Every organization connected to the internet faces the same background noise: automated exploitation attempts, vulnerability scanning, and credential abuse hitting the perimeter around the clock. The hard part isn't seeing the traffic; it's answering three questions fast enough to matter. What's hitting us? What's getting through? And what's already talking to adversary infrastructure?
GreyNoise continuously observes scan and attack activity across the internet, classifies the source IPs by behavior, and delivers that intelligence into your SIEM. The point isn't more data. It's separating the opportunistic noise, the stuff hitting everyone, from activity that might actually be aimed at you. Here are four ways SOC teams are putting that distinction to work.
1. Reduce alert volume and surface potentially targeted threats
The problem
Detections on perimeter scans and attacks are noisy by nature. Most alerts off edge devices aren't real threats, so they get ignored or suppressed. The alerts worth investigating are in there, but they're buried under scanning noise that hides anything resembling a targeted threat.
The detection
Filter your firewall and WAF logs down to inbound internet traffic, then match source IPs against GreyNoise and exclude the known mass scanners. Prioritize what's left by source-IP volume. Stripping out opportunistic scanning means analysts triage far fewer events, and the detection logic that remains has room to surface traffic more likely to represent targeted reconnaissance or attack activity.
The signal
Fewer alerts, better signal-to-noise. Every remaining alert comes from an IP GreyNoise has never observed scanning the internet, which is a much stronger indicator of potential targeted reconnaissance.
2. Detect allowed inbound traffic from known-malicious hosts
The problem
Perimeter gaps go unnoticed because nothing validates whether traffic that was allowed through should have been. Without external intelligence, traffic that passes through the firewall may not receive additional scrutiny, even when the source IP has a documented history of malicious activity.
The detection
Correlate firewall and WAF allow logs against GreyNoise intelligence. Filter to inbound allowed events, match the source IPs against GreyNoise, and surface the malicious and suspicious matches, prioritized by source-IP volume. That tells you when something you let in originated from a host observed conducting mass scanning or exploitation.
The signal
A list of sessions where known-malicious or suspicious IPs were permitted through your perimeter. Each match is two things at once: a session worth investigating, and a firewall or WAF rule worth re-evaluating.
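The first two detections share the same shape: enrich inbound firewall/WAF source IPs with GreyNoise context, then either drop the known mass scanners (detection 1) or surface the allowed sessions from malicious and suspicious sources (detection 2). The following Python is an added illustration, not GreyNoise's own code; the enrichment table, the log lines, and the field names `classification` and `noise` are constructed for this example, and a real deployment would get them from the GreyNoise integration.

```python
from collections import Counter

# Constructed GreyNoise-style enrichment for this example (made-up values; a real
# deployment would pull classification and noise status from the GreyNoise integration).
INTEL = {
    "203.0.113.10": {"classification": "benign", "noise": True},     # known mass scanner
    "203.0.113.20": {"classification": "malicious", "noise": True},  # observed exploiting
    "203.0.113.30": {"classification": "suspicious", "noise": True},
    # 198.51.100.5 is deliberately absent: GreyNoise has never seen it scanning
}

# Constructed inbound firewall/WAF log lines: action,src_ip,dst_port
FW_LOG = """\
allow,203.0.113.10,22
deny,203.0.113.10,23
allow,203.0.113.20,443
allow,203.0.113.20,8443
allow,203.0.113.30,443
deny,198.51.100.5,445
deny,198.51.100.5,3389
allow,198.51.100.5,443
"""

def parse(log):
    """Split the constructed CSV-style log into (action, src_ip, dst_port) tuples."""
    return [tuple(line.split(",")) for line in log.strip().splitlines()]

def targeted_candidates(events, intel):
    """Detection 1: drop every source GreyNoise has seen mass-scanning and rank the
    remaining sources by event volume; these are the ones more likely to be targeted."""
    counts = Counter(src for _, src, _ in events if not intel.get(src, {}).get("noise"))
    return counts.most_common()

def allowed_from_bad(events, intel):
    """Detection 2: allowed inbound sessions whose source GreyNoise classes malicious or
    suspicious, ranked by volume; each hit is both a session and a rule to review."""
    counts = Counter(
        (src, intel[src]["classification"])
        for action, src, _ in events
        if action == "allow"
        and intel.get(src, {}).get("classification") in ("malicious", "suspicious")
    )
    return counts.most_common()

if __name__ == "__main__":
    events = parse(FW_LOG)
    print("possible targeted sources:", targeted_candidates(events, INTEL))
    print("allowed from malicious/suspicious:", allowed_from_bad(events, INTEL))
```

Note that the never-seen source 198.51.100.5 is the only thing left after detection 1 even though most of its traffic was denied; volume, not firewall action, is the ranking key there.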
3. Flag authentication attempts from compromised hosts
The problem
Authentication failures and brute-force attempts from the internet are constant for any perimeter device. The trouble is telling opportunistic account access apart from attempts aimed specifically at your organization. Hosts running mass scans or operating as part of botnet or proxy infrastructure authenticate to VPNs and identity providers all the time, and standard detection logic doesn't flag it.
The detection
Correlate VPN and identity-provider authentication logs with GreyNoise. Filter to authentication events, match source IPs against GreyNoise, keep only the matches GreyNoise marks as not spoofable, and prioritize by source-IP volume. That surfaces auth attempts coming from hosts already observed scanning the internet, early enough to intervene on both successful and failed attempts.
The signal
A successful auth from a GreyNoise-flagged IP is an immediate, high-priority alert. Failed attempts from flagged IPs are worth a look too, as they can indicate active targeting of your identity infrastructure rather than random background noise.
4. Detect outbound connections to threat infrastructure
The problem
Outbound connection volume is so high that alerting on or investigating anomalous connections individually is impractical, so connections from internal infrastructure to known-malicious systems slip by. Most threat intel feeds don't help here either because they lack the real-time behavioral data needed to tell which outbound connections actually warrant a look.
The detection
An internal host reaching out to malicious infrastructure is a clear sign of compromise. Take outbound network and EDR logs, filter to allowed egress connections to public IPs, match the destination IPs against GreyNoise, and surface the malicious matches, prioritized by internal source-IP volume. When an internal host lights up here, the correlation points at a possible indicator of compromise: C2 beaconing, data exfiltration, or botnet participation.
The signal
Any successful outbound connection to GreyNoise-classified malicious infrastructure warrants immediate investigation of the internal host for indicators of compromise.
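Detections 3 and 4 differ from the inbound ones in which side of the connection gets enriched and how hits are ranked. The Python below is an added illustration, not GreyNoise's code: the enrichment table, log lines, and the `spoofable` field are constructed for the example, and treating RFC 1918 space as the internal address range is an assumption.

```python
import ipaddress
from collections import Counter

# Constructed GreyNoise-style enrichment (made-up values; "spoofable" stands in for
# GreyNoise's judgement of whether traffic from the source could be spoofed).
INTEL = {
    "203.0.113.40": {"classification": "malicious", "spoofable": False},
    "203.0.113.41": {"classification": "malicious", "spoofable": True},  # excluded by detection 3
    "203.0.113.50": {"classification": "malicious", "spoofable": False},
    "203.0.113.60": {"classification": "benign", "spoofable": False},
}
# Assumption: RFC 1918 space is the organization's internal address range.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed VPN / identity-provider auth log: result,src_ip,user
AUTH_LOG = """\
success,203.0.113.40,jdoe
failure,203.0.113.40,admin
failure,203.0.113.41,admin
success,192.0.2.77,asmith
"""
# Constructed outbound network/EDR log: action,internal_src,dst_ip
OUT_LOG = """\
allow,10.0.0.5,203.0.113.50
allow,10.0.0.5,203.0.113.50
deny,10.0.0.6,203.0.113.50
allow,10.0.0.7,10.0.0.9
allow,10.0.0.8,203.0.113.60
"""

def rows(log):
    return [tuple(line.split(",")) for line in log.strip().splitlines()]

def is_public(ip):
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def flagged_auth(log, intel):
    """Detection 3: auth events from not-spoofable GreyNoise hits; successes sort first, then by volume."""
    hits = Counter()
    for result, src, _user in rows(log):
        ctx = intel.get(src)
        if ctx and not ctx["spoofable"]:
            hits[(src, result)] += 1
    return sorted(hits.items(), key=lambda kv: (kv[0][1] != "success", -kv[1]))

def outbound_to_malicious(log, intel):
    """Detection 4: allowed egress to public, GreyNoise-malicious IPs, ranked by internal host volume."""
    hosts = Counter()
    for action, src, dst in rows(log):
        if action == "allow" and is_public(dst) and intel.get(dst, {}).get("classification") == "malicious":
            hosts[src] += 1
    return hosts.most_common()
```

The denied egress from 10.0.0.6 is dropped on purpose: the detection is about connections that succeeded, while the blocked one belongs in the firewall's own alerting.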
The operational payoff
Stacked together, these four detections move the needle on the things that security teams actually care about:
- Reduce alert volume by removing opportunistic scanning from SIEM telemetry.
- Improve signal-to-noise by prioritizing events more likely to represent targeted threats.
- Surface perimeter gaps by identifying malicious infrastructure that made it through your defenses.
- Detect compromise earlier by flagging suspicious authentication and outbound activity sooner.
None of this replaces the tooling you already run. GreyNoise is the context layer that makes your firewall, WAF, identity provider, EDR, and SIEM better at separating the internet's constant background noise from the activity worth your analysts' time.