Using the GreyNoise Visualizer

This Guide explains how to use the different features and components of the GreyNoise Visualizer.

Logging into the GreyNoise Visualizer

  1. Start at https://viz.greynoise.io
  2. Click on the "Login" option in the upper right corner navigation area and complete the login process
2142

Searching for an IP

  1. Using the search bar in the middle of the Visualizer, enter an IP or CIDR block (ex. 69.70.237.0/24) to lookup
2142

Searching for an IP or CIDR block from the Visualizer search bar

  1. From the search results, click on the View IP Details link to see the details of the IP

πŸ“˜

If the IP is not found, no search results will be displayed

πŸ“˜

If the IP is part of the RIOT (common business services) dataset and the Visualizer will direct you to the RIOT page for the provided IP

Reviewing the details of an IP (Noise)

The Noise IP details page is broken down into the following sections:

  • Metadata
  • Tags
  • Ports
  • Paths
  • Fingerprints
  • JA3s

The IP itself will display as RED if classified as Malicious, GREEN if classified as Benign, or GRAY if classified as Unknown. The organization and actor are also called out under the IP if known.

Additional data points may be displayed above the IP to provide additional information for analysis:

  • Spoofable: The IP has failed to complete a full TCP connection
  • VPN: The IP is associated with a VPN service (VPN Information is provided by Spur). The Service Name is also provided

The metadata section includes:

  • First Seen: The first date GreyNoise observed this IP scanning
  • Last Seen: The last date GreyNoise observed this IP scanning
  • OS: The operating system the IP scanner is running
  • ASN: The ASN the IP belongs to
  • Location Data: Region, Country and City are provided, when known
  • rDNS: The Reverse DNS entry for the IP, if known

When available, the bottom-left section of the page displays captured Port, Path, User-Agent, JA3s and Fingerprints observed with this IP

Tags are used to help classify an IP and also to provide additional context data to an analyst. A list of tags is displayed under the metadata section, but details on the tags are also displayed along the bottom right sidebar of the page. Tags are colored RED when the intention is believed to be malicious, GREEN when the intention is believed to be benign, and GRAY when the intention is unknown. A full list of tags can be seen via the Cheat Sheet page: https://viz.greynoise.io/cheat-sheet/tags

CVEs, which are associated with certain tags, are also displayed on the bottom right sidebar of the page, directly above the tag details list.

πŸ“˜

A benign IP address may have tags that are indicated as malicious intent. These are benign based on the Actor being a known good actor.

Reviewing the Details of an IP (RIOT)

The IP details page for an IP found in the RIOT Project display the following:

  • Service Name/Provider
  • Service Category
  • The last time this IP was updated in the RIOT Project

IPs that are part of the RIOT project can be considered harmless with high confidence as they belong to known benign services or organizations.

Performing a GreyNoise Query (GNQL)

Using the Visualizer search bar, enter a GreyNoise Query using the GNQL (GreyNoise Query Language) syntax.

Here are some common examples:
classification:malicious last_seen:1d
metadata.organization:"Acme Inc"
metadata.asn:AS35313
tags:"ADB Attempt"

The search results page provides:

  • Total Number of results for matching query
  • The left sidebar provides breakdowns by Country, Classification and other context
  • A list of IP results sorted by last seen date

Each IP can be drilled into by clicking the View IP Details link on any IP card in the right-side result panel.

Customers with an active subscription are also able to Export the search results using the Export button at the top of the results list. Available Export options are: JSON and CSV

Additional Example queries can be found on the Cheat Sheet tab: https://viz.greynoise.io/cheat-sheet/ and query components can be found on the Queries sub-tab: https://viz.greynoise.io/cheat-sheet/queries

Viewing the Latest GreyNoise Trends

Start by Navigating to the Trends Page of the Visualizer: https://viz.greynoise.io/trends

The Trend page provides a snapshot of what GreyNoise has observed over the last 24 hours.

At the top level, it provides the classification breakdown of all IPs observed in the last 24 hours.

The bottom left pane allows the top Organizations, Tags, Countries, or OSes to be displayed for All or a subset of IPs observed in the last 24 hours.

The bottom right pane calculates the latest port anomalies for the past several days to highlight increase traffic observed over specific ports, compared to the monthly average observed for that port.

Analyzing a File or List of IPs

Start by Navigation to the Analysis page: https://viz.greynoise.io/analysis/

The Analysis page can be used to analyze a file or list of IPs and provide the stats of the input.

To begin the analysis, enter a list of IPs or blog of text, or select a file such as an auth.log file and press the analyze button.

Similar to the search results page, the analysis results page provides a breakdown of all IPv4 addresses that were parsable from the input.

The top left sidebar provides a breakdown of the total number of lines and unique IPs, then shows the total number of IPs that were Noise (part of GreyNoise) or Not Noise (not seen by GreyNoise).

The bottom left sidebar provides the breakdown of classification, countries, tags, and OSes for Noise IPs.

The right panel provides the full list of Noise IPs that GreyNoise knows about with visible Organization, Classification, and Last Seen information.

Customers with an active subscription are also able to export the analysis results using the Export button at the top of the results list. Available Export options are: JSON and CSV

Setting up an Alert

GreyNoise alerts are used to alert via email when an IP matching the provided alert configuration (either by CIDR or GNQL search) is observed scanning the internet.

For example, if a corporation owns CIDR block 54.24.0.0/16, GreyNoise alerts can notify an admin if any IP within that CIDR block suddenly begins scanning the internet.

Start by navigation to the Alert section of the Account Profile by either hovering over the Account option and selecting Alert or going to: https://viz.greynoise.io/account/alerts

To create a new alert, click on the Create Alert tab:

On the alert configuration dialog, enter:

  • an IP
  • a CIDR block in 52.24.0.0/16 notation
  • a GNQL
  • the email(s) of who to notify
  • a specific name for this alert to help identify it

To update or disable an alert:

Click on the alert expand and view the details.

If the alert should be deleted, click on the Remove button. This removes the entry from the account.
If the alert should just be disabled, click on the Disabled button. This only disables the alert and it can be re-enabled later.
If the alert needs to be edited, click on the Edit, make the necessary changes and click the Save button.

πŸ“˜

Alerts are currently only sent once per day at 12:00 UTC. Additional intervals will be available soon.