GreyNoise Trends includes the ability to access a dynamic list of IPs that can be used in the Dynamic Block List feature in many of today's firewall products.
The blocklist URL is tied to a specific GreyNoise tag, providing a dynamically updated list of IPs that have been observed scanning for the specific tag activity in the last 24 hours.
To obtain the blocklist URL for a tag, navigate to the GreyNoise Trends page for the tag you want to dynamically block.
In the Actions section on the right-hand column there are two different components:
- Manual, which allows you to download a file containing the current list of IPs scanning in the last 24 hours
- Automatic, which allows you to grab an URL that can be used for Dynamic Block Lists.
From the Automated section of the Actions box, click the Block at NG Firewall link. This will open the details on the automated blocking feature. Depending on your account type, your user experience may vary slightly:
For those with access to Unlimited Blocklist URLs, a URL will be immediately available to be copied.
For those with access to a limited number of Blocklist URLs, a subscribe button will be presented. Once subscribed to a tag, the URL will be visible.
Tag subscriptions for the Trends Blocklist URLs can be viewed on the Account page.
At the bottom of the screen, select the Copy button to capture the URL to use for the Dynamic Block List.
This URL can now be used to populate Dynamic Block Lists on most major firewalls. Here are some links to additional vendor-specific documentation that shows how to apply this URL to a blocklist.
Auth Tokens in Blocklist URLs
When copying a Blocklist URL, an authentication token will be included as part of the URL so that additional authentication steps do not need to be taken when using this feature.
Updated 4 months ago