Our friends over at Elastic published a great piece on how to set up Distributed Alerting with Elastic Stack - and gave a shout out to us! As big proponents of SOC efficiency and sleep-filled nights for Incident Response teams, using GreyNoise data in your process with Elastic Stack and Tines can (1) prevent false positive alerts from ever reaching your SOC teams and (2) help provide additional context when you do receive an alert.
Our sensors are placed around the world to passively capture network traffic and give you details on which IPs are scanning the internet on a daily basis. We then tag the behavior we see with additional details and deliver that context so you can understand which traffic is benign and which traffic is attempting to exploit everyone (or just you).
Beyond our Noise dataset as described above, we also provide data on common Internet services (Google DNS, Apple, CDNs, etc.), known as RIOT.
By adding GreyNoise data (Noise and/or RIOT) into your Distributed Alerting workflow, we can help enrich logs with full context data on IPs seen by our sensors. As our friends at Tines highlighted, “Simply put, if an IP is classified in RIOT and has a trustworthy confidence level, the impact of the alert is very likely to be minimal, and it can be set as a low priority or closed immediately. Suppose the IP has a somewhat trustworthy confidence level. In that case, the priority could be raised, and/or additional risk factors could be added in to arrive at a confident automated determination of the status of the alert before any analyst review.”
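The triage rule quoted above, written out as a small enrichment step that could run between a detection rule and the SOC queue. This is an added example, not GreyNoise, Tines or Elastic code: the enrichment table, its field names and the two trust values are constructed stand-ins for a Noise/RIOT lookup (the real API schema is not shown on this page), and the priority changes are policy choices made for the example, not product defaults.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed enrichment table standing in for a GreyNoise Noise/RIOT lookup.
# Field names and the trust values are assumptions for this example only.
ENRICHMENT = {
    "198.51.100.53": {"riot": True, "trust": "trustworthy", "noise": False, "classification": None},
    "203.0.113.9":   {"riot": True, "trust": "somewhat_trustworthy", "noise": False, "classification": None},
    "192.0.2.66":    {"riot": False, "trust": None, "noise": True, "classification": "malicious"},
    "192.0.2.12":    {"riot": False, "trust": None, "noise": True, "classification": "benign"},
}
NO_CONTEXT = {"riot": False, "trust": None, "noise": False, "classification": None}

# Addresses that never appear in Internet-facing sensor data; no point enriching them.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

PRIORITY_LADDER = ["low", "medium", "high", "critical"]


@dataclass
class Alert:
    rule: str
    src_ip: str
    priority: str = "medium"   # priority as emitted by the detection rule


@dataclass
class Decision:
    alert: Alert
    action: str                # "close", "lower", "raise" or "review"
    priority: str
    reasons: list = field(default_factory=list)


def step(priority: str, delta: int) -> str:
    """Move a priority up or down the ladder, clamped at both ends."""
    i = PRIORITY_LADDER.index(priority)
    return PRIORITY_LADDER[max(0, min(len(PRIORITY_LADDER) - 1, i + delta))]


def enrich(ip: str) -> dict:
    """Return the enrichment record for an IP, or an empty record with a note."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return dict(NO_CONTEXT, note="unparseable address")
    if any(addr in net for net in INTERNAL_NETS):
        return dict(NO_CONTEXT, note="non-routable address, not in sensor data")
    return ENRICHMENT.get(ip, NO_CONTEXT)


def triage(alert: Alert) -> Decision:
    """Apply the RIOT/Noise decision rule before an analyst sees the alert."""
    ctx = enrich(alert.src_ip)
    d = Decision(alert=alert, action="review", priority=alert.priority)
    if ctx["riot"] and ctx["trust"] == "trustworthy":
        # Known common Internet service: impact is very likely minimal, close it.
        d.action, d.priority = "close", "low"
        d.reasons.append("RIOT: common Internet service, trustworthy confidence")
    elif ctx["riot"] and ctx["trust"] == "somewhat_trustworthy":
        # Shared infrastructure carries mixed traffic: raise and keep for review.
        d.action, d.priority = "raise", step(alert.priority, +1)
        d.reasons.append("RIOT: somewhat trustworthy, weigh additional risk factors")
    elif ctx["noise"] and ctx["classification"] == "malicious":
        # Sensors saw this IP scanning with hostile intent (policy choice: raise).
        d.action, d.priority = "raise", step(alert.priority, +1)
        d.reasons.append("Noise: IP observed scanning the Internet with malicious intent")
    elif ctx["noise"] and ctx["classification"] == "benign":
        # Opportunistic but benign scanner (policy choice: lower, do not close).
        d.action, d.priority = "lower", step(alert.priority, -1)
        d.reasons.append("Noise: IP observed as a benign Internet-wide scanner")
    else:
        d.reasons.append(ctx.get("note", "no sensor context, keep rule priority"))
    return d


def triage_batch(alerts: list) -> dict:
    """Count decisions per action so the effect of enrichment on the queue is visible."""
    counts = {a: 0 for a in ("close", "lower", "raise", "review")}
    for alert in alerts:
        counts[triage(alert).action] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample alerts, one per enrichment outcome.
    sample = [Alert("dns-volume", "198.51.100.53"), Alert("web-probe", "203.0.113.9"),
              Alert("ssh-brute", "192.0.2.66", "high"), Alert("port-scan", "192.0.2.12"),
              Alert("port-scan", "192.0.2.200"), Alert("lateral-move", "10.0.0.5")]
    for a in sample:
        d = triage(a)
        print(f"{a.rule:12} {a.src_ip:15} -> {d.action:6} {d.priority:8} {d.reasons[0]}")
    print(triage_batch(sample))
```

Only the "trustworthy" RIOT branch suppresses an alert outright; every other branch keeps the alert in the queue and records why its priority moved, so an analyst can see the enrichment that drove the decision.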
GreyNoise has both Elastic and Tines integrations available to our paid users, which we’re happy to demonstrate further. Whether you’re trying to tune your alerting system or digging deeper into an investigation, we hope you check out our data further.
Start an enterprise Trial today.*
(*Create a free GreyNoise account to begin your enterprise trial. Activation button is on your Account Plan Details page.)