The GreyNoise solution to accelerate alert triage in the SOC.
GreyNoise helps SOC analysts make faster alert triage decisions for security events related to their internet-facing devices by quickly identifying known benign and malicious IP addresses. With this data in hand, analysts can quickly eliminate harmless or irrelevant alerts, and escalate malicious or targeted activity.
Unique visibility into “internet noise”
Every day, hundreds of thousands of devices scan, crawl and probe every routable IP address on the internet, saturating security tools with noise and generating thousands of spurious alerts. At GreyNoise we analyze and label these IP addresses to identify both malicious and benign scanners. Our security analyst users then use this data to triage their alerts quickly and effectively.
How it works
GreyNoise customers use our IP intelligence data in two basic ways to accelerate alert triage:
Manual IP lookup in the GreyNoise Visualizer
Many GreyNoise users work out of the GreyNoise Visualizer, which provides a fast, efficient user interface to look up IP addresses associated with an alert. GreyNoise identifies whether any given scanner IP address is malicious, benign, or has unknown intent. With this context, the SOC analyst can quickly decide whether to close out the alert, or escalate it.
Automated Alert Enrichment in the SIEM or SOAR
A number of customers have decided to use GreyNoise across their entire SOC analyst team by enriching all of the alerts in their SIEM or SOAR with the GreyNoise API. The insights provided by this approach are identical to the data shown in the GreyNoise Visualizer, but analysts save even more time because they can stay in their alert management environment instead of copying and pasting IP addresses into an external system.
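As an added illustration of the enrichment decision described above (this is not GreyNoise's own code or SDK), the following Python maps a per-IP lookup result onto the close/escalate decision an analyst would make. The response field names (noise, riot, classification, name) are assumed to follow the shape of the public GreyNoise Community API; the lookup itself is stubbed with constructed sample data so the example runs offline, and in a SIEM or SOAR playbook lookup_ip would be replaced by the real API call.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional

# Constructed sample lookup results standing in for GreyNoise responses (not real data).
# Field names are an assumption about the Community API's response shape.
SAMPLE_RESPONSES: Dict[str, Optional[dict]] = {
    "198.51.100.7":  {"noise": True,  "riot": False, "classification": "malicious", "name": "unknown"},
    "192.0.2.10":    {"noise": False, "riot": True,  "classification": "benign",    "name": "Example CDN"},
    "203.0.113.5":   {"noise": True,  "riot": False, "classification": "unknown",   "name": "unknown"},
    "203.0.113.200": None,  # never observed mass-scanning the internet
}

def lookup_ip(ip: str) -> Optional[dict]:
    """Stub for the API call; returns None when the IP has not been seen as noise."""
    return SAMPLE_RESPONSES.get(ip)

@dataclass
class Verdict:
    ip: str
    action: str   # "close", "escalate" or "review"
    reason: str

def triage(ip: str, lookup: Callable[[str], Optional[dict]] = lookup_ip) -> Verdict:
    """Turn one lookup into the SOC decision: close the alert, escalate it, or review it."""
    rec = lookup(ip)
    if rec is None:
        # Not part of internet-wide noise: traffic aimed only at us may be targeted.
        return Verdict(ip, "escalate", "not seen as internet noise; possibly targeted")
    if rec.get("riot"):
        # RIOT: a known, common business service; safe to rule out.
        return Verdict(ip, "close", f"known benign service: {rec.get('name')}")
    if rec.get("classification") == "malicious":
        return Verdict(ip, "escalate", "opportunistic scanner labelled malicious")
    if rec.get("classification") == "benign":
        return Verdict(ip, "close", f"benign scanner: {rec.get('name')}")
    return Verdict(ip, "review", "internet noise with unknown intent")

def triage_alerts(ips: Iterable[str], lookup: Callable[[str], Optional[dict]] = lookup_ip) -> Dict[str, list]:
    """Enrich a batch of alert source IPs; returns {action: [ips]} for a playbook to act on."""
    out: Dict[str, list] = {"close": [], "escalate": [], "review": []}
    for ip in ips:
        verdict = triage(ip, lookup)
        out[verdict.action].append(verdict.ip)
    return out

if __name__ == "__main__":
    for ip in SAMPLE_RESPONSES:
        v = triage(ip)
        print(f"{v.ip:15} {v.action:9} {v.reason}")
```

The "not seen" branch is the part most often missed when wiring this up: an IP that is not opportunistic noise is the one an analyst most wants to see, so absence of a record should never be treated as "nothing to worry about".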