GreyNoise
The GreyNoise connector provides insights into IP behavior by tapping into a vast collection of internet scan data, enabling users to differentiate between benign and malicious network traffic.

GreyNoise is a cybersecurity platform that filters and analyzes internet-wide scan and attack traffic. The GreyNoise connector for Swimlane Turbine enables users to query IP context data, perform detailed metadata lookups, and quickly check if an IP is part of the 'internet background noise'. By integrating with GreyNoise, Swimlane Turbine users can enhance their security automation workflows with valuable insights into IP behavior, reducing the noise and focusing on threats that matter.

This is a connector for GreyNoise. GreyNoise captures data on IPs that scan the internet and saturate security tools with internet noise.

## Prerequisites

To utilize the GreyNoise connector within Swimlane Turbine, ensure you have the following:

- API key authentication with the necessary parameters:
  - URL: The endpoint URL for GreyNoise API services.
  - API Key: Your personal key to authenticate requests to GreyNoise.

## Capabilities

This connector provides the following capabilities:

- Community API
- Get IP Lookup Context
- Get IP Quick Check
- Get IP Similarity Lookup

## Configurations

### API Key Authentication

Authenticates using an API key.

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | Required |
| key | API key | string | Required |
| verify_ssl | Verify SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |

## Actions

### Community API

Retrieve a subset of IP context data for community users by querying the GreyNoise dataset with an IP address.

Endpoint

- URL: `/v3/community/{{ip}}`
- Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.ip | string | Required | The IP address to query |

Input example

```json
{"path_parameters": {"ip": "8.8.8.8"}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| ip | string | Output field ip |
| noise | boolean | Output field noise |
| riot | boolean | Output field riot |
| classification | string | Output field classification |
| name | string | Name of the resource |
| link | string | Output field link |
| last_seen | string | Output field last_seen |
| message | string | Response message |

Output example

```json
{
  "status_code": 200,
  "response_headers": {
    "Date": "Thu, 21 Nov 2024 06:53:04 GMT",
    "Content-Type": "application/json; charset=utf-8",
    "Content-Length": "234",
    "Connection": "keep-alive",
    "X-RateLimit-Limit": "25",
    "X-RateLimit-Remaining": "22",
    "X-RateLimit-Reset": "1732776563"
  },
  "reason": "OK",
  "json_body": {
    "ip": "8.8.8.8",
    "noise": false,
    "riot": true,
    "classification": "benign",
    "name": "Google Public DNS",
    "link": "https://viz.greynoise.io/ip/8.8.8.8",
    "last_seen": "2024-11-21",
    "message": "Success"
  }
}
```

### Get IP Lookup Context

Retrieve detailed metadata, actor associations, activity tags, and raw scan data for a specified IP address using GreyNoise.

Endpoint

- URL: `/v2/noise/context/{{ip}}`
- Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.ip | string | Required | Parameters for the Get IP Lookup Context action |

Input example

```json
{"path_parameters": {"ip": "71.6.135.131"}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| ip | string | Output field ip |
| seen | boolean | Output field seen |
| classification | string | Output field classification |
| first_seen | string | Output field first_seen |
| last_seen | string | Output field last_seen |
| actor | string | Output field actor |
| tags | array | Output field tags |
| spoofable | boolean | Output field spoofable |
| cve | array | Output field cve |
| vpn | boolean | Output field vpn |
| vpn_service | string | Output field vpn_service |
| metadata | object | Response data |
| metadata.country | string | Response data |
| metadata.country_code | string | Response data |
| metadata.city | string | Response data |
| metadata.region | string | Response data |
| metadata.organization | string | Response data |
| metadata.rdns | string | Response data |
| metadata.asn | string | Response data |
| metadata.tor | boolean | Response data |
| metadata.category | string | Response data |
| metadata.os | string | Response data |
| metadata.destination_countries | array | Response data |

Output example

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Wed, 23 Aug 2023 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "ip": "71.6.135.131",
    "seen": true,
    "classification": "benign",
    "first_seen": "2018-01-28",
    "last_seen": "2018-2-28",
    "actor": "Shodan.io",
    "tags": ["Mirai", "Telnet Worm"],
    "spoofable": true,
    "cve": ["CVE-2020-1234", "CVE-2021-2345"],
    "vpn": true,
    "vpn_service": "ipvanish vpn",
    "metadata": {"country": "United States", "country_code": "US", "city": "Seattle", "regio
```

### Get IP Quick Check

Performs a quick check on an IP address to determine if it's classified as 'internet background noise' or involved in scanning or attacks.

Endpoint

- URL: `/v2/noise/quick/{{ip}}`
- Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.ip | string | Required | Parameters for the Get IP Quick Check action |

Input example

```json
{"path_parameters": {"ip": "71.6.135.131"}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| code | string | Output field code |
| ip | string | Output field ip |
| noise | boolean | Output field noise |
| riot | boolean | Output field riot |

Output example

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Wed, 23 Aug 2023 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {"code": "0x01", "ip": "71.6.135.131", "noise": true, "riot": false}
}
```

### Get IP Similarity Lookup

Performs a similarity lookup for an IP address in GreyNoise; absence of data indicates no sufficient information or observations.

Endpoint

- URL: `/v3/similarity/ips/{{ip}}`
- Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.ip | string | Required | Parameters for the Get IP Similarity Lookup action |
| parameters.limit | number | Optional | Parameters for the Get IP Similarity Lookup action |
| parameters.minimum_score | number | Optional | Parameters for the Get IP Similarity Lookup action |

Input example

```json
{"parameters": {"limit": 50, "minimum_score": 0.85}, "path_parameters": {"ip": "71.6.135.131"}}
```

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| ip | object | Output field ip |
| ip.ip | string | Output field ip.ip |
| ip.actor | string | Output field ip.actor |
| ip.classification | string | Output field ip.classification |
| ip.first_seen | string | Output field ip.first_seen |
| ip.last_seen | string | Output field ip.last_seen |
| ip.asn | string | Output field ip.asn |
| ip.city | string | Output field ip.city |
| ip.country | string | Output field ip.country |
| ip.country_code | string | Output field ip.country_code |
| ip.organization | string | Output field ip.organization |
| similar_ips | array | Output field similar_ips |
| similar_ips.ip | string | Output field similar_ips.ip |
| similar_ips.actor | string | Output field similar_ips.actor |
| similar_ips.classification | string | Output field similar_ips.classification |
| similar_ips.first_seen | string | Output field similar_ips.first_seen |
| similar_ips.last_seen | string | Output field similar_ips.last_seen |
| similar_ips.asn | string | Output field similar_ips.asn |
| similar_ips.city | string | Output field similar_ips.city |
| similar_ips.country | string | Output field similar_ips.country |
| similar_ips.country_code | string | Output field similar_ips.country_code |
| similar_ips.organization | string | Output field similar_ips.organization |
| similar_ips.score | number | Score value |

Output example

```json
{
  "status_code": 200,
  "response_headers": {
    "Content-Length": "140",
    "Content-Type": "application/json",
    "Date": "Wed, 23 Aug 2023 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "ip": {
      "ip": "71.6.135.131",
      "actor": "Shodan.io",
      "classification": "benign",
      "first_seen": "2018-01-28",
      "last_seen": "2018-2-28",
      "asn": "AS521",
      "city": "Seattle",
      "country": "United States",
      "country_code": "US",
      "organization": "DigitalOcean, LLC"
    },
    "similar_ips": [{}]
  }
}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Connection | HTTP response header Connection | keep-alive |
| Content-Length | The length of the response body in bytes | 234 |
| Content-Type | The media type of the resource | application/json; charset=utf-8 |
| Date | The date and time at which the message was originated | Wed, 23 Aug 2023 20:37:23 GMT |
| X-RateLimit-Limit | The number of requests allowed in the current rate limit window | 25 |
| X-RateLimit-Remaining | The number of requests remaining in the current rate limit window | 22 |
| X-RateLimit-Reset | The time at which the current rate limit window resets | 1732776563 |
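
The following is an added example, not code from the connector or from GreyNoise: a playbook-side function that turns one Community API action result into a triage verdict and a rate-limit back-off taken from the `X-RateLimit-*` headers. It assumes the result keys are `status_code`, `response_headers` and `json_body`, that the reset header is a Unix timestamp, and that the API answers 404 for an IP with no data and 429 when the quota is exhausted; the verdict names and the policy itself are hypothetical.

```python
# Added example: verdict policy and constructed samples are assumptions, not connector code.
SAMPLE_OK = {  # mirrors the Community API output example on this page (8.8.8.8)
    "status_code": 200,
    "response_headers": {"X-RateLimit-Remaining": "22", "X-RateLimit-Reset": "1732776563"},
    "json_body": {"ip": "8.8.8.8", "noise": False, "riot": True, "classification": "benign"},
}
SAMPLE_SCANNER = {  # constructed: documentation-range IP, scanning with unknown intent
    "status_code": 200,
    "response_headers": {"X-RateLimit-Remaining": "21", "X-RateLimit-Reset": "1732776563"},
    "json_body": {"ip": "203.0.113.7", "noise": True, "riot": False, "classification": "unknown"},
}
SAMPLE_LIMITED = {  # constructed: quota exhausted
    "status_code": 429,
    "response_headers": {"X-RateLimit-Remaining": "0", "X-RateLimit-Reset": "1732776563"},
    "json_body": {},
}


def triage(result, now_epoch):
    """Return (verdict, seconds_to_wait) for one connector output dict."""
    headers = {k.lower(): v for k, v in result.get("response_headers", {}).items()}
    body = result.get("json_body") or {}
    status = result.get("status_code")
    # Header values are strings in the output example; absent headers mean no known limit.
    remaining = int(headers.get("x-ratelimit-remaining", "1"))
    reset = int(headers.get("x-ratelimit-reset", "0"))
    wait = max(0, reset - now_epoch) if status == 429 or remaining == 0 else 0

    if status == 429:  # assumption: quota exhausted, retry after the window resets
        return "retry_later", wait
    if status == 404:  # assumption: IP in neither dataset, so nothing is ruled out
        return "no_data", wait
    if status != 200:
        return "error", wait
    classification = body.get("classification", "unknown")
    if classification == "malicious":
        verdict = "escalate"
    elif body.get("riot") or classification == "benign":
        verdict = "suppress"      # known business service or benign scanner
    elif body.get("noise"):
        verdict = "deprioritize"  # internet-wide scanning, intent unknown
    else:
        verdict = "investigate"   # no GreyNoise context, possibly targeted traffic
    return verdict, wait


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_SCANNER, SAMPLE_LIMITED):
        print(sample["json_body"].get("ip"), triage(sample, now_epoch=1732776500))
```

Checking `classification` before `riot` and `noise` keeps an IP that is both noisy and malicious from being suppressed as background noise.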