add similar_lookup

GreyNoise-Intelligence · Oct 23, 2024 · 455601f · 455601f
1 parent c80e0de
commit 455601f
Show file tree

Hide file tree

Showing 11 changed files with 565 additions and 32 deletions.
diff --git a/plugins/greynoise/.CHECKSUM b/plugins/greynoise/.CHECKSUM
@@ -1,6 +1,6 @@
 {
-	"spec": "bddf87252c17e4f91635257804b14276",
-	"manifest": "c15acc1010cdfffa3221e9a51064cd30",
+	"spec": "db55801f0a20e43b2113de1184ff3cd4",
+	"manifest": "4264325d8b444f91b006285f2b0f8c68",
 	"setup": "7d0148b4efc7745f17003a77e9e73c55",
 	"schemas": [
 		{
@@ -13,7 +13,7 @@
 		},
 		{
 			"identifier": "get_tag_details/schema.py",
-			"hash": "66fd60aed88d9b9a3fd1ef8b3f74a6f7"
+			"hash": "805cc2db6612fc9b0ee438bbb58b231c"
 		},
 		{
 			"identifier": "gnql_query/schema.py",
@@ -27,9 +27,17 @@
 			"identifier": "riot_lookup/schema.py",
 			"hash": "0ee1bf7d6db7ee88dfd7f105bfb50ea6"
 		},
+		{
+			"identifier": "similar_lookup/schema.py",
+			"hash": "f8c96c19c59fd30ef806bf36c47bad7b"
+		},
+		{
+			"identifier": "timeline_lookup/schema.py",
+			"hash": "71963f3bf33ac17d5a46c2b017f8e9a8"
+		},
 		{
 			"identifier": "vulnerability_lookup/schema.py",
-			"hash": "7e81bb2eeded003ea9e66b43148fb430"
+			"hash": "d2e8b45236448f806ce8aa4eadeec367"
 		},
 		{
 			"identifier": "connection/schema.py",

diff --git a/plugins/greynoise/bin/icon_greynoise b/plugins/greynoise/bin/icon_greynoise
@@ -35,20 +35,23 @@ def main():
                 connection=connection.Connection()
             )
             self.add_action(actions.ContextLookup())
-
+        
             self.add_action(actions.RiotLookup())
-
+        
             self.add_action(actions.QuickLookup())
-
+        
             self.add_action(actions.GetTagDetails())
-
+        
             self.add_action(actions.GnqlQuery())
-
+        
             self.add_action(actions.CommunityLookup())
-
+        
             self.add_action(actions.VulnerabilityLookup())
-
+        
             self.add_action(actions.TimelineLookup())
+
+            self.add_action(actions.SimilarLookup())
+
 
     """Run plugin"""
     cli = insightconnect_plugin_runtime.CLI(ICONGreynoise())

diff --git a/plugins/greynoise/help.md b/plugins/greynoise/help.md
@@ -215,17 +215,17 @@ Example input:
 |Name|Type|Required|Description|Example|
 | :--- | :--- | :--- | :--- | :--- |
 |category|string|False|Tag Category|activity|
-|created_at|string|False|The date the tag was added to GreyNoise tag library.|2024-01-01|
+|created_at|string|False|The date the tag was added to GreyNoise tag library|2024-01-01|
 |cves|[]string|False|CVEs associate with Tag|CVE-2020-1234,CVE-1241-23521|
 |description|string|False|Description of the Tag|This is a tag description|
-|id|string|False|The unique ID for the tag.|aa-bb-cc-dd|
+|id|string|False|The unique ID for the tag|aa-bb-cc-dd|
 |intention|string|False|Tag Intention|malicious|
-|label|string|False|The unique label for the tag.|BINGBOT_SCANNER|
+|label|string|False|The unique label for the tag|BINGBOT_SCANNER|
 |name|string|False|Name of GreyNoise Tag|BingBot|
 |recommend_block|boolean|False|GreyNoise Recommends Blocking IPs associated with this Tag|False|
 |references|[]string|False|References|https://thisisareference.url|
-|related_tags|[]string|False|Tags that are related to this tag.|BingBot Scanner|
-|slug|string|False|The unique slug for the tag.|bingbot-scanner|
+|related_tags|[]string|False|Tags that are related to this tag|BingBot Scanner|
+|slug|string|False|The unique slug for the tag|bingbot-scanner|
 
