User Guide
Synapse-GreyNoise User Guide
Synapse-GreyNoise adds new Storm commands to allow you to query the GreyNoise API using your existing API key.
Getting Started
Check with your Admin to enable permissions and find out if you need a personal API key.
Examples
Setting your personal API key
To set-up a personal use API key:
> greynoise.setup.apikey --self myapikey
Setting Synapse-GreyNoise API key for the current user.
Enrich an inet:ipv4
with data from the GreyNoise Community API
The GreyNoise Community API does not require an API key and can be used to enrich
inet:ipv4
nodes with a subset of the IP context available:
> [ inet:ipv4=8.8.8.8 ] | greynoise.community.ip
inet:ipv4=8.8.8.8
.created = 2024/12/20 18:03:24.411
.seen = ('2021/09/28 00:00:00.000', '2021/09/28 00:00:00.001')
:_greynoise:class = benign
:_greynoise:name = google public dns
:_greynoise:noise = false
:_greynoise:riot = true
:_greynoise:seen = ('2021/09/28 00:00:00.000', '2021/09/28 00:00:00.001')
:type = unicast
Enrich an inet:ipv4
with data from the GreyNoise Quick Check API
> [ inet:ipv4=94.226.98.236 ] | greynoise.quickcheck
inet:ipv4=94.226.98.236
.created = 2024/12/20 18:03:24.583
:_greynoise:noise = true
:_greynoise:riot = false
:type = unicast
Enrich an inet:ipv4
with data from the GreyNoise RIOT API
> [ inet:ipv4=8.8.4.4 ] | greynoise.riot
inet:ipv4=8.8.4.4
.created = 2024/12/20 18:03:24.742
:_greynoise:category = public_dns
:_greynoise:name = google public dns
:_greynoise:riot = true
:_greynoise:trust = 1
:_greynoise:updated = 2021/09/28 17:52:41.000
:type = unicast
Enrich an inet:ipv4
with data from the GreyNoise IP Context API
> [ inet:ipv4=94.226.98.236 ] | greynoise.ipcontext
inet:ipv4=94.226.98.236
.created = 2024/12/20 18:03:24.583
.seen = ('2019/11/08 00:00:00.000', '2021/09/28 00:00:00.001')
:_greynoise:category = isp
:_greynoise:class = malicious
:_greynoise:noise = true
:_greynoise:orgname = telenet bvba
:_greynoise:riot = false
:_greynoise:seen = ('2019/11/08 00:00:00.000', '2021/09/28 00:00:00.001')
:asn = 6848
:dns:rev = 94-226-98-236.access.telenet.be
:loc = be.flanders.westerlo
:type = unicast
#rep.greynoise.generic_iot_brute_force_attempt
#rep.greynoise.mirai
#rep.greynoise.telnet_bruteforcer
#rep.greynoise.web_crawler
#rep.greynoise.zmap_client
Use a GNQL query to search
A GNQL query can be used to search the GreyNoise dataset:
> greynoise.gnql.search "cve:CVE-2020-9054"
inet:ipv4=37.0.8.38
.created = 2024/12/20 18:03:25.342
.seen = ('2021/09/24 00:00:00.000', '2021/09/27 00:00:00.001')
:_greynoise:category = hosting
:_greynoise:class = malicious
:_greynoise:orgname = delis llc
:_greynoise:seen = ('2021/09/24 00:00:00.000', '2021/09/27 00:00:00.001')
:asn = 211252
:dns:rev = jugg.water24s.xyz
:loc = nl.utrecht.soest
:type = unicast
#rep.greynoise.chinanet_ssh_bruteforcer
#rep.greynoise.cve_2020_9054
#rep.greynoise.ssh_worm
#rep.greynoise.web_crawler
#rep.greynoise.zmap_client
#rep.greynoise.zyxel_firewall_nas_rce
More information on building GNQL queries can be found in the GreyNoise API documentation
Check API key status
Display information about the API key in use:
> greynoise.status
expiration: 2021-10-07
message: pong
offering: enterprise_trial
Use of meta:source
nodes
Synapse-GreyNoise uses a meta:source
node and -(seen)>
light
weight edges to track nodes observed from the GreyNoise API.
> meta:source=510adcbf0dd722f1395232ef5647ed61
meta:source=510adcbf0dd722f1395232ef5647ed61
.created = 2024/12/20 18:03:24.535
:name = greynoise api
Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-GreyNoise. The following example shows how to filter the results of a query to include only results observed by Synapse-GreyNoise:
> inet:ipv4#myips +{ <(seen)- meta:source=510adcbf0dd722f1395232ef5647ed61 }
inet:ipv4=94.226.98.236
.created = 2024/12/20 18:03:24.583
.seen = ('2019/11/08 00:00:00.000', '2021/09/28 00:00:00.001')
:_greynoise:category = isp
:_greynoise:class = malicious
:_greynoise:noise = true
:_greynoise:orgname = telenet bvba
:_greynoise:riot = false
:_greynoise:seen = ('2019/11/08 00:00:00.000', '2021/09/28 00:00:00.001')
:asn = 6848
:dns:rev = 94-226-98-236.access.telenet.be
:loc = be.flanders.westerlo
:type = unicast
#myips
#rep.greynoise.generic_iot_brute_force_attempt
#rep.greynoise.mirai
#rep.greynoise.telnet_bruteforcer
#rep.greynoise.web_crawler
#rep.greynoise.zmap_client
inet:ipv4=37.0.8.38
.created = 2024/12/20 18:03:25.342
.seen = ('2021/09/24 00:00:00.000', '2021/09/27 00:00:00.001')
:_greynoise:category = hosting
:_greynoise:class = malicious
:_greynoise:orgname = delis llc
:_greynoise:seen = ('2021/09/24 00:00:00.000', '2021/09/27 00:00:00.001')
:asn = 211252
:dns:rev = jugg.water24s.xyz
:loc = nl.utrecht.soest
:type = unicast
#myips
#rep.greynoise.chinanet_ssh_bruteforcer
#rep.greynoise.cve_2020_9054
#rep.greynoise.ssh_worm
#rep.greynoise.web_crawler
#rep.greynoise.zmap_client
#rep.greynoise.zyxel_firewall_nas_rce
inet:ipv4=8.8.8.8
.created = 2024/12/20 18:03:24.411
.seen = ('2021/09/28 00:00:00.000', '2021/09/28 00:00:00.001')
:_greynoise:class = benign
:_greynoise:name = google public dns
:_greynoise:noise = false
:_greynoise:riot = true
:_greynoise:seen = ('2021/09/28 00:00:00.000', '2021/09/28 00:00:00.001')
:type = unicast
#myips