GreyNoise

Table of Contents


Release Notes

Version

Date

Notes

1.1.0

03/2025

Added 1 new function for the community version, Removed the existing workflow example,

                Added 2 new playbooks - Greynoise IP Query (Example) and Greynoise IP Query Community (Example) |

| 1.0.2 | 12/2020 | Added App Host support | | 1.0.1 | 02/2020 | Added ‘resilient-lib’ to dependencies | | 1.0.0 | 12/2019 | Initial Release |


Overview

SOAR Integration for ‘Greynoise’

screenshot: main

Perform IP analysis using GreyNoise to categorize IP addresses and it’s threat on your organization.

screenshot: main


Requirements

This app supports the IBM Security QRadar SOAR Platform and the IBM Security QRadar SOAR for IBM Cloud Pak for Security.

SOAR platform

The SOAR platform supports two app deployment mechanisms, Edge Gateway (also known as App Host) and integration server.

If deploying to a SOAR platform with an App Host, the requirements are:

  • SOAR platform >= 51.0.0.0.9339.

  • The app is in a container-based format (available from the AppExchange as a zip file).

If deploying to a SOAR platform with an integration server, the requirements are:

  • SOAR platform >= 51.0.0.0.9339.

  • The app is in the older integration format (available from the AppExchange as a zip file which contains a tar.gz file).

  • Integration server is running resilient_circuits>=51.0.0.

  • If using an API key account, make sure the account provides the following minimum permissions:

    Name

    Permissions

    Org Data

    Read

    Function

    Read

The following SOAR platform guides provide additional information:

  • Edge Gateway Deployment Guide or App Host Deployment Guide: provides installation, configuration, and troubleshooting information, including proxy server settings.

  • Integration Server Guide: provides installation, configuration, and troubleshooting information, including proxy server settings.

  • System Administrator Guide: provides the procedure to install, configure and deploy apps.

The above guides are available on the IBM Documentation website at ibm.biz/soar-docs. On this web page, select your SOAR platform version. On the follow-on page, you can find the Edge Gateway Deployment Guide, App Host Deployment Guide, or Integration Server Guide by expanding Apps in the Table of Contents pane. The System Administrator Guide is available by expanding System Administrator.

Cloud Pak for Security

If you are deploying to IBM Cloud Pak for Security, the requirements are:

  • IBM Cloud Pak for Security >= 1.10.15.

  • Cloud Pak is configured with an Edge Gateway.

  • The app is in a container-based format (available from the AppExchange as a zip file).

The following Cloud Pak guides provide additional information:

  • Edge Gateway Deployment Guide or App Host Deployment Guide: provides installation, configuration, and troubleshooting information, including proxy server settings. From the Table of Contents, select Case Management and Orchestration & Automation > Orchestration and Automation Apps.

  • System Administrator Guide: provides information to install, configure, and deploy apps. From the IBM Cloud Pak for Security IBM Documentation table of contents, select Case Management and Orchestration & Automation > System administrator.

These guides are available on the IBM Documentation website at ibm.biz/cp4s-docs. From this web page, select your IBM Cloud Pak for Security version. From the version-specific IBM Documentation page, select Case Management and Orchestration & Automation.


Python Environment

Python 3.9, 3.11, and 3.12 are officially supported. When deployed as an app, the app runs on Python 3.11. Additional package dependencies may exist for each of these packages:

  • resilient_circuits>=51.0.0

  • resilient_lib


Installation

Install

  • To install or uninstall an App or Integration on the SOAR platform, see the documentation at ibm.biz/soar-docs.

  • To install or uninstall an App on IBM Cloud Pak for Security, see the documentation at ibm.biz/cp4s-docs and follow the instructions above to navigate to Orchestration and Automation.

App Configuration

The following table provides the settings you need to configure the app. These settings are made in the app.config file. See the documentation discussed in the Requirements section for the procedure.

Config

Required

Example

Description

url

yes

https://api.greynoise.io

URL to GreyNoise. Note, this is different for v1.1.0.

api_key

yes

xxxxxxxxxxxxxxx

Sign up at https://viz.greynoise.io/signup


Function - GreyNoise IP Query

Perform IP Address analysis. This is the Enterprise addition API call available in for a paid license.

Inputs:

Name

Type

Required

Example

Tooltip

greynoise_type

select

Yes

-

-

greynoise_value

text

No

-

-

Outputs:

NOTE: This example might be in JSON format, but results is a Python Dictionary on the SOAR platform.

results = {
    # TODO: Generate an example of the Function Output within this code block.
    # To get the output of a Function:
    #   1. Run resilient-circuits in DEBUG mode: $ resilient-circuits run --loglevel=DEBUG
    #   2. Invoke the Function in SOAR
    #   3. Gather the results using: $ resilient-sdk codegen -p fn_greynoise --gather-results
    #   4. Run docgen again: $ resilient-sdk docgen -p fn_greynoise
    # Or simply paste example outputs manually here. Be sure to remove any personal information
}

Example Function Input Script:

inputs.greynoise_type = "context"
inputs.greynoise_value = artifact.value

Example Function Post Process Script:

results = playbook.functions.results.results
if results.success:
  msg = [f"Greynoise successful for IP: {artifact.value}"]
  for k,v in results.content.items():
    msg.append(f"<br><b>{k}</b>: {v}")
  incident.addNote(helper.createRichText("".join(msg)))
else:
  incident.addNote(f'Greynoise ip query failed:{results.reason}. Artifact value:{artifact.value}')


Function - GreyNoise IP Query Community

Perform IP Address analysis. This is the community addition API call available in the free tier.

Inputs:

Name

Type

Required

Example

Tooltip

greynoise_type

select

Yes

-

-

greynoise_value

text

No

-

-

Outputs:

NOTE: This example might be in JSON format, but results is a Python Dictionary on the SOAR platform.

results = {
  "content": {
    "classification": "malicious",
    "ip": "210.68.105.68",
    "last_seen": "2025-03-04",
    "link": "https://viz.greynoise.io/ip/210.68.105.68",
    "message": "Success",
    "name": "unknown",
    "noise": true,
    "riot": false
  },
  "inputs": {
    "greynoise_type": "community",
    "greynoise_value": "210.68.105.68"
  },
  "metrics": {
    "execution_time_ms": 180,
    "host": "localhost",
    "package": "fn-greynoise",
    "package_version": "1.1.0",
    "timestamp": "2025-03-20 14:32:23",
    "version": "1.0"
  },
  "raw": "",
  "reason": null,
  "success": true,
  "version": "1.0"
}

Example Function Input Script:

inputs.greynoise_type = "community"
inputs.greynoise_value = artifact.value

Example Function Post Process Script:

results = playbook.functions.results.results_greynoise
if results.success:
  msg = [f"Greynoise successful for IP: {artifact.value}"]
  for k,v in results.content.items():
    msg.append(f"<br><b>{k}</b>: {v}")
  incident.addNote(helper.createRichText("".join(msg)))
else:
  incident.addNote(f'Greynoise ip community query failed:{results.reason}. Artifact value:{artifact.value}')


Playbooks

Playbook Name

Description

Activation Type

Object

Status

Condition

Greynoise IP Query (Example)

This is for enterprise version

Manual

artifact

enabled

artifact.type equals IP Address

Greynoise IP Query Community (Example)

This is an example for the community api

Manual

artifact

enabled

artifact.type equals IP Address


Troubleshooting & Support

Refer to the documentation listed in the Requirements section for troubleshooting information.

For Support

This is a IBM Community provided app. Please search the Community ibm.biz/soarcommunity for assistance.