{
  "name": "ti_greynoise",
  "title": "GreyNoise",
  "version": "0.8.1",
  "release": "beta",
  "description": "Collect Threat Intelligence Indicators from GreyNoise using Elastic Agent, and perform enrichment on Elasticsearch by correlating Indicators of Compromise (IOCs).",
  "type": "integration",
  "download": "/epr/ti_greynoise/ti_greynoise-0.8.1.zip",
  "path": "/package/ti_greynoise/0.8.1",
  "icons": [
    {
      "src": "/img/greynoise_logo.jpeg",
      "path": "/package/ti_greynoise/0.8.1/img/greynoise_logo.jpeg",
      "title": "GreyNoise Logo",
      "size": "32x32",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.17.0 || ^9.0.0"
    },
    "elastic": {
      "subscription": "basic",
      "capabilities": [
        "security"
      ]
    }
  },
  "owner": {
    "type": "community",
    "github": "elastic/security-service-integrations"
  },
  "categories": [
    "threat_intel",
    "security"
  ],
  "signature_path": "/epr/ti_greynoise/ti_greynoise-0.8.1.zip.sig",
  "format_version": "3.3.2",
  "readme": "/package/ti_greynoise/0.8.1/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/greynoise_threat_feed_overview_dashboard.png",
      "path": "/package/ti_greynoise/0.8.1/img/greynoise_threat_feed_overview_dashboard.png",
      "title": "Threat Feed Overview Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/greynoise_threat_intelligence_dashboard.png",
      "path": "/package/ti_greynoise/0.8.1/img/greynoise_threat_intelligence_dashboard.png",
      "title": "Threat Intelligence Dashboard",
      "size": "600x600",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/ti_greynoise/0.8.1/LICENSE.txt",
    "/package/ti_greynoise/0.8.1/changelog.yml",
    "/package/ti_greynoise/0.8.1/manifest.yml",
    "/package/ti_greynoise/0.8.1/validation.yml",
    "/package/ti_greynoise/0.8.1/docs/README.md",
    "/package/ti_greynoise/0.8.1/img/greynoise_logo.jpeg",
    "/package/ti_greynoise/0.8.1/img/greynoise_threat_feed_overview_dashboard.png",
    "/package/ti_greynoise/0.8.1/img/greynoise_threat_intelligence_dashboard.png",
    "/package/ti_greynoise/0.8.1/kibana/tags.yml",
    "/package/ti_greynoise/0.8.1/data_stream/ip/manifest.yml",
    "/package/ti_greynoise/0.8.1/data_stream/ip/sample_event.json",
    "/package/ti_greynoise/0.8.1/elasticsearch/ingest_pipeline/ti_greynoise-correlation_detection_rule-pipeline.yml",
    "/package/ti_greynoise/0.8.1/kibana/dashboard/ti_greynoise-24d2c409-0abf-415a-aa3d-a6d007c42ba3.json",
    "/package/ti_greynoise/0.8.1/kibana/dashboard/ti_greynoise-90679482-db68-4980-b69c-5f562f964d55.json",
    "/package/ti_greynoise/0.8.1/kibana/search/ti_greynoise-9206bebd-d796-44cc-9470-ac16a1b62ca2.json",
    "/package/ti_greynoise/0.8.1/kibana/search/ti_greynoise-cbe163eb-0cbf-45b7-b449-ffc02ae3bcff.json",
    "/package/ti_greynoise/0.8.1/data_stream/ip/fields/base-fields.yml",
    "/package/ti_greynoise/0.8.1/data_stream/ip/fields/beats.yml",
    "/package/ti_greynoise/0.8.1/data_stream/ip/fields/fields.yml",
    "/package/ti_greynoise/0.8.1/data_stream/ip/fields/is-transform-source-true.yml",
    "/package/ti_greynoise/0.8.1/elasticsearch/transform/ip/manifest.yml",
    "/package/ti_greynoise/0.8.1/elasticsearch/transform/ip/transform.yml",
    "/package/ti_greynoise/0.8.1/elasticsearch/transform/rule/manifest.yml",
    "/package/ti_greynoise/0.8.1/elasticsearch/transform/rule/transform.yml",
    "/package/ti_greynoise/0.8.1/data_stream/ip/agent/stream/cel.yml.hbs",
    "/package/ti_greynoise/0.8.1/data_stream/ip/elasticsearch/ingest_pipeline/default.yml",
    "/package/ti_greynoise/0.8.1/elasticsearch/transform/ip/fields/base-fields.yml",
    "/package/ti_greynoise/0.8.1/elasticsearch/transform/ip/fields/beats.yml",
    "/package/ti_greynoise/0.8.1/elasticsearch/transform/ip/fields/ecs.yml",
    "/package/ti_greynoise/0.8.1/elasticsearch/transform/ip/fields/fields.yml",
    "/package/ti_greynoise/0.8.1/elasticsearch/transform/ip/fields/is-transform-source-false.yml",
