About Sensor Activity Feed

What is the Sensor Activity Feed?

The Sensor Activity Feed is a product feature designed for GreyNoise Sensor users, including Threat Analysts, Threat Hunters, and Detection Engineers. It is an API that responds with a feed of IP sessions summarizing what is hitting the sensors in your workspace. Users can import the feed into a TIP, SIEM, or SOAR for further enrichment, correlation, or analysis actions. The feed includes helpful fields such as the sensor ID, persona ID, source IP and port, destination IP and port, and session size.

Future feed versions will be enriched with GreyNoise tags, CVEs, GreyNoise classifications, geolocation data, and the ability to pull session payloads. The goal is to give users easy access to their GreyNoise Sensor collected data, allowing them to plug it into existing platforms and workflows.

Access to the feed requires an active Enterprise subscription with feed access or a Sensor trial. For more information, don't hesitate to get in touch with your CSM or contact our sales team.

Why would I use the Sensor Activity Feed?

Deploying a honeypot often results in digging through a lot of data to find malicious activity. The Sensor Activity Feed rolls that data into enriched IP sessions, helping you pinpoint threats and jump straight into analysis.

Use Cases

Early warning alerts and hunting for threats

Using the source IP addresses from your sensor feed sessions, you can enrich and correlate that activity across your organization using your TIP, SIEM, or SOAR platform. For example, if your sensor is running a persona mimicking software affected by a recently released CVE, you might want to investigate the IPs hitting that sensor to check whether they are also hitting the GreyNoise global network or are targeting only your organization. Going further, you could pull back PCAP data from your sensor and view the network traffic from that IP to identify potential exploitation activity or analyze payloads.

Investigating targeted activity, creating detections, and blocking

The Sensor Activity Feed can be used to alert on IP addresses targeting your sensors. This is especially useful when running sensor personas that look like applications or devices critical to your organization. Identifying attackers performing reconnaissance against, or attempting to exploit, your sensor gives your team intelligence that can be turned into detections or IoCs that feed blocking actions.
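As an added example (not GreyNoise code, and not the documented feed schema), the triage logic behind both use cases above: roll feed sessions up per source IP, then flag sources that hit a watched persona or touched several destination ports, producing candidate IoCs to push to a SIEM or TIP. The JSON key names and the sample records are constructed assumptions based on the fields the page lists.

```python
import json
from collections import defaultdict

# Constructed sample of feed sessions; the key names are assumptions,
# not the documented schema of the GreyNoise Sensor Activity Feed.
SAMPLE_FEED = json.dumps([
    {"sensor_id": "sensor-a", "persona_id": "persona-cve-demo", "src_ip": "203.0.113.10",
     "src_port": 51000, "dst_ip": "10.0.0.5", "dst_port": 443, "session_size": 1200},
    {"sensor_id": "sensor-a", "persona_id": "persona-cve-demo", "src_ip": "203.0.113.10",
     "src_port": 51001, "dst_ip": "10.0.0.5", "dst_port": 8443, "session_size": 900},
    {"sensor_id": "sensor-a", "persona_id": "persona-ssh", "src_ip": "203.0.113.10",
     "src_port": 51002, "dst_ip": "10.0.0.5", "dst_port": 22, "session_size": 300},
    {"sensor_id": "sensor-b", "persona_id": "persona-ssh", "src_ip": "198.51.100.7",
     "src_port": 40000, "dst_ip": "10.0.0.6", "dst_port": 22, "session_size": 150},
])

REQUIRED = ("sensor_id", "persona_id", "src_ip", "src_port", "dst_ip", "dst_port", "session_size")

def parse_feed(raw):
    """Parse the feed body and drop records missing any required field, so a
    malformed record cannot become a silent false positive downstream."""
    return [s for s in json.loads(raw) if all(k in s for k in REQUIRED)]

def summarize_by_source(sessions):
    """Roll sessions up per source IP: session count, personas and ports touched, bytes."""
    out = defaultdict(lambda: {"sessions": 0, "personas": set(), "dst_ports": set(), "bytes": 0})
    for s in sessions:
        e = out[s["src_ip"]]
        e["sessions"] += 1
        e["personas"].add(s["persona_id"])
        e["dst_ports"].add(s["dst_port"])
        e["bytes"] += s["session_size"]
    return dict(out)

def flag_sources(summary, watch_personas, min_ports=3):
    """Return {src_ip: [reasons]} for sources that hit a watched persona (e.g. one
    mimicking software with a recent CVE) or touched >= min_ports distinct ports."""
    flagged = {}
    for ip, e in summary.items():
        reasons = []
        hit = e["personas"] & set(watch_personas)
        if hit:
            reasons.append("watched persona: " + ",".join(sorted(hit)))
        if len(e["dst_ports"]) >= min_ports:
            reasons.append(f"{len(e['dst_ports'])} distinct destination ports")
        if reasons:
            flagged[ip] = reasons
    return flagged

if __name__ == "__main__":
    summary = summarize_by_source(parse_feed(SAMPLE_FEED))
    for ip, why in flag_sources(summary, {"persona-cve-demo"}).items():
        print(ip, "->", "; ".join(why))  # candidate IoCs for the SIEM/TIP
```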