Elasticsearch Installation Guide
Overview
This integration enables seamless ingestion, enrichment, and visualization of GreyNoise threat intelligence data within Elastic Security. It supports continuous collection of GreyNoise indicators and enriches security events with contextual threat intelligence, including malicious classifications, scanner identification, ASN information, VPN/Tor detection, and actor context.
The integration also provides native Kibana dashboards, ECS-compatible enrichment, and support for Elastic Security detection rules, Indicator Match workflows, and threat hunting investigations.
Release Notes
Here is the link for the latest changelog.
Compatibility Matrix
- Browser: Google Chrome, Mozilla Firefox
- OS: Platform independent.
- Elastic Version: ^8.17.0
Capability to Ingest GreyNoise Feed Data into an Elasticsearch Index
This integration enables ingestion of GreyNoise feed data directly into Elasticsearch indices for advanced searching, correlation, threat hunting, and long-term retention. The indexed documents contain complete GreyNoise enrichment and indicator information for each ingested IP indicator.
Installation
- In Kibana, go to Management > Integrations.
- In the "Search for integrations" search bar, type GreyNoise.
- Click the GreyNoise integration from the search results.
- Click the Add GreyNoise button to add the integration.
- While adding the integration, provide the following details to collect logs via REST API:
  - API Key: The GreyNoise API key used to authenticate API requests.
  - Interval: The duration between consecutive requests to the GreyNoise API. Due to API limitations, this value must be greater than 1 hour. Supported time units: h. Default: 24h
  - Query (Optional): A query used to filter the results returned by the API. Do not include the last_seen field in the query, as it is automatically set to a fixed value of 1d. Default: classification:malicious
  - Page Size: The number of results returned per page when paginating through query results. The maximum supported value is 5000. Default: 5000
  - HTTP Client Timeout: The duration before the HTTP client considers a connection attempt timed out. Supported time units: ns, us, ms, s, m, h. Default: 5m
- If required, configure any additional Elastic Agent settings such as Proxy settings, SSL/TLS configuration, Preserve Original Event, Tags, and Processors according to your environment and deployment requirements.
- Click Save and Continue to save the integration.
The GreyNoise integration is now successfully installed and collecting IOC data from GreyNoise.
View GreyNoise IOC Data
To view the collected IOC data, navigate to Discover and create a data view using the logs-ti_greynoise.ip* index pattern:
- Click the Data view drop-down in the Discover page.
- Click on Create a data view.
- Enter a name for the data view, for example, GreyNoise IOCs.
- In the Index pattern field, enter logs-ti_greynoise.ip*.
- Select @timestamp as the Timestamp field.
- Click on Save.

GreyNoise data may contain multiple records for the same IOC over time. To view only the most recent IOC entries, create a data view using the logs-ti_greynoise_latest.ip* pattern:
- Click the Data view drop-down in the Discover page.
- Click on Create a data view.
- Enter a name for the data view, for example, GreyNoise Latest IOCs.
- In the Index pattern field, enter logs-ti_greynoise_latest.ip*.
- Select @timestamp as the Timestamp field.
- Click on Save.

Support for Elastic Security - Threat Intelligence
GreyNoise Integration for Elasticsearch provides integration with Elastic Security Threat Intelligence workflows. GreyNoise indicator data can be leveraged within Elastic Security for threat enrichment, Indicator Match rules, Timeline investigations, and custom detection pipelines.
Enrichment with detection rules
Detection Rules match your Elastic environment data with GreyNoise data and generate an alert when a match is found.
Steps to create a detection rule
- Navigate to Security > Rules > Detection Rules and click Create New Rule.
- Select Indicator Match as the rule type and make the following changes.
- In the Define Rule section:
  - Index Pattern: Add the index pattern relevant to the data you want to monitor. For best results, use perimeter or network traffic data, such as firewall, IDS/IPS, VPN, proxy, or network flow logs (for example, logs-panw.*, logs-cisco_asa.*, or logs-suricata.*). Keep the pattern as specific as possible for better performance.
  - Custom Query: Must include NOT event.module : "ti_greynoise" to exclude GreyNoise events. Optionally, further refine the query to focus on specific types of traffic. For example:
    - Inbound network traffic only: NOT event.module : "ti_greynoise" AND network.direction : "inbound"
    - Successful inbound connections only: NOT event.module : "ti_greynoise" AND network.direction : "inbound" AND event.outcome : "success"
    - Firewall allow events only: NOT event.module : "ti_greynoise" AND event.category : "network" AND event.type : "allowed"
  - Indicator index patterns: Use logs-ti_greynoise_latest.ip*.
  - Indicator index query: Refine the indicator index with something like @timestamp >= "now-7d/d".
  - Indicator Mapping:
    - Field: Map to the field in your Elastic environment containing IPs.
    - Indicator Index Field: threat.indicator.ip
  - Required fields (Optional): Add threat.indicator.ip.
  - Related integrations (Optional): Add GreyNoise.
- In the About Rule section:
  - Name: e.g., GreyNoise Custom IP IOC Correlation.
  - Description: e.g., This rule is triggered when IP Address IOCs collected from the GreyNoise Integration have a match against IP Addresses that were found in the customer environment.
  - Default Severity: e.g., critical.
  - Tags: Add GreyNoise (used by the rule transforms to filter the alerts generated by this rule).
  - Max alerts per run: Default is 100; configurable up to 1000.
  - Indicator prefix override: Set to greynoise.ip to enrich alerts with GreyNoise data.
- In the Schedule Rules section:
  - Runs Every: Defines how frequently the rule runs.
  - Additional Lookback Time: Specifies how far back to check for matches.
- Once the rule is saved and enabled, alerts will appear in the Security > Alerts section when matches are detected.
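The Indicator Match rule assembled by the steps above, expressed as the body that Kibana's Detection Engine API (POST /api/detection_engine/rules, rule type threat_match) accepts, so the same rule can be created from a script rather than clicked together. This is an added example, not code from the GreyNoise integration; the risk score, the source index pattern and the mapped IP field are assumptions, and the guard on the custom query enforces the mandatory exclusion clause from the Define Rule step.

```python
import json
import re

# The Define Rule step requires this clause; without it the rule would match the
# GreyNoise indicator documents against themselves and raise self-referential alerts.
GREYNOISE_EXCLUSION = 'NOT event.module : "ti_greynoise"'


def query_excludes_greynoise(query):
    """True if a hand-written custom query carries the mandatory exclusion."""
    return re.search(r'NOT\s+event\.module\s*:\s*"ti_greynoise"', query) is not None


def build_custom_query(extra_filter=None):
    """Prepend the exclusion to an optional traffic filter such as network.direction : "inbound"."""
    return GREYNOISE_EXCLUSION if not extra_filter else f"{GREYNOISE_EXCLUSION} AND {extra_filter}"


def build_threat_match_rule(source_indices, ip_field, extra_filter=None, indicator_age="now-7d/d",
                            severity="critical", max_alerts=100, runs_every_min=60, lookback_min=5):
    """Return the Detection Engine rule body mirroring the Define / About / Schedule sections."""
    query = build_custom_query(extra_filter)
    if not query_excludes_greynoise(query):
        raise ValueError('custom query must include NOT event.module : "ti_greynoise"')
    if not 1 <= max_alerts <= 1000:  # UI limit: default 100, configurable up to 1000
        raise ValueError("max alerts per run must be between 1 and 1000")
    return {
        "type": "threat_match",
        "name": "GreyNoise Custom IP IOC Correlation",
        "description": "IP IOCs collected from the GreyNoise integration matched IPs seen in the environment.",
        "severity": severity,
        "risk_score": 99,  # assumed value; the Kibana UI derives it from the chosen severity
        "tags": ["GreyNoise"],  # the rule transform filters alerts on this tag
        "index": list(source_indices),  # Index Pattern, e.g. logs-panw.* (assumed source data)
        "query": query,
        "language": "kuery",
        "threat_index": ["logs-ti_greynoise_latest.ip*"],  # Indicator index patterns
        "threat_query": f'@timestamp >= "{indicator_age}"',  # Indicator index query
        "threat_language": "kuery",
        "threat_mapping": [{"entries": [  # Indicator Mapping: source field -> indicator field
            {"field": ip_field, "type": "mapping", "value": "threat.indicator.ip"}]}],
        "threat_indicator_path": "greynoise.ip",  # Indicator prefix override
        "max_signals": max_alerts,  # Max alerts per run
        "interval": f"{runs_every_min}m",  # Runs Every
        "from": f"now-{runs_every_min + lookback_min}m",  # Runs Every plus Additional Lookback Time
        "enabled": True,
    }


if __name__ == "__main__":
    print(json.dumps(build_threat_match_rule(["logs-panw.*"], "source.ip",
                                             'network.direction : "inbound"'), indent=2))
```

Send the printed JSON to the Detection Engine API with the kbn-xsrf header set; the description and name here are the examples given in the About Rule step.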

The following transform and its associated pipelines are used to filter relevant data from alerts. Follow the Steps to enable rule transforms section below to enable these transforms and populate the Threat Intelligence dashboard.
| Transform Name | Description |
|---|---|
| Detected IOC Transform (ID: logs-ti_greynoise.rule, Pipeline: ti_greynoise-correlation_detection_rule-pipeline) | Filters and extracts the necessary information from Detected IOCs. |
Steps to enable rule transforms
- Navigate to Stack Management > Transforms in Kibana.
- Locate the transform you want to enable by searching for its Transform ID.
- Click the three dots next to the transform, then select Edit.
- Under the Destination configuration section, set the Ingest Pipeline:
  - The rule transform in the GreyNoise integration has a corresponding ingest pipeline.
  - Refer to the Transforms table above for the appropriate pipeline name associated with the transform.
  - Prefix the pipeline name with the integration version. For example: {package_version}-ti_greynoise-correlation_detection_rule-pipeline
  - Click Update to save the changes.
- Click the three dots again next to the transform and select Start to activate it.
For Upgrades
Follow the steps described in the provided guide to upgrade the Elastic integration.
Note:
- Updating the integration will stop the rule transform.
- After the integration upgrade is completed, reconfigure the rule transform by adding the pipeline for the updated integration version, as described in the Steps to enable rule transforms section above.
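The transform reconfiguration from the Steps to enable rule transforms section and the post-upgrade note above, done through the Elasticsearch transform API instead of the Kibana UI, so it can be repeated after every integration upgrade. This is an added example, not code from the GreyNoise integration; it assumes a reachable Elasticsearch with an API key, uses the transform ID and pipeline name from the Transforms table above, and the version format check is this example's own safeguard.

```python
import json
import re
import urllib.request

TRANSFORM_ID = "logs-ti_greynoise.rule"  # from the Transforms table above
PIPELINE = "ti_greynoise-correlation_detection_rule-pipeline"


def versioned_pipeline(package_version):
    """Prefix the pipeline with the installed integration version, as the steps require.
    The format is checked (assumed x.y.z) because a wrong prefix points the transform at a
    pipeline that does not exist, which only shows up later as an empty Threat Intelligence dashboard."""
    if not re.fullmatch(r"\d+\.\d+\.\d+", package_version):
        raise ValueError(f"unexpected integration version: {package_version!r}")
    return f"{package_version}-{PIPELINE}"


def update_body(dest_index, package_version):
    """Body for POST _transform/<id>/_update: keep the destination index, swap only the pipeline."""
    return {"dest": {"index": dest_index, "pipeline": versioned_pipeline(package_version)}}


def _es(es_url, api_key, method, path, body=None):
    """Minimal Elasticsearch REST call with API-key authentication."""
    req = urllib.request.Request(
        es_url.rstrip("/") + path, method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"ApiKey {api_key}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def reconfigure_rule_transform(es_url, api_key, package_version):
    """Stop the transform if it is running, point it at the versioned pipeline, then start it."""
    current = _es(es_url, api_key, "GET", f"/_transform/{TRANSFORM_ID}")["transforms"][0]
    stats = _es(es_url, api_key, "GET", f"/_transform/{TRANSFORM_ID}/_stats")["transforms"][0]
    if stats["state"] != "stopped":  # an integration upgrade normally leaves it stopped already
        _es(es_url, api_key, "POST", f"/_transform/{TRANSFORM_ID}/_stop?wait_for_completion=true")
    _es(es_url, api_key, "POST", f"/_transform/{TRANSFORM_ID}/_update",
        update_body(current["dest"]["index"], package_version))
    return _es(es_url, api_key, "POST", f"/_transform/{TRANSFORM_ID}/_start")


if __name__ == "__main__":
    import os, sys  # usage: ES_URL=... ES_API_KEY=... python reconfigure.py <package_version>
    print(reconfigure_rule_transform(os.environ["ES_URL"], os.environ["ES_API_KEY"], sys.argv[1]))
```

After the start call, confirm on the transform's Stack Management page that the Ingest Pipeline column shows the new versioned name before checking the Threat Intelligence dashboard.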
Dashboards
The GreyNoise integration includes the following dashboards:
- Threat Feed Overview:
  - This dashboard provides an overview of Threat Feed IOCs collected via GreyNoise, focusing on IOC distribution and threat analysis.
  - This dashboard provides a comprehensive view of IP indicators collected using GreyNoise data. It delivers insights into event distribution, threat analysis, and categorized breakdowns by classification.
  - Key metrics include unique IP IOCs. IOCs are further analyzed by classification types, country, business service category, and actors to identify patterns.
  - A saved search provides essential IP details.
- Threat Intelligence:
  - This dashboard provides a comprehensive view of threat intelligence events detected using GreyNoise data. It delivers insights into event distribution, threat analysis, and categorized breakdowns by classification.
  - Key metrics include the total number of detected events and the number of unique IPs detected. Detected events are further analyzed by classification types, country, tags, business service category, and actors to identify patterns.