    "/package/ti_greynoise/0.8.1/elasticsearch/transform/rule/fields/base-fields.yml",
    "/package/ti_greynoise/0.8.1/elasticsearch/transform/rule/fields/beats.yml",
    "/package/ti_greynoise/0.8.1/elasticsearch/transform/rule/fields/ecs.yml",
    "/package/ti_greynoise/0.8.1/elasticsearch/transform/rule/fields/fields.yml"
  ],
  "policy_templates": [
    {
      "name": "ti_greynoise",
      "title": "GreyNoise events",
      "description": "Collect GreyNoise events.",
      "inputs": [
        {
          "type": "cel",
          "vars": [
            {
              "name": "url",
              "type": "url",
              "title": "URL",
              "description": "Base URL used for all requests to the GreyNoise API. By default it is set to `https://api.greynoise.io`. Note that the configured API Key is sent to whichever host is set here, so only point this at a trusted GreyNoise endpoint.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "https://api.greynoise.io"
            },
            {
              "name": "api_key",
              "type": "password",
              "title": "API Key",
              "description": "API Key used to authenticate the requests.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL used to proxy connections, in the form http[s]://<user>:<password>@<server name/ip>:<port>. Ensure the username and password are URL-encoded. Unlike the API Key, this is a plain text field rather than a secret, so any credentials embedded in it are not masked.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "TLS client options for the connection to the GreyNoise API, e.g. certificate_authorities, supported_protocols, verification_mode. Avoid `verification_mode: none`, which disables server certificate verification.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
            }
          ],
          "title": "Collect GreyNoise events via API",
          "description": "Collecting GreyNoise events via API."
        }
      ],
      "multiple": true,
      "deployment_modes": {
        "default": {
          "enabled": true
        },
        "agentless": {
          "enabled": true
        }
      }
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "ti_greynoise.ip",
      "title": "IP Indicators",
      "release": "beta",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between consecutive requests to the GreyNoise API. Due to API limitations it must be greater than 1 hour, and the only supported unit is h (hours).",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "page_size",
              "type": "integer",
              "title": "Page Size",
              "description": "The number of results provided per page for paginating through all results of a query. The maximum supported page size is 5000.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 5000
            },
            {
              "name": "query",
              "type": "text",
              "title": "Query",
              "description": "Query to filter the results. Please note that the \"last_seen\" field should not be included in the query, as it is predefined with a fixed value of \"1d\".",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "classification:malicious"
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "5m"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs full requests and responses to the agent's local file-system for debugging configurations. Because these traces can contain sensitive data, including the credentials sent with each request, enabling tracing compromises security: use it only temporarily for debugging and disable it afterwards. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "greynoise-ip"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "IP Indicators",
          "description": "Collecting IP Indicators via API. Requires a GreyNoise Enterprise subscription.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "ti_greynoise",
      "path": "ip"
    }
  ]
}
