Sends GreyNoise query results to a Discord channel on a scheduled basis.
You are going to need the following items:
- `GREYNOISE_API_KEY`: an API key from your GreyNoise account.
- `DISCORD_WEBHOOK_URL`: a Discord webhook endpoint that is specific to the Discord server and channel.
GreyNoise API keys are available at the Community and Enterprise levels; however, using the GNQL endpoint requires an Enterprise subscription or Enterprise Trial. Go to your account details to get your key.
Read here for how to generate a Discord webhook URL.
Once you have forked this project to your own repository, you can set up the environment variables and the GitHub Actions. You must then save both the GreyNoise API key and the Discord URL to your new project repository as Repository Secrets for GitHub Actions. Read here for the instructions on adding them to your repository: Creating encrypted secrets for GitHub Actions.
To add a new query, simply paste a GNQL query into a file with a useful name, e.g. `maliciousNonBot.gnql` or `firstSeen_1d.gnql`.
You must use the GitHub Actions syntax to schedule new alerts.
- Go to `.github/workflows/alert_scheduler.yml` in the hidden `.github` directory.
- Paste a new step to run with a proper `if` condition and the correct `.gnql` file to point to.
- Commit the changes and push to your repository.
New automated jobs have a syntax like this:

```yaml
- name: lastseen1d_15m
  working-directory: ./
  if: github.event.schedule == '15 * * * *'
  env:
    GREYNOISE_API_KEY: ${{ secrets.GREYNOISE_API_KEY }}
    DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
  run: |
    cd $GITHUB_WORKSPACE
    python3 run-greynoise-query.py gnql/lastseen1d.gnql
```
The `if` statement refers to which of the above cron schedules in the `on` section to watch for. If there isn't a schedule timing you like, just append a new one and match it to the `if` statement.
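A minimal version of the `run-greynoise-query.py` step that the job above invokes, added here as an example and not the project's own script: it collapses the `.gnql` file into one query, sends it to the GreyNoise GNQL endpoint with the key in a request header (so it never lands in the URL or the job log), and posts the hits to the webhook in chunks under Discord's 2000-character message limit. The GNQL URL, the `key` header and the response fields (`count`, `data[].ip`, `classification`, `last_seen`) are assumptions based on the GreyNoise v2 API and should be checked against the current docs.

```python
import json, os, sys
import urllib.parse, urllib.request

# Assumption: GreyNoise v2 GNQL endpoint, authenticated with the "key" header.
GNQL_URL = "https://api.greynoise.io/v2/experimental/gnql"
DISCORD_LIMIT = 2000  # Discord rejects "content" longer than 2000 characters

def parse_query(text):
    """Collapse a .gnql file to one query string, dropping blank and '#' comment lines."""
    lines = [ln.strip() for ln in text.splitlines()]
    return " ".join(ln for ln in lines if ln and not ln.startswith("#"))

def gnql_request(query, api_key, size=25):
    """Build the GET request; the key travels in a header, never in the URL or job logs."""
    url = GNQL_URL + "?" + urllib.parse.urlencode({"query": query, "size": size})
    return urllib.request.Request(url, headers={"key": api_key, "Accept": "application/json"})

def format_results(query, data):
    """Render a GNQL response as Discord messages, each under the 2000-char limit.
    Assumed response shape: {"count": N, "data": [{"ip", "classification", "last_seen"}, ...]}."""
    chunks, cur = [], f"GreyNoise `{query}`: {data.get('count', 0)} result(s)"
    for hit in data.get("data", []):
        line = f"{hit['ip']} | {hit.get('classification', '?')} | {hit.get('last_seen', '?')}"
        if len(cur) + 1 + len(line) > DISCORD_LIMIT:  # flush before overflowing
            chunks.append(cur)
            cur = line
        else:
            cur += "\n" + line
    chunks.append(cur)
    return chunks

def post_discord(webhook_url, content):
    """POST one message; Discord webhooks expect JSON with a "content" field."""
    body = json.dumps({"content": content}).encode()
    req = urllib.request.Request(webhook_url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status

def main(gnql_path):
    with open(gnql_path) as f:
        query = parse_query(f.read())
    with urllib.request.urlopen(gnql_request(query, os.environ["GREYNOISE_API_KEY"]), timeout=30) as r:
        data = json.load(r)
    for chunk in format_results(query, data):
        post_discord(os.environ["DISCORD_WEBHOOK_URL"], chunk)

if __name__ == "__main__":
    main(sys.argv[1])
```

Invoked as `python3 run-greynoise-query.py gnql/lastseen1d.gnql` with the two secrets exported, exactly as the workflow step does.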