public dns
        :_greynoise:noise = false
        :_greynoise:riot = true
        :_greynoise:seen = ('2021/09/28 00:00:00.000', '2021/09/28 00:00:00.001')
        :type = unicast

Enrich an inet:ipv4 with data from the GreyNoise Quick Check API

> [ inet:ipv4=94.226.98.236 ] | greynoise.quickcheck
inet:ipv4=94.226.98.236
        .created = 2024/12/20 18:03:24.583
        :_greynoise:noise = true
        :_greynoise:riot = false
        :type = unicast

Enrich an inet:ipv4 with data from the GreyNoise RIOT API

> [ inet:ipv4=8.8.4.4 ] | greynoise.riot
inet:ipv4=8.8.4.4
        .created = 2024/12/20 18:03:24.742
        :_greynoise:category = public_dns
        :_greynoise:name = google public dns
        :_greynoise:riot = true
        :_greynoise:trust = 1
        :_greynoise:updated = 2021/09/28 17:52:41.000
        :type = unicast

Enrich an inet:ipv4 with data from the GreyNoise IP Context API

> [ inet:ipv4=94.226.98.236 ] | greynoise.ipcontext
inet:ipv4=94.226.98.236
        .created = 2024/12/20 18:03:24.583
        .seen = ('2019/11/08 00:00:00.000', '2021/09/28 00:00:00.001')
        :_greynoise:category = isp
        :_greynoise:class = malicious
        :_greynoise:noise = true
        :_greynoise:orgname = telenet bvba
        :_greynoise:riot = false
        :_greynoise:seen = ('2019/11/08 00:00:00.000', '2021/09/28 00:00:00.001')
        :asn = 6848
        :dns:rev = 94-226-98-236.access.telenet.be
        :loc = be.flanders.westerlo
        :type = unicast
        #rep.greynoise.generic_iot_brute_force_attempt
        #rep.greynoise.mirai
        #rep.greynoise.telnet_bruteforcer
        #rep.greynoise.web_crawler
        #rep.greynoise.zmap_client

Check API key status

Display information about the API key in use:

> greynoise.status
expiration: 2021-10-07
message: pong
offering: enterprise_trial

Use of meta:source nodes

Synapse-GreyNoise uses a meta:source node and -(seen)> light weight edges to track nodes observed from the GreyNoise API.

> meta:source=510adcbf0dd722f1395232ef5647ed61
meta:source=510adcbf0dd722f1395232ef5647ed61
        .created = 2024/12/20 18:03:24.535
        :name = greynoise api

Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-GreyNoise. The following example shows how to filter the results of a query to include only results observed by Synapse-GreyNoise:

> inet:ipv4#myips +{ <(seen)- meta:source=510adcbf0dd722f1395232ef5647ed61 }
inet:ipv4=94.226.98.236
        .created = 2024/12/20 18:03:24.583
        .seen = ('2019/11/08 00:00:00.000', '2021/09/28 00:00:00.001')
        :_greynoise:category = isp
        :_greynoise:class = malicious
        :_greynoise:noise = true
        :_greynoise:orgname = telenet bvba
        :_greynoise:riot = false
        :_greynoise:seen = ('2019/11/08 00:00:00.000', '2021/09/28 00:00:00.001')
        :asn = 6848
        :dns:rev = 94-226-98-236.access.telenet.be
        :loc = be.flanders.westerlo
        :type = unicast
        #myips
        #rep.greynoise.generic_iot_brute_force_attempt
        #rep.greynoise.mirai
        #rep.greynoise.telnet_bruteforcer
        #rep.greynoise.web_crawler
        #rep.greynoise.zmap_client
inet:ipv4=37.0.8.38
        .created = 2024/12/20 18:03:25.342
        .seen = ('2021/09/24 00:00:00.000', '2021/09/27 00:00:00.001')
        :_greynoise:category = hosting
        :_greynoise:class = malicious
        :_greynoise:orgname = delis llc
        :_greynoise:seen = ('2021/09/24 00:00:00.000', '2021/09/27 00:00:00.001')
        :asn = 211252
        :dns:rev = jugg.water24s.xyz
        :loc = nl.utrecht.soest
        :type = unicast
        #myips
        #rep.greynoise.chinanet_ssh_bruteforcer
        #rep.greynoise.cve_2020_9054
        #rep.greynoise.ssh_worm
        #rep.greynoise.web_crawler
        #rep.greynoise.zmap_client
        #rep.greynoise.zyxel_firewall_nas_rce
inet:ipv4=8.8.8.8
        .created = 2024/12/20 18:03:24.411
        .seen = ('2021/09/28 00:00:00.000', '2021/09/28 00:00:00.001')
        :_greynoise:class = benign
        :_greynoise:name = google public dns
        :_greynoise:noise = false
        :_greynoise:riot = true
        :_greynoise:seen = ('2021/09/28 00:00:00.000', '2021/09/28 00:00:00.001')
        :type = unicast
        #myips