Improve Analyst Efficiency

Use Case: Improve Analyst Efficiency

GreyNoise’s internet background noise and RIOT (common business services) datasets help analysts avoid spending investigation time on irrelevant events. The data can be integrated with a SIEM to enrich events as they arrive, with a SOAR to automate triage and incident response workflows, or with a TIP as an investigation resource. Events involving IPs in GreyNoise’s noise dataset can be deprioritized: those IPs are scanning the internet at large, so the traffic is almost certainly opportunistic scan and attack activity rather than targeted reconnaissance. IPs in the RIOT dataset belong to common benign services such as business applications, software update services, and public DNS resolvers, and are very unlikely to pose a threat. Deprioritized does not mean ignored: an IP that appears in neither dataset is the one that deserves closer attention, because GreyNoise has not observed it scanning the internet and its activity may be specific to your network.

Scenario 1: SIEM Integration

GreyNoise is integrated into a SIEM application, and every external IPv4 address in incoming events is automatically looked up to determine whether GreyNoise has observed noise from it. Internal and private addresses are not looked up. The result is appended to the log event so it can be presented to analysts and passed on to other tools.


Enrich events in Splunk so that known noise does not create unnecessary alerts.

Scenario 2: SOAR Integration

GreyNoise is integrated into a SOAR application. Every incident originating from the perimeter is queried against GreyNoise and, based on defined rules (for example, lowering the severity when the source IP is in the noise or RIOT dataset), the incident severity is adjusted automatically.


Enrich alerts in XSOAR to modify the severity based on GreyNoise insights.

Scenario 3: TIP Integration

GreyNoise is integrated into a TIP application. Observables collected in the platform are queried against GreyNoise and enriched with the result, so analysts can see at a glance which IPs are internet-wide scanners or known benign services and deprioritize them.


Enrich observables in ThreatStream to help analysts know which ones to deprioritize.
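As an added illustration of the three scenarios above (example code written for this page, not GreyNoise’s integration code and not the Splunk, XSOAR or ThreatStream apps), the Python below enriches perimeter events with a GreyNoise-style lookup, adjusts severity by rule, and splits observables into a deprioritized list and a to-investigate list. The lookup is replaced by a constructed sample table so it runs offline; the response field names (`noise`, `riot`, `classification`, `name`), the 1..4 severity scale and the rule thresholds are assumptions of the example.

```python
"""Enrichment and triage logic in the style of the SIEM, SOAR and TIP scenarios.

Added example, not GreyNoise's own integration code. It assumes a GreyNoise
IP lookup yields the fields `noise`, `riot`, `classification` and `name`;
the lookup itself is replaced by a constructed table so the script runs
offline. Severity levels 1..4 and the rule thresholds are assumptions of this
example, not GreyNoise recommendations.
"""
import ipaddress

# Constructed sample data standing in for GreyNoise responses. The addresses
# are RFC 5737 documentation ranges, not real observed hosts.
SAMPLE_GREYNOISE = {
    "198.51.100.23": {"noise": True,  "riot": False, "classification": "malicious", "name": "unknown"},
    "203.0.113.9":   {"noise": True,  "riot": False, "classification": "benign",    "name": "Constructed Research Scanner"},
    "203.0.113.53":  {"noise": False, "riot": True,  "classification": "benign",    "name": "Constructed Public DNS"},
}
NOT_OBSERVED = {"noise": False, "riot": False, "classification": "unknown", "name": ""}

# Address space that should never be sent for lookup: GreyNoise only has data on
# internet-facing IPv4. (ipaddress.is_global would also reject the RFC 5737
# documentation addresses used in the sample, so the ranges are listed explicitly.)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

SEV_LOW, SEV_MEDIUM, SEV_HIGH, SEV_CRITICAL = 1, 2, 3, 4


def greynoise_lookup(ip: str) -> dict:
    """Stand-in for the GreyNoise IP lookup (a real integration calls the API here)."""
    return SAMPLE_GREYNOISE.get(ip, NOT_OBSERVED)


def is_lookup_candidate(ip: str) -> bool:
    """Only external IPv4 addresses are worth a lookup; skip internal and malformed ones."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.version == 4 and not any(addr in net for net in NON_ROUTABLE)


def enrich_event(event: dict) -> dict:
    """Scenario 1 (SIEM): append GreyNoise fields to a log event, leaving the original untouched."""
    enriched = dict(event)
    ip = str(event.get("src_ip", ""))
    if not is_lookup_candidate(ip):
        enriched["gn_status"] = "skipped"  # internal or invalid address: nothing to ask GreyNoise
        return enriched
    rec = greynoise_lookup(ip)
    enriched.update({
        "gn_status": "enriched",
        "gn_noise": rec["noise"],
        "gn_riot": rec["riot"],
        "gn_classification": rec["classification"],
        "gn_name": rec["name"],
    })
    return enriched


def adjust_severity(enriched: dict, base_severity: int) -> int:
    """Scenario 2 (SOAR): lower severity for noise and RIOT hits; never raise it.

    Policy of this example: RIOT or benign-classified noise drops to low; other
    noise drops one level; anything GreyNoise has not seen keeps the base
    severity, since that is the traffic that may actually be targeted.
    """
    if enriched.get("gn_status") != "enriched":
        return base_severity
    if enriched["gn_riot"] or (enriched["gn_noise"] and enriched["gn_classification"] == "benign"):
        return SEV_LOW
    if enriched["gn_noise"]:
        return max(SEV_LOW, base_severity - 1)
    return base_severity


def triage_observables(ips):
    """Scenario 3 (TIP): split observables into deprioritized and to-investigate lists.

    Anything not confirmed as noise or RIOT, including addresses that could not
    be looked up, stays on the investigate list.
    """
    deprioritized, investigate = [], []
    for ip in ips:
        rec = enrich_event({"src_ip": ip})
        if rec.get("gn_noise") or rec.get("gn_riot"):
            deprioritized.append(ip)
        else:
            investigate.append(ip)
    return deprioritized, investigate


if __name__ == "__main__":
    # Constructed perimeter events.
    events = [
        {"src_ip": "198.51.100.23", "dst_port": 22,  "action": "blocked"},
        {"src_ip": "203.0.113.9",   "dst_port": 443, "action": "blocked"},
        {"src_ip": "203.0.113.53",  "dst_port": 53,  "action": "allowed"},
        {"src_ip": "192.0.2.77",    "dst_port": 22,  "action": "blocked"},
        {"src_ip": "10.0.0.5",      "dst_port": 445, "action": "allowed"},
    ]
    for ev in events:
        e = enrich_event(ev)
        print(ev["src_ip"], e["gn_status"], e.get("gn_classification", "-"),
              "severity", adjust_severity(e, SEV_HIGH))
    print(triage_observables([ev["src_ip"] for ev in events]))
```

The point worth carrying into a real integration is the last branch of `adjust_severity`: an external IP that GreyNoise has never seen keeps its original severity, because the absence of noise is itself a signal that the activity may be aimed at you specifically.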