Hey everyone, this Brad Chiappetta and this is the GreyNoise XSOAR demo. Just wanted to go through the basics of what the GreyNoise pack has to offer and show some of the basics of how you can get value out of it right away.
So you can find the the GreyNoise pack by browsing in the XSOAR marketplace and installing it. Once it is installed, you'll go ahead and go over to Settings. And you can look for GreyNoise here, there's going to be both the GreyNoise and the GreyNoise Community pack. Today we're going to be focused on the full GreyNoise pack, which provides access to all of the paid components of the GreyNoise service. For reference, the GreyNoise Community pack is limited to a single action and is only accessing data available to our Community users.
As for setting up the integration, it is pretty straightforward and simple to do. As expected, you would go in, setup an instance and drop in your API key. You can run a quick test, ensure that the API key is valid, and then save and exit. And that's going to go ahead and enable the integration. There are a handful of custom commands and a few playbooks that are available. I’m going to review the playbooks first, just to show what those look like.
So if we search for GreyNoise in the playbooks, you'll see that there are a few different calculation and IP reputation playbooks. Each one of these goes through sort of a different set of modification of either an indicator or an incident to modify the priority with, based on the data that GreyNoise is providing on that particular indicator. We do have different ones for ingress versus egress traffic, as the logic is a little bit different for there. So you'll want to sort of review each one of those a little bit more in depth. The main difference is just the severity ratings that are displayed in the end for the indicators. Next, I'm going to go over and take a look at an incident that I brought in. So here's an incident that I have set up here in XSOAR. And what we've seen is that this incident has had a handful of indicators included in the investigation data, and each one of those indicators has been pulled out and enriched.
The GreyNoise pack automatically adds data to the IP reputation command. So if you're using the IP reputation command and some of your playbooks already, you'll see that the GreyNoise data automatically starts flowing in, and we're going to go ahead and impact the reputation here. And you'll see us listed as one of the sources that has enriched each one of those indicators. Once we are enabled, if you want to go ahead and dig into an indicator, we can go ahead and look at the full details. And we can see some of the data that GreyNoise has provided. So you can see that in this demo, we have both VirusTotal and GreyNoise enriching this indicator. And then by viewing the details of what the integration has returned, you can see that this IP address has come from the GreyNoise RIOT dataset. And we're indicating that it is a CDN. And so you can use this additional information to impact the investigation that you're doing.
After going back to the incident we can dig into another one of these just to see what else we have. So this is one that has been set as malicious. So if we again browse into those full details, we can see that VirusTotal has actually given us a good indication, while GreyNoise is indicating it as malicious. And you can see that the maliciousness is based off of the tag data that we've seen. And you can also get a full indication of what our classification is, if we've identified an actor, and if the traffic that we've observed from this is spoofable. Whether it's come from a VPN, whether it's known bot activity, or whether it's Tor exit node. Plus, you can see the first and last time data that we observed. As a reminder, GreyNoise is providing internet background noise data. And so what we're telling you is that this IP address has been observed scanning the internet, and there is some malicious intent behind what it is doing. And so you sort of want to take that into consideration as you're going through. Again, this is going to be just an opportunistic scan; it's not something that's necessarily going to be targeted at your environment. But you want to go ahead and proceed with your investigation with whatever your protocols and processes are for that data.
In addition, we're going to go back to our investigation and we're going to see what has been added to the war room. So for each one of the indicators, we can see, again, the full summary details here. You're able to go ahead and actually navigate out to a direct link to the Greynoise Visualizer, if you want to see the full data available on our Visualizer. You can also browse up and see the remaining information available here.
Some additional things that we can look for, we can see if any of these have CVEs associated with it. So what this is indicating is that this particular IP address has been known to search for this CVE. So something that may be of interest, and something else that you can do, is see what else GreyNoise knows about this particular CVE and what its scanning profile looks like. So if we do a GreyNoise custom query down here, and we say we want to go ahead and pass it a CVE, we pop in that CVE number, and we run this, that's going to add that query to our war room, so we can see that additional context. And you can see that there have been quite a few IP addresses out there scanning for the CVE. This is likely associated with EternalBlue and that's why we're seeing so many hits. So that is one of the many pivot points that you can do.
Again, from our custom commands, you can see that we have a context command, which is going to do an IP check to see if it's part of our internet scanning database. We can do a quick check, which is going to just give you a quick yes, no on a particular IP address. So let me show you an example of that one. So if we do a quick check on just something simple, say, quad1 (1.1.1.1) here, we pass it in, and we can see what's returned. So again, we're just going to get that quick look up and say, “Is it internet noise?” No, it is not, is it in RIOT, which means is it a common business service. And we get a true response on that as well along some additional information. Additionally, we also have the query which I've shown, we also have a straight RIOT lookup, so if you want to go ahead and see if an IP address just belongs to a common business service, you can pass an IP to that.
And then if you want to get stats, which we're going to say, is basically sort of built on a query. So for instance, let's say we want to go ahead and just see what's going on with GreyNoise for the last day, we can do a last seen one day with stats. And this is just going to give us some of the overview information to see what GreyNoise has seen. So GreyNoise as observed 200,000 IP addresses. Here's the breakdown of their classifications, how many are suitable or not, the top organizations we're seeing, and the top actors. And again, if you want to browse out to the full data, you can see the full data table as you expand out the results of this action and see all of the different statistics that have come back for what we have seen in the last day.
Then we can also go ahead and take a look at our work plan to see what was used here. So in this case, I was using the IP reputation command. So we've determined, “Are there IP addresses to enrich in here? Is GreyNoise enabled?” And then we're going to go ahead and ensure that we run that GreyNoise IP reputation. So, very simple, very straightforward, just to ensure that GreyNoise is in fact enriching all of those external IP addresses as they come in.
I'm now going to navigate out and see if I can find another playbook here. If we look at our last 30 days, we go ahead and pull in, looking at an incident that contains a whole bunch of external IP addresses, all of the data, again, parsed out with GreyNoise enriching the data where we can. And then if we go ahead and look at the work plan here, in this case, we've used our ingress network traffic, and what we're actually going through here is we're getting the IP enrichment data from GreyNoise, and then we're actually modifying the severity of the incident to medium, based on what we've actually seen. So in this particular case, you can see our severity has been set as medium. And based on the logic you want to build in, you can go ahead and modify this to whatever meets your typical SLA and procedures around this kind of data.
And that is the GreyNoise integration in a nutshell. If you have any further questions, you can always reach out to us at support@greynoise.io. Thanks!
