GreyNoise
The GreyNoise connector provides insights into IP behavior by tapping into a vast collection of internet scan data, enabling users to differentiate between benign and malicious network traffic.

GreyNoise is a cybersecurity platform that filters and analyzes internet-wide scan and attack traffic. The GreyNoise connector for Swimlane Turbine enables users to query IP context data, perform detailed metadata lookups, and quickly check if an IP is part of the 'internet background noise'. By integrating with GreyNoise, Swimlane Turbine users can enhance their security automation workflows with valuable insights into IP behavior, reducing the noise and focusing on threats that matter.

This is a connector for GreyNoise. GreyNoise captures data on IPs that scan the internet and saturate security tools with internet noise.

## Prerequisites

To utilize the GreyNoise connector within Swimlane Turbine, ensure you have the following:

- API key authentication with the necessary parameters:
  - URL: the endpoint URL for GreyNoise API services
  - API Key: your personal key to authenticate requests to GreyNoise

## Capabilities

This connector provides the following capabilities:

- Community API
- Get IP Lookup Context
- Get IP Quick Check
- Get IP Similarity Lookup

## Configurations

### API Key Authentication

Authenticates using an API key.

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | Required |
| key | API key | string | Required |
| verify_ssl | Verify SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |

## Actions

### Community API

Retrieve a subset of IP context data for community users by querying the GreyNoise dataset with an IP address.

Endpoint URL: `/v3/community/{{ip}}`

Method: GET

#### Input

| Input argument name | Type | Required | Description |
| --- | --- | --- | --- |
| ip | string | Required | The IP address to query |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| ip | string | Output field ip |
| noise | boolean | Output field noise |
| riot | boolean | Output field riot |
| classification | string | Output field classification |
| name | string | Name of the resource |
| link | string | Output field link |
| last_seen | string | Output field last_seen |
| message | string | Response message |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 21 Nov 2024 06:53:04 GMT",
      "Content-Type": "application/json; charset=utf-8",
      "Content-Length": "234",
      "Connection": "keep-alive",
      "X-RateLimit-Limit": "25",
      "X-RateLimit-Remaining": "22",
      "X-RateLimit-Reset": "1732776563"
    },
    "reason": "OK",
    "json_body": {
      "ip": "8.8.8.8",
      "noise": false,
      "riot": true,
      "classification": "benign",
      "name": "Google Public DNS",
      "link": "https://viz.greynoise.io/ip/8.8.8.8",
      "last_seen": "2024-11-21",
      "message": "Success"
    }
  }
]
```

### Get IP Lookup Context

Retrieve detailed metadata, actor associations, activity tags, and raw scan data for a specified IP address using GreyNoise.

Endpoint URL: `/v2/noise/context/{{ip}}`

Method: GET

#### Input

| Input argument name | Type | Required | Description |
| --- | --- | --- | --- |
| ip | string | Required | Parameter for Get IP Lookup Context |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| ip | string | Output field ip |
| seen | boolean | Output field seen |
| classification | string | Output field classification |
| first_seen | string | Output field first_seen |
| last_seen | string | Output field last_seen |
| actor | string | Output field actor |
| tags | array | Output field tags |
| spoofable | boolean | Output field spoofable |
| cve | array | Output field cve |
| vpn | boolean | Output field vpn |
| vpn_service | string | Output field vpn_service |
| metadata | object | Response data |
| country | string | Output field country |
| country_code | string | Output field country_code |
| city | string | Output field city |
| region | string | Output field region |
| organization | string | Output field organization |
| rdns | string | Output field rdns |
| asn | string | Output field asn |
| tor | boolean | Output field tor |
| category | string | Output field category |
| os | string | Output field os |
| destination_countries | array | Output field destination_countries |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 23 Aug 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "ip": "71.6.135.131",
      "seen": true,
      "classification": "benign",
      "first_seen": "2018-01-28",
      "last_seen": "2018-2-28",
      "actor": "Shodan.io",
      "tags": [],
      "spoofable": true,
      "cve": [],
      "vpn": true,
      "vpn_service": "IPVANISH_VPN",
      "metadata": {},
      "raw_data": {}
    }
  }
]
```

### Get IP Quick Check

Performs a quick check on an IP address to determine if it's classified as 'internet background noise' or involved in scanning or attacks.

Endpoint URL: `/v2/noise/quick/{{ip}}`

Method: GET

#### Input

| Input argument name | Type | Required | Description |
| --- | --- | --- | --- |
| ip | string | Required | Parameter for Get IP Quick Check |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| code | string | Output field code |
| ip | string | Output field ip |
| noise | boolean | Output field noise |
| riot | boolean | Output field riot |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 23 Aug 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "code": "0x01",
      "ip": "71.6.135.131",
      "noise": true,
      "riot": false
    }
  }
]
```

### Get IP Similarity Lookup

Performs a similarity lookup for an IP address in GreyNoise; absence of data indicates no sufficient information or observations.

Endpoint URL: `/v3/similarity/ips/{{ip}}`

Method: GET

#### Input

| Input argument name | Type | Required | Description |
| --- | --- | --- | --- |
| ip | string | Required | Parameter for Get IP Similarity Lookup |
| limit | number | Optional | Parameter for Get IP Similarity Lookup |
| minimum_score | number | Optional | Score value |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| ip | object | Output field ip |
| ip | string | Output field ip |
| actor | string | Output field actor |
| classification | string | Output field classification |
| first_seen | string | Output field first_seen |
| last_seen | string | Output field last_seen |
| asn | string | Output field asn |
| city | string | Output field city |
| country | string | Output field country |
| country_code | string | Output field country_code |
| organization | string | Output field organization |
| similar_ips | array | Output field similar_ips |
| ip | string | Output field ip |
| actor | string | Output field actor |
| classification | string | Output field classification |
| first_seen | string | Output field first_seen |
| last_seen | string | Output field last_seen |
| asn | string | Output field asn |
| city | string | Output field city |
| country | string | Output field country |
| country_code | string | Output field country_code |
| organization | string | Output field organization |
| score | number | Score value |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 23 Aug 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "ip": {},
      "similar_ips": []
    }
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Connection | HTTP response header Connection | keep-alive |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Wed, 23 Aug 2023 20:37:23 GMT |
| X-RateLimit-Limit | The number of requests allowed in the current rate limit window | 25 |
| X-RateLimit-Remaining | The number of requests remaining in the current rate limit window | 22 |
| X-RateLimit-Reset | The time at which the current rate limit window resets | 1732776563 |
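
The Community API output and the rate-limit response headers described above can drive an alert-triage step. The following is an added example, not part of the connector or of Swimlane's documentation: the action names and the `triage` and `rate_limit` helpers are hypothetical, the sample result is constructed, and the result keys are assumed to use underscores (`status_code`, `response_headers`, `json_body`) with hyphenated header names. The `malicious` classification is a GreyNoise value that does not appear in the page's examples.

```python
"""Triage one Community API result from the GreyNoise connector (added example)."""

# Constructed sample in the shape of the page's Community API example.
# Assumption: keys use underscores and header names use hyphens.
SAMPLE = {
    "status_code": 200,
    "response_headers": {
        "X-RateLimit-Limit": "25",
        "X-RateLimit-Remaining": "22",
        "X-RateLimit-Reset": "1732776563",
    },
    "json_body": {"ip": "8.8.8.8", "noise": False, "riot": True,
                  "classification": "benign", "message": "Success"},
}


def rate_limit(headers, now):
    """Return (remaining, seconds_until_reset); header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    remaining = int(h.get("x-ratelimit-remaining", -1))  # -1 means header absent
    reset = int(h.get("x-ratelimit-reset", now))         # epoch seconds
    return remaining, max(0, reset - now)


def triage(result, now):
    """Map one connector result to a hypothetical playbook decision."""
    remaining, wait = rate_limit(result.get("response_headers", {}), now)
    if result.get("status_code") != 200:
        # A failed lookup is not evidence of "benign": defer, never suppress.
        return {"action": "retry", "wait": wait}
    body = result.get("json_body", {})
    cls = body.get("classification")
    if cls == "malicious":
        action = "escalate"
    elif body.get("riot") is True and cls == "benign":
        action = "suppress"       # known benign service
    elif body.get("noise") is True:
        action = "deprioritize"   # background scanner, intent not established
    else:
        action = "investigate"    # no GreyNoise context: judge on other evidence
    # Pause enrichment when the window is spent so later lookups do not fail.
    return {"action": action, "wait": wait if remaining == 0 else 0}
```

Pass the current epoch time as `now` (for example `int(time.time())`) and sleep for `wait` seconds before the next lookup when it is non-zero.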