GreyNoise Intelligence
App Vendor: GreyNoise
App Category: Data Enrichment & Threat Intelligence
Connector Version: 2.0.0
API Version: v3
Note
After upgrading to a major version, reconfigure the app instance to ensure existing playbooks continue to work.
About App
The GreyNoise Intelligence app allows users to query, retrieve, and analyze intelligence data related to IPs, vulnerabilities, and tags, supporting informed threat investigation and analysis workflows. This app enables both GreyNoise Enterprise and Community users to access threat intelligence.
The GreyNoise Intelligence app is configured with Cyware Orchestrate to perform the following actions:
Action Name | Description |
|---|---|
Bulk CVE Lookup | This action retrieves information about multiple CVEs in a single request, with the level of detail depending on user entitlements. |
Generic Action | This is a generic action used to make requests to any GreyNoise Intelligence endpoint. |
Get GNQL Metadata | This action retrieves IP intelligence data using a GNQL query while automatically excluding raw scan data for increased efficiency. |
Get IP Activity Timeline | This action retrieves a summary of historical noise activity for an IP address based on specific metadata fields. |
List Tags | This action retrieves a list of GreyNoise tags and their associated metadata, including category, intention, and references. |
Lookup IP | This action retrieves a comprehensive profile of an IP address, including network owner, ASN, and associated threat actors. |
Lookup Multiple IPs | This action retrieves information from GreyNoise for a submitted set of IP addresses. |
Perform GNQL Query | This action retrieves IP data matching a specific GreyNoise Query Language (GNQL) string. |
Recall GNQL V3 Records | This action retrieves hourly GNQL records for a specific time range. |
Recall GNQL V3 Stats | This action retrieves the number of unique IPs that match a GNQL query for each hour or day in a specified time range. |
Configuration Parameters
The following configuration parameters are required for the GreyNoise Intelligence app to communicate with the GreyNoise Intelligence enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
API Key | Enter the API key to authenticate your requests with the GreyNoise platform. | Password | Required | |
Base URL | Enter the base URL to access the GreyNoise API. | Text | Optional | Default value: https://api.greynoise.io. |
Verify | Choose your preference to verify SSL or TLS while making requests. It is recommended to set this option to yes. Passing no may result in connection errors. | Boolean | Optional | By default, verification is enabled. |
Timeout | Enter the timeout value (in seconds) for the API request. | Integer | Optional | Allowed range: 15-120. Default value: 15. |
Action: Bulk CVE Lookup
This action retrieves information about multiple CVEs in a single request, with the level of detail depending on user entitlements.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
CVE IDs | Enter the array of CVE IDs to look up. Example: $LIST[cve-2021-44228,cve-2023-3519]. | List | Required | You can include up to 10,000 IDs per request. |
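A playbook that passes extracted identifiers to Bulk CVE Lookup has to clean them and split them to stay within the 10,000-ID limit. The following is an added example, not part of the Cyware or GreyNoise documentation: the function names are hypothetical, upper-casing the IDs is a choice made here, and only the `cve_ids` key is taken from the Example Request.

```python
import re

# Limit stated in the CVE IDs parameter comments: up to 10,000 IDs per request.
MAX_CVE_IDS_PER_REQUEST = 10_000
# CVE identifier syntax: "CVE-", a four-digit year, then four or more digits.
CVE_ID_RE = re.compile(r"CVE-[0-9]{4}-[0-9]{4,}")


def normalize_cve_ids(raw_ids):
    """Return (valid, rejected); valid IDs are upper-cased and de-duplicated in order."""
    valid, rejected, seen = [], [], set()
    for raw in raw_ids:
        candidate = str(raw).strip().upper()
        if not CVE_ID_RE.fullmatch(candidate):
            rejected.append(raw)  # keep the original value for the playbook log
            continue
        if candidate not in seen:
            seen.add(candidate)
            valid.append(candidate)
    return valid, rejected


def build_bulk_cve_requests(raw_ids, batch_size=MAX_CVE_IDS_PER_REQUEST):
    """Build one {"cve_ids": [...]} input per batch, shaped like the Example Request."""
    if not 1 <= batch_size <= MAX_CVE_IDS_PER_REQUEST:
        raise ValueError(f"batch_size must be between 1 and {MAX_CVE_IDS_PER_REQUEST}")
    valid, rejected = normalize_cve_ids(raw_ids)
    requests = [
        {"cve_ids": valid[i:i + batch_size]}
        for i in range(0, len(valid), batch_size)
    ]
    return requests, rejected


# Constructed sample input, as it might arrive from alert text extraction.
SAMPLE_IDS = ["cve-2021-44228", " CVE-2023-3519 ", "CVE-2021-44228", "CVE-21-1", "log4shell"]

if __name__ == "__main__":
    batches, bad = build_bulk_cve_requests(SAMPLE_IDS, batch_size=1)
    print(batches)
    print("rejected:", bad)
```

Rejected values are returned rather than silently dropped so the playbook can record which extracted strings were not sent.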
Example Request
[
  {
    "cve_ids": [
      "CVE-2024-31396",
      "CVE-2024-31395"
    ]
  }
]
Action: Get GNQL Metadata
This action retrieves IP intelligence data using a GNQL query while automatically excluding raw scan data for increased efficiency.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query | Enter a valid GNQL query string to retrieve matching IP intelligence. Example: classification:malicious and last_seen:1m | Text | Required | |
Page Size | Enter the maximum number of results to retrieve on each page. | Integer | Optional | Allowed range: 1 to 10000. Default value: 10000. |
Quick Response | Choose true if the response should only include the IP address and classification. | Boolean | Optional | Default value: false |
Exclude Fields | Enter a comma-separated list of additional fields to exclude from the response. The raw_data field is automatically excluded. | Text | Optional | Example: 'last_seen' |
Scroll Token | Enter the scroll token received from a previous query response to retrieve subsequent pages of results. | Text | Optional |
Example Request
[
  {
    "size": "10",
    "query": "classification:malicious last_seen:1d",
    "quick": true
  }
]
Action: Get IP Activity Timeline
This action retrieves a summary of historical noise activity for an IP address based on specific metadata fields.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
IP Address | Enter the IPv4 address to investigate for historical activity. Example: 8.8.8.8 | Text | Required | |
Days | Enter the total number of days to include in the timeline results. | Text | Optional | Default value: 1 |
Summary Field | Select the metadata field by which to summarize noise activity, to analyze how activity is distributed across a specific attribute. | Single-select | Optional | Allowed values: destination_port, http_path, http_user_agent, source_asn, source_org, source_rdns, tag_ids, classification. Default value: classification |
Granularity | Enter the time interval to group noise activity in the timeline. | Text | Optional | Use hours (h) to view detailed activity or days (d) to view broader trends. Allowed range: For hours is 1h to 24h, and for days is 1d to 90d. Default value: 1d |
Example Request
[
  {
    "ip": "8.8.8.8",
    "days": "1",
    "field": "classification"
  }
]
Action: List Tags
This action retrieves a list of GreyNoise tags and their associated metadata, including category, intention, and references.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Tag Name | Enter the tag name to retrieve tags. This also retrieves tags with names that partially match the specified value. Example: log4j | Text | Optional | |
Tag Slug | Enter the exact slug of the tag to filter by. Example: log4j-rce | Text | Optional | |
CVE ID | Enter the CVE ID associated with the tag to filter results by. Example: cve-2021-44228 | Text | Optional |
Action: Lookup IP
This action retrieves a comprehensive profile of an IP address, including network owner, ASN, and associated threat actors.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
IP Address | Enter the IP address to query against the GreyNoise intelligence database. Example: 8.8.8.8 | Text | Required | |
Quick Response | Choose true if you want a faster response containing only the classification and trust level. | Boolean | Optional | Default value: false |
Example Request
[
  {
    "ips": [
      "1.2.3.4"
    ],
    "quick": true
  }
]
Action: Lookup Multiple IPs
This action retrieves information from GreyNoise for a submitted set of IP addresses.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Ip Addresses | Enter the list of IP addresses to retrieve intelligence for multiple hosts in a single request. Example: $LIST[8.8.8.8] | List | Required | |
Quick Response | Choose true if you want a faster response containing only the classification and trust level. | Boolean | Optional | Default value: false |
Example Request
[
  {
    "ips": [
      "1.2.3.4",
      "8.8.8.8"
    ],
    "quick": true
  }
]
Action: Perform GNQL Query
This action retrieves IP data matching a specific GreyNoise Query Language (GNQL) string.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query String | Enter a valid GNQL query string to retrieve matching IP intelligence. Example: classification:malicious and last_seen:1m | Text | Required | |
Page Size | Enter the maximum number of results to retrieve on each page. | Integer | Optional | Allowed range: 1 to 10000. Default value: 10000. |
Quick Response | Choose true to retrieve only the IP address and its classification or trust level for faster responses. | Boolean | Optional | Default value: false |
Response Format | Enter the format in which the results should be returned. | Text | Optional | Allowed values: json or csv. Default value: json. |
Scroll Token | Enter the scroll token received from a previous query response to retrieve subsequent pages of results. This is incompatible with the csv format. | Text | Optional |
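The Page Size, Response Format and Scroll Token constraints above (and the matching Scroll Token parameter of Get GNQL Metadata) can be enforced before the action runs, and pagination can be bounded so a playbook cannot loop forever. This is an added example, not connector or GreyNoise code: `run_action` is a hypothetical stand-in for the action call, and the `scroll` input key plus the `data` and `scroll` response keys are assumptions, since the page does not show them.

```python
ALLOWED_FORMATS = {"json", "csv"}


def build_gnql_input(query, size=10000, quick=False, data_format="json", scroll=None):
    """Validate against the documented constraints, then build the action input."""
    if not query or not query.strip():
        raise ValueError("Query String is required")
    if not 1 <= int(size) <= 10000:
        raise ValueError("Page Size must be between 1 and 10000")
    if data_format not in ALLOWED_FORMATS:
        raise ValueError("Response Format must be json or csv")
    if scroll and data_format == "csv":
        raise ValueError("Scroll Token is incompatible with the csv format")
    payload = {"query": query, "size": str(size), "quick": quick,
               "data_format": data_format}
    if scroll:
        payload["scroll"] = scroll  # ASSUMED key name; not shown on the page
    return payload


def collect_all_pages(run_action, query, size=10000, max_pages=50):
    """Follow scroll tokens until none is returned, one repeats, or the cap is hit."""
    records, scroll, seen = [], None, set()
    for _ in range(max_pages):
        response = run_action(build_gnql_input(query, size=size, scroll=scroll))
        records.extend(response.get("data", []))  # ASSUMED response key
        scroll = response.get("scroll")           # ASSUMED response key
        if not scroll or scroll in seen:
            break
        seen.add(scroll)
    return records


def make_fake_backend(ips):
    """Constructed stand-in for the connector call; the token is just an offset."""
    def run_action(payload):
        start, size = int(payload.get("scroll") or 0), int(payload["size"])
        page = {"data": [{"ip": ip} for ip in ips[start:start + size]]}
        if start + size < len(ips):
            page["scroll"] = str(start + size)
        return page
    return run_action


SAMPLE_IPS = [f"192.0.2.{i}" for i in range(1, 8)]  # constructed (TEST-NET-1)

if __name__ == "__main__":
    backend = make_fake_backend(SAMPLE_IPS)
    print(len(collect_all_pages(backend, "classification:malicious", size=3)))
```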
Example Request
[
  {
    "size": "20",
    "query": "classification:malicious confidence:high last_seen:24h -actor:*",
    "quick": true,
    "data_format": "csv"
  }
]
Action: Recall GNQL V3 Records
This action retrieves hourly GNQL records for a specific time range.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query | Enter the GNQL query string to perform a search over historical time series data. | Text | Required | |
Start Time | Enter the start time in ISO-8601 format to define the beginning of the search period. Example: 2023-01-01t00:00:00z | Text | Optional | |
End Time | Enter the end time in ISO-8601 format to define the end of the search period. Example: 2023-01-02t00:00:00z | Text | Optional | |
Format | Enter the desired format of the results. | Text | Optional | Allowed values: json and csv. Default value: json. |
Limit | Enter the maximum number of hourly records to return for the query. Example: 100 | Integer | Optional | |
Offset | Enter the starting position to apply the limit for paginating through results. Example: 200 | Integer | Optional |
Example Request
[
  {
    "limit": "100",
    "query": "classification:malicious AND last_seen:1m",
    "offset": "10"
  }
]
Action: Recall GNQL V3 Stats
This action retrieves the number of unique IPs that match a GNQL query for each hour or day in a specified time range.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query | Enter the GNQL query string to aggregate statistics for. | Text | Required | |
Interval | Enter the time interval to group unique IP counts. | Text | Required | Allowed values: hour and day |
Start Time | Enter the start time in ISO-8601 format to define the beginning of the aggregation period. Example: 2023-01-01t00:00:00z | Text | Optional | |
End Time | Enter the end time in ISO-8601 format to define the end of the aggregation period. Only records on or before this time are included. Example: 2023-01-02t00:00:00z | Text | Optional | |
Format | Enter the desired format of the results. | Text | Optional | Allowed values: json and csv. Default value: json. |
Example Request
[
  {
    "query": "classification:malicious AND last_seen:1m",
    "interval": "day",
    "data_format": "json"
  }
]
Action: Generic Action
This is a generic action used to make requests to any GreyNoise Intelligence endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Method | Enter the HTTP method to make the request. | Text | Required | Allowed values: GET, PUT, POST, DELETE |
Endpoint | Enter the endpoint to make the request to. Example: v3/community/{ip} | Text | Required | |
Query Params | Enter the query parameters to pass to the API. | Key Value | Optional | |
Payload | Enter the payload to pass to the API. | Any | Optional | |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional | Allowed keys: headers, payload_data, custom_output, download, filename, files, retry_wait, retry_count, and response_type |
Example Request
[
  {
    "method": "GET",
    "endpoint": "v3/community/8.8.8.8",
    "extra_fields": {},
    "query_params": {}
  }
]
Changelog
The following table shows the changelog for each app version:
Version | Changes |
|---|---|
v2.0.0 |
|