 Example output:
 
@@ -378,6 +378,70 @@ Example output:
 }
 ```
 
+#### IP Similarity Lookup
+
+This action is used to query a routable IPv4 address in the GreyNoise for similar IPs
+
+##### Input
+
+|Name|Type|Default|Required|Description|Enum|Example|Placeholder|Tooltip|
+| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
+|ip_address|string|None|True|Routable IPv4 address to query|None|1.2.3.4|None|None|
+
+Example input:
+
+```
+{
+  "ip_address": "1.2.3.4"
+}
+```
+
+##### Output
+
+|Name|Type|Required|Description|Example|
+| :--- | :--- | :--- | :--- | :--- |
+|ip|ip_sim|False|IP Similarity Metadata|None|
+|similar_ips|[]similar_ip|False|Similar IPs|None|
+|total|integer|False|Total Number of Similar IPs returned|None|
+
+Example output:
+
+```
+{
+  "ip": {
+    "ASN": {},
+    "Actor": "",
+    "City": {},
+    "Classification": {},
+    "Country": {},
+    "Country Code": {},
+    "First Seen": {},
+    "IP Address": {},
+    "Last Seen": {},
+    "Organization": {}
+  },
+  "similar_ips": [
+    {
+      "ASN": {},
+      "Actor": "",
+      "City": {},
+      "Classification": {},
+      "Country": {},
+      "Country Code": {},
+      "Features Matched": [
+        {}
+      ],
+      "First Seen": {},
+      "IP Address": {},
+      "Last Seen": {},
+      "Organization": {},
+      "Similarity Score": 0.0
+    }
+  ],
+  "total": 0
+}
+```
+
 #### IP Timeline Lookup
 
 This action is used to query a routable IPv4 address in the GreyNoise for Scanner Daily Timeline details
@@ -466,7 +530,7 @@ Example output:
 
 #### Vulnerability Lookup
 
-This action is used to check GreyNoise for Vulnerability information.
+This action is used to check GreyNoise for Vulnerability information
 
 ##### Input
 
@@ -728,6 +792,38 @@ Example output:
 |Tag Description|string|None|False|Tag Description|None|
 |Tag Intention|string|None|False|Tag Intention|None|
 |Tag Name|string|None|False|Tag Name|None|
+
+**ip_sim**
+
+|Name|Type|Default|Required|Description|Example|
+| :--- | :--- | :--- | :--- | :--- | :--- |
+|Actor|string|None|False|Actor|None|
+|ASN|string|None|False|ASN|None|
+|City|string|None|False|City|None|
+|Classification|string|None|False|Classification|None|
+|Country|string|None|False|Country|None|
+|Country Code|string|None|False|Country Code|None|
+|First Seen|string|None|False|First Seen|None|
+|IP Address|string|None|False|IP Address|None|
+|Last Seen|string|None|False|Last Seen|None|
+|Organization|string|None|False|Organization|None|
+
+**similar_ip**
+
+|Name|Type|Default|Required|Description|Example|
+| :--- | :--- | :--- | :--- | :--- | :--- |
+|Actor|string|None|False|Actor|None|
+|ASN|string|None|False|ASN|None|
+|City|string|None|False|City|None|
+|Classification|string|None|False|Classification|None|
+|Country|string|None|False|Country|None|
+|Country Code|string|None|False|Country Code|None|
+|Features Matched|[]string|None|False|Features Matched|None|
+|First Seen|string|None|False|First Seen|None|
+|IP Address|string|None|False|IP Address|None|
+|Last Seen|string|None|False|Last Seen|None|
+|Organization|string|None|False|Organization|None|
+|Similarity Score|float|None|False|Similarity Score|None|
 
 
 ## Troubleshooting
@@ -736,7 +832,7 @@ Ensure that the GreyNoise API key used has appropriate access for the actions be
 
 # Version History
 
-* 2.0.0 - Upgrade GreyNoise SDK v2.3.0, Fix Action Outputs, Add `vulnerability_lookup` action
+* 2.0.0 - Upgrade GreyNoise SDK v2.3.0, Fix Action Outputs, Add `vulnerability_lookup` action, Add `timeline_lookup` action
 * 1.0.1 - Fix bug with connection parameters
 * 1.0.0 - Initial plugin.
 

diff --git a/plugins/greynoise/icon_greynoise/actions/__init__.py b/plugins/greynoise/icon_greynoise/actions/__init__.py
@@ -15,3 +15,6 @@
 from .vulnerability_lookup.action import VulnerabilityLookup
 
 from .timeline_lookup.action import TimelineLookup
