in elkserver/docker/redelk-base/redelkinstalldata/scripts/modules/enrich_greynoise/module.py [0:0]
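def get_greynoise_data(self, ip_address, timeout=10):
    """Query GreyNoise for *ip_address* and return a normalised enrichment record.

    Args:
        ip_address: IP to look up. It is appended verbatim to
            ``self.greynoise_url`` to form the request path.
        timeout: seconds ``requests.get`` waits for connect/read before
            raising. The original call had no timeout, so a stalled API
            could block the enrichment run indefinitely; the default keeps
            the call signature backward-compatible.

    Returns:
        dict with the keys ``ip``, ``noise``, ``riot``, ``classification``,
        ``name``, ``link``, ``last_seen``, ``message`` and
        ``query_timestamp`` (epoch seconds when the query was made). Keys
        absent from the API reply take the defaults given in the body.
        Returns ``False`` on any failure (network error, timeout, non-JSON
        body, ...); the failure is logged via ``self.logger``.
    """
    # Malicious sample
    # {
    # "ip": "222.187.238.136",
    # "noise": true,
    # "riot": false,
    # "classification": "malicious",
    # "name": "unknown",
    # "link": "https://viz.greynoise.io/ip/222.187.238.136",
    # "last_seen": "2021-06-23",
    # "message": "Success"
    # }
    #
    # Benign sample
    # {
    # "ip": "8.8.8.8",
    # "noise": false,
    # "riot": true,
    # "classification": "benign",
    # "name": "Google Public DNS",
    # "link": "https://viz.greynoise.io/riot/8.8.8.8",
    # "last_seen": "2021-06-23",
    # "message": "Success"
    # }
    #
    # Unknown sample
    # {
    # "ip": "123.123.115.117",
    # "noise": false,
    # "riot": false,
    # "message": "IP not observed scanning the internet or contained in RIOT data set."
    # }
    try:
        gn_headers = {
            # API key travels in a request header; never log gn_headers.
            "key": self.api_key,
            "User-Agent": "greynoise-redelk-enrichment",
        }
        # NOTE(review): ip_address is interpolated into the URL path without
        # quoting — assumes upstream extraction already yields a clean IP literal.
        gn_data = requests.get(
            f"{self.greynoise_url}{ip_address}",
            headers=gn_headers,
            timeout=timeout,
        )
        # NOTE(review): the HTTP status is intentionally not checked here; the
        # "unknown" sample above appears to be delivered as an ordinary JSON
        # body, so adding raise_for_status() could turn that case into a
        # logged failure — confirm against the API before changing this.
        json_result = gn_data.json()
        result = {
            "ip": ip_address,
            "noise": get_value("noise", json_result, False),
            "riot": get_value("riot", json_result, False),
            "classification": get_value("classification", json_result, "unknown"),
            "name": get_value("name", json_result, "unknown"),
            "link": get_value("link", json_result, "unknown"),
            "last_seen": get_value("last_seen", json_result, None),
            "message": get_value("message", json_result, "unknown"),
            "query_timestamp": int(time()),
        }
        return result
    # pylint: disable=broad-except
    except Exception as error:
        # Broad catch is deliberate: one failed lookup must not abort the
        # whole enrichment pass. Callers must treat a False return as "no data".
        self.logger.error("Error getting greynoise IP %s", ip_address)
        self.logger.exception(error)
        return False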