At GreyNoise, we collect, analyze and label data on IPs that saturate security tools with noise. This unique perspective helps analysts waste less time on irrelevant or harmless activity, and spend more time focused on targeted and emerging threats.
The GreyNoise Enterprise Transforms for Maltego allow users to identify and correlate activity that is related to mass internet scanning. Enriching an IP with GreyNoise shows what activity that IP has been observed performing against sections of the internet. Using the GreyNoise Enterprise Transforms, investigators can pull all of the data that GreyNoise holds on an IP address, or pull only the CVEs, tags, ports or actor that the IP has been observed scanning with, and then pivot on any of those to find the other IPs that share them.
Hi, my name is Brad Chiappetta with GreyNoise, and in this session I'm going to be doing a basic review of the GreyNoise integration with Maltego. For those that are familiar with Maltego, we want to call out that there are two transform sets that are available: there is a GreyNoise Enterprise and a GreyNoise Community version of the transforms. For those that are using the Maltego Community Edition, you will only have access to the GreyNoise Community transform. The GreyNoise Enterprise transform does require a paid version of the Maltego product.
Alright, so in addition to that information, we want to go ahead and just review the general details of what each of these has. You can see for the Community edition, there are some basic data allowances that are identified here; you can reach out to Maltego for more information there. But this transform includes just a simple lookup using the GreyNoise Community API, and so you can use it with your GreyNoise Community API key to go ahead and get access to an increased number of lookups. The GreyNoise Enterprise transform includes access to the more comprehensive paid APIs that GreyNoise offers, including access to our Noise Context, employee, our RIOT lookups, and some basic query endpoints as well.
Alright, so we'll go ahead and dive right in. I'm just going to open up a new graph here and show some of the basic functionality of what we're able to do with the transform. So, GreyNoise being largely IPv4 based, we're gonna go ahead and add an IPv4 entity here; I'm just gonna go ahead and update the value here from the default one. Alright, once we've included that, I'm going to go ahead and click on here, and I'm going to back out, and I'm first going to show the GreyNoise Community transform. This is a very simple IP lookup that is pulling back all of the data from the Community API and sort of presenting that to the user here on the graph. So you can see in this case we're pulling back a classification, whether or not it is internet noise, and whether this IP address was in our RIOT dataset.
So let's go ahead and give another example here. So we'll pull another entity in, we'll go ahead and enter something along the lines of quality, and we'll pass that through to the Community endpoint as well. We'll pull that data back, and we'll see what that looks like. So not only do we get the classification, we also get this notification that says, hey, this is a common business service IP address, which means it's part of the RIOT dataset. And then you also get an indicator of who that provider is; so in this case, it's a Google Public DNS IP address. There's also some data over here that's included in the detailed view, including a link out to the GreyNoise Visualizer, so you can see that data on our Visualizer. And then we've captured some of the additional details here. And for those IP addresses that GreyNoise does not know anything about, we'll go ahead and just use this default IP address here. What you should get back here is just a simple response that indicates that this IP address is not noise, which means that we have no information on this; it's not in either of our datasets.
Right, so I'm gonna go ahead and just open up another graph. And now we're going to do sort of this same exercise, but this time we'll go ahead and begin looking at the actual full paid APIs in the back end. So these are going to require you to have a full GreyNoise API key; when you're setting up the transform, you'll be prompted for that the first time that you use it. And then once you have that enabled, you'll be able to go and use the GreyNoise Enterprise set here, and you have a couple of different options. Alright. So in many cases, you're going to use All Details, which is going to pull in the most comprehensive response from the transform. And that's going to give you everything that we have on this IP address, including classification, whether it is noise, the ASN information if we have it, accurate location information, and then our tags and the associated ports that are being scanned for by that particular IP address.
So there are a couple of different places that you can pivot. So you can pivot from a tag here, and you now have the ability to find all of the IP addresses that GreyNoise has seen scanning with the same tag. This is going to open up some additional inputs that are required for this. By default, we sort of recommend that you just use the Today option, but you can look back a little bit further. And then if you wanted to filter and say, hey, I'm curious about this behavior on a specific port, or coming from a specific agent, and/or coming from a specific actor, you can go ahead and include that information, and that will be part of the query that is passed along. But when you go ahead and run this, it'll pull back all of the associated IP addresses that we have for this particular tag. And if we sort of scroll down and navigate here, we can then see what's available from this. And then if we wanted to, we can go ahead and select all of these and say we want to go ahead and pull all of the details back on these as well, and we can sort of expand out the graph to see all of the different relationships between these IP addresses. And then again, Maltego allows you to transform these, and so you can see sort of that correlated information between all of the different ASNs, the different locations, all of the different actors, and you can see where the overlap is. And you can see, again, a correlation back to all of our different classifications, whether or not they're internet noise, and what tag they belong to.
I'm gonna go ahead and open up another graph here and give you an example of a couple of the other ways that you can do IP lookups. So I'm going to use our body as an example here to do a RIOT lookup. So if I do an IP RIOT lookup here, this is going to go ahead and hit the RIOT API and pull in anything here that we might know about this, showing that it is a common business service. So in this case, we're confirming this IP address is part of RIOT; it's a common business service. We're also giving it a RIOT classification and saying, in this case, this is equivalent to a trust level 1, which means that you can reasonably ignore any activity going on here. And this is going to give you the indication of who owns this IP address, so you can understand sort of the information that we provided with additional context. So in this case, this IP address is owned and operated as part of the Google Public DNS project. So if we go ahead and clear that out, we'll go ahead and dig into some of the additional ways and some of the more simplified data that you can pull back into the transforms. So I'm going to pull in a known IP address here, and then you'll see some of the other information that we have. I can go and say, you know, I want just the actor information, if it's available.
So in this particular case, I'm going to run this one; this one probably doesn't have an actor associated with it, so it'll go ahead and complete but not return anything back to the graph here. I can say, hey, let me get organization information; again, if it exists, we'll see what that is, and it'll get associated here. So in this case, we do have an organization. I can come and say, hey, is this one known to be scanning for any CVEs, and it's going to go ahead and run that, and if it is, it's going to include those associated CVEs on the graph as well. So, no CVEs on this particular one. So if we then say, hey, what ports is this one scanning on, I want to just focus on which ports it's going to be scanning on right now, and we'll wait for that to finish. And we can see that there is the ability for you to see that there is one port being scanned for by that particular IP address. Right. So from there, we're going to take a look and see if there are any tags associated with this one. So we do that, and we see that there is an associated tag as well. And so you can sort of build each one of those components independently. So I'm gonna go ahead and grab another IP address here so that we can see a couple of the other examples. Alright, so we're gonna go ahead and clear this graph. We're going to add another IP address, and then in this case, I'm going to go ahead and do my actor lookup again, so that we can see that this is working.
Okay, fantastic. So we can see that this is a Shodan.io address. And then also, we want to see if CVEs are working. So we're gonna say, hey, go ahead and let me see if this IP address is scanning for any particular CVEs. And in this case, you can see the variety of CVEs that it is in fact looking for and scanning for as part of its behavior. You can pivot by CVEs as well. So if you want to go in and say, let me see all of the IP addresses that are also scanning for this, we can pop that up. And then again, we have the additional inputs that you can put in here. Again, I do recommend that for the timestamp, you just mostly focus on what's happening today. And then again, you could see if there's anything else in here; so in this particular case, we just want to stay focused on Shodan and see what other IP addresses from Shodan are going and actually looking for these.
So we're going to pivot from there and see what other IP addresses we get returned today. Okay, and we can see that here is a variety of other IP addresses. And if we want to confirm, we can go ahead and do that actor lookup and say, are these actually all associated with Shodan? They should be, but we'll go ahead and confirm from that that the logic is all working correctly here. And we can see now that we get all those associated back. So here's a variety of Shodan IPs that are all actively scanning today and are all actively looking for this particular CVE today. Okay, now, you also have the ability to go ahead and pivot based on a tag. So I'm gonna go ahead and pull in a particular tag here. So take a look and see what tags this IP address is scanning for. And then once those load, we can see sort of the variety of different things that it has. So we can see which one of these might be of interest to what we're looking for. So in this particular case, let's go ahead and just use this try to one here. And we're gonna go ahead and see what other scanning IP addresses are also looking for this one. And we're gonna go ahead and use the same filters we used previously, and we're going to run that and wait for that to complete.
And since this is Shodan, it's likely that some of these will tie back to some of the IP addresses that we have on the graph already, and we'll see what happens. Oh, we've got no additional scanning behavior with this particular tag. So that was not a great one to use. There we go. Alright, it's just taking a very long time. So you can see all of the additional IP addresses here that it has added to show that are specifically looking for this tag. So again, you can see sort of the full variety of what is happening there. Right. And that sort of covers the majority of the functionality of what the transform has to offer. So again, we'll just sort of, you know, run through that one more time, just to reiterate everything. So we have the ability to take an IP address to check it against RIOT, and then to pull in all the details that we have from the noise database. We can also go ahead and pull in specifically just its actor, organization, CVEs, ports, or tags, and then all those different pivot points. So again, we can pivot from a tag, we can pivot from a CVE, and we can go ahead and pivot from an actor as well. So somewhere I have my actor tag on here. So here's our practice tag as well. So we can go ahead and pivot by that as well. So there are a whole bunch of different places that you can pivot within the transform graph and pull in all that corresponding data from GreyNoise.
That covers everything that we wanted to show through the integration today. If there are any further questions or any clarifications, or if you have any enhancements or thoughts on the way that we can make this better and easier to use for you, we really are willing to hear your feedback. So feel free to reach out to us on our community Slack or go ahead and email us at support@greynoise.io.
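The enrichment described in the introduction and the triage rules from the walkthrough (RIOT trust level 1 can reasonably be ignored, benign mass scanners are low priority, malicious noise surfaces its tags, CVEs and ports as pivots, and an IP in neither dataset is "not noise") can be reproduced outside Maltego. The following is an added example, not GreyNoise's or Maltego's own code: the response field names are assumed from the public GreyNoise v2 Noise Context and RIOT API documentation, the GNQL filter syntax in `pivot_query()` is likewise an assumption from the public docs, and every response below is a constructed offline sample rather than a real lookup.

```python
"""Triage alert IPs from GreyNoise-style enrichment and build pivot queries.

Added example, not GreyNoise's or Maltego's code. Field names follow the
public GreyNoise v2 API docs for /noise/context/{ip} and /riot/{ip}
(assumption); the GNQL syntax in pivot_query() is likewise assumed from the
public docs. All responses here are constructed samples, not real lookups.
"""
from dataclasses import dataclass, field

# Constructed samples shaped like /v2/noise/context/{ip} responses.
NOISE_CONTEXT = {
    "198.51.100.7": {
        "ip": "198.51.100.7", "seen": True, "classification": "malicious",
        "actor": "unknown", "tags": ["SSH Bruteforcer", "Web Crawler"],
        "cve": ["CVE-2021-44228"],
        "metadata": {"asn": "AS64496", "organization": "Example Hosting", "country": "NL"},
        "raw_data": {"scan": [{"port": 2222, "protocol": "TCP"},
                              {"port": 22, "protocol": "TCP"}]},
    },
    "203.0.113.9": {
        "ip": "203.0.113.9", "seen": True, "classification": "benign",
        "actor": "Shodan.io", "tags": ["Shodan.io"], "cve": ["CVE-2021-44228"],
        "metadata": {"asn": "AS64500", "organization": "Shodan", "country": "US"},
        "raw_data": {"scan": [{"port": 443, "protocol": "TCP"}]},
    },
    # Never observed by GreyNoise: the API returns seen=false and little else.
    "192.0.2.55": {"ip": "192.0.2.55", "seen": False},
}

# Constructed sample shaped like a /v2/riot/{ip} response (trust_level is a string).
RIOT = {
    "8.8.8.8": {"ip": "8.8.8.8", "riot": True, "category": "public_dns",
                "name": "Google Public DNS", "trust_level": "1"},
}


@dataclass
class Verdict:
    ip: str
    disposition: str          # ignore | deprioritize | investigate | unknown
    reason: str
    pivots: dict = field(default_factory=dict)   # nodes an analyst can pivot on


def triage(ip, ctx=None, riot=None):
    """RIOT trust level 1 is ignorable, benign mass scanners are low priority,
    malicious noise gets its tags/CVEs/ports surfaced as pivots, and an IP in
    neither dataset is 'not noise' and stays in the queue as possibly targeted."""
    ctx = ctx or {}
    riot = riot or {}
    if riot.get("riot"):
        level = str(riot.get("trust_level", ""))
        disposition = "ignore" if level == "1" else "deprioritize"
        return Verdict(ip, disposition,
                       f"common business service: {riot.get('name')} "
                       f"({riot.get('category')}), RIOT trust level {level or '?'}",
                       {"provider": riot.get("name")})
    if not ctx.get("seen"):
        return Verdict(ip, "unknown",
                       "not internet noise: absent from both GreyNoise datasets")
    scans = ctx.get("raw_data", {}).get("scan", [])
    pivots = {
        "actor": ctx.get("actor"),
        "asn": ctx.get("metadata", {}).get("asn"),
        "tags": list(ctx.get("tags", [])),
        "cves": list(ctx.get("cve", [])),
        # sort numerically so 22/TCP precedes 2222/TCP regardless of API order
        "ports": [f"{p}/{proto}" for p, proto in
                  sorted((s["port"], s["protocol"]) for s in scans)],
    }
    classification = ctx.get("classification", "unknown")
    if classification == "benign":
        return Verdict(ip, "deprioritize",
                       f"benign mass scanner, actor {ctx.get('actor')}", pivots)
    if classification == "malicious":
        return Verdict(ip, "investigate",
                       f"malicious noise scanning {len(pivots['ports'])} port(s), "
                       f"tags {pivots['tags']}", pivots)
    return Verdict(ip, "investigate", "noise with unknown classification", pivots)


def pivot_query(tag=None, cve=None, last_seen="1d", port=None, actor=None):
    """Build the GNQL query behind the 'other IPs seen with this tag/CVE' pivot.
    Defaults to last_seen:1d, matching the walkthrough's 'Today' recommendation."""
    terms = []
    if tag:
        terms.append(f'tags:"{tag}"')
    if cve:
        terms.append(f"cve:{cve}")
    terms.append(f"last_seen:{last_seen}")
    if port is not None:
        terms.append(f"raw_data.scan.port:{port}")
    if actor:
        terms.append(f'actor:"{actor}"')
    return " ".join(terms)


def triage_batch(ips, noise=NOISE_CONTEXT, riot=RIOT):
    """Enrich a list of alert IPs and bucket them by disposition."""
    buckets = {}
    for ip in ips:
        v = triage(ip, noise.get(ip), riot.get(ip))
        buckets.setdefault(v.disposition, []).append(v.ip)
    return buckets


if __name__ == "__main__":
    for ip in ["8.8.8.8", "198.51.100.7", "203.0.113.9", "192.0.2.55"]:
        v = triage(ip, NOISE_CONTEXT.get(ip), RIOT.get(ip))
        print(f"{v.ip:15} {v.disposition:13} {v.reason}")
    print(pivot_query(tag="SSH Bruteforcer", port=22))
```

Replacing the constructed dictionaries with live calls to the Noise Context and RIOT endpoints (or with the transform's own output) gives the same bucketing the graph shows visually; the "unknown" bucket is the one that deserves analyst time, since it is the only one GreyNoise cannot explain as mass scanning or a known business service.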