+
+from .similar_lookup.action import SimilarLookup
+
diff --git a/plugins/greynoise/icon_greynoise/actions/get_tag_details/schema.py b/plugins/greynoise/icon_greynoise/actions/get_tag_details/schema.py
@@ -65,7 +65,7 @@ class GetTagDetailsOutput(insightconnect_plugin_runtime.Output):
     "created_at": {
       "type": "string",
       "title": "Tag Created At",
-      "description": "The date the tag was added to GreyNoise tag library.",
+      "description": "The date the tag was added to GreyNoise tag library",
       "order": 8
     },
     "cves": {
@@ -86,7 +86,7 @@ class GetTagDetailsOutput(insightconnect_plugin_runtime.Output):
     "id": {
       "type": "string",
       "title": "Tag ID",
-      "description": "The unique ID for the tag.",
+      "description": "The unique ID for the tag",
       "order": 9
     },
     "intention": {
@@ -98,7 +98,7 @@ class GetTagDetailsOutput(insightconnect_plugin_runtime.Output):
     "label": {
       "type": "string",
       "title": "Tag Label",
-      "description": "The unique label for the tag.",
+      "description": "The unique label for the tag",
       "order": 10
     },
     "name": {
@@ -125,7 +125,7 @@ class GetTagDetailsOutput(insightconnect_plugin_runtime.Output):
     "related_tags": {
       "type": "array",
       "title": "Tag Related Tags",
-      "description": "Tags that are related to this tag.",
+      "description": "Tags that are related to this tag",
       "items": {
         "type": "string"
       },
@@ -134,7 +134,7 @@ class GetTagDetailsOutput(insightconnect_plugin_runtime.Output):
     "slug": {
       "type": "string",
       "title": "Tag Slug",
-      "description": "The unique slug for the tag.",
+      "description": "The unique slug for the tag",
       "order": 11
     }
   },

diff --git a/plugins/greynoise/icon_greynoise/actions/similar_lookup/__init__.py b/plugins/greynoise/icon_greynoise/actions/similar_lookup/__init__.py
@@ -0,0 +1,2 @@
+# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT
+from .action import SimilarLookup
diff --git a/plugins/greynoise/icon_greynoise/actions/similar_lookup/action.py b/plugins/greynoise/icon_greynoise/actions/similar_lookup/action.py
@@ -0,0 +1,35 @@
+import insightconnect_plugin_runtime
+from .schema import SimilarLookupInput, SimilarLookupOutput, Input, Output, Component
+# Custom imports below
+
+
+class SimilarLookup(insightconnect_plugin_runtime.Action):
+
+    def __init__(self):
+        super(self.__class__, self).__init__(
+                name="similar_lookup",
+                description=Component.DESCRIPTION,
+                input=SimilarLookupInput(),
+                output=SimilarLookupOutput())
+
+    def run(self, params={}):
+        # START INPUT BINDING - DO NOT REMOVE - ANY INPUTS BELOW WILL UPDATE WITH YOUR PLUGIN SPEC AFTER REGENERATION
+        ip_address = params.get(Input.IP_ADDRESS)
+        # END INPUT BINDING - DO NOT REMOVE
+
+        try:
+            resp = self.connection.gn_client.similar(ip_address)
+
+        except RequestFailure as e:
+            raise PluginException(
+                cause=f"API responded with ERROR: {e.args[0]} - {e.args[1]}.",
+                assistance="Please check error and try again.",
+            )
+
+        except ValueError as e:
+            raise PluginException(
+                cause=f"Input does not appear to be valid: {ip_address}. Error Message: {e.args[0]}",
+                assistance="Please provide a valid IPv4 Address.",
+            )
+
+        return resp
Original file line number	Diff line number	Diff line change
Expand Up		@@ -15,3 +15,6 @@
		from .vulnerability_lookup.action import VulnerabilityLookup

		from .timeline_lookup.action import TimelineLookup

		from .similar_lookup.action import SimilarLookup
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT
		from .action import SimilarLookup