Elasticsearch Use Case Guide 1
Reducing Alert Volume and Surfacing Targeted Threats
Overview
Every internet-facing organization is bombarded by automated scanners, bots, and opportunistic exploitation tools, generating thousands of firewall alerts per day that are not real threats. This leads to alert fatigue that overwhelms SOC analysts, causing them to ignore alerts and miss real targeted attacks that get buried in the noise.
The GreyNoise Solution
GreyNoise maintains a global sensor network that observes which IPs are conducting mass, indiscriminate internet scanning. Integrating GreyNoise threat indicators directly into Elastic Security makes it possible to identify and remove known mass-scanning traffic from your Elastic alerts automatically. The traffic that remains after filtering, traffic that is unknown to GreyNoise, carries a higher probability of being a genuine, targeted attack against your organization.
The core logic is simple:
"If an IP is hitting everyone on the internet, it is not targeting YOU. Filter it out."
Elastic Security Limitation
This use case is not currently supported by Elastic Security Indicator Match rules.
Indicator Match rules are designed to generate alerts only when a positive correlation exists between event data and a threat intelligence indicator. While Elastic supports both MATCHES and DOES NOT MATCH operators in threat mappings, every Indicator Match rule must contain at least one MATCHES condition.
As documented by Elastic:
Mapping entries that only use DOES NOT MATCH are not supported. At least one entry must have a MATCHES condition.
Because of this requirement, it is not possible to create an Indicator Match rule that exclusively detects events where an IP field from a source index does not match any threat.indicator.ip in the GreyNoise threat intelligence index.
For example, it is not possible to create a rule whose sole purpose is to detect events where:
source.ip DOES NOT MATCH threat.indicator.ip
As a result, Elastic Security cannot generate alerts for events whose IP addresses lack a corresponding GreyNoise indicator record.
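As an added example that is not part of this guide or of GreyNoise's or Elastic's own tooling, the filter described in the Overview, carried out in Python over constructed sample documents: ECS-style firewall events keyed on source.ip and indicator records keyed on threat.indicator.ip, partitioned into known mass-scanning traffic and the residual set that an Indicator Match rule cannot express. Field names follow the guide; the sample IPs and timestamps are made up.

```python
import ipaddress

# Constructed sample documents (not real GreyNoise data): ECS-style firewall
# events and threat-indicator records as they would sit in two Elastic indices.
FIREWALL_EVENTS = [
    {"@timestamp": "2024-05-01T10:00:00Z", "source": {"ip": "203.0.113.10"}, "destination": {"port": 22}},
    {"@timestamp": "2024-05-01T10:00:01Z", "source": {"ip": "203.0.113.10"}, "destination": {"port": 23}},
    {"@timestamp": "2024-05-01T10:00:02Z", "source": {"ip": "198.51.100.7"}, "destination": {"port": 443}},
    {"@timestamp": "2024-05-01T10:00:03Z", "source": {"ip": "2001:db8::1"}, "destination": {"port": 8443}},
    {"@timestamp": "2024-05-01T10:00:04Z", "source": {"ip": "not-an-ip"}, "destination": {"port": 80}},
]
GREYNOISE_INDICATORS = [
    {"threat": {"indicator": {"ip": "203.0.113.10", "type": "ipv4-addr"}}},
    {"threat": {"indicator": {"ip": "2001:DB8:0:0:0:0:0:1", "type": "ipv6-addr"}}},
]

def get_path(doc, path):
    """Read a dotted ECS field such as 'source.ip' from a nested document."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def normalize_ip(value):
    """Canonicalize an IP string so textual variants compare equal; None if invalid."""
    try:
        return str(ipaddress.ip_address(value))
    except (ValueError, TypeError):
        return None

def build_indicator_set(indicators, field="threat.indicator.ip"):
    """Collect the set of normalized indicator IPs from the threat index documents."""
    return {ip for ip in (normalize_ip(get_path(d, field)) for d in indicators) if ip}

def split_by_greynoise(events, indicators, field="source.ip"):
    """Partition events into (known mass-scanning, residual). Residual events are
    those whose IP has no indicator record, i.e. the DOES NOT MATCH case; events
    with an unparsable IP are kept as residual so nothing is silently dropped."""
    known_ips = build_indicator_set(indicators)
    known, residual = [], []
    for ev in events:
        ip = normalize_ip(get_path(ev, field))
        (known if ip in known_ips else residual).append(ev)
    return known, residual

def reduction_percent(events, indicators):
    """Share of events suppressed by the filter, the alert-volume reduction."""
    known, _ = split_by_greynoise(events, indicators)
    return round(100.0 * len(known) / len(events), 1) if events else 0.0

if __name__ == "__main__":
    known, residual = split_by_greynoise(FIREWALL_EVENTS, GREYNOISE_INDICATORS)
    print(f"suppressed {len(known)} events, {len(residual)} residual for triage")
```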
