Event Feeds

Getting Started with Feeds

Overview

The Feeds feature gives GreyNoise customers with an Advanced or Elite platform license near-real-time visibility into attacker activity across the internet. With Feeds, you subscribe to curated event streams that notify you when something important happens, such as an IP being reclassified or a CVE showing new exploitation activity.

Feeds are available directly in the GreyNoise Visualizer.

Who Can Access Feeds

  • Available to: Advanced and Elite platform customers
  • Available in: GreyNoise Visualizer

How to Get Started

Access the Feeds Menu

  • Log in to the GreyNoise Visualizer.
  • In the account menu drop-down, click on Feeds.

Create a new Feed

  • Click the “Create Feed” button.

  • In the feed creation menu:

    • Give the feed a name to help describe the functionality.
    • Select the Event Type for this Feed.
    • Use the "From" selections to determine the state change that will trigger a feed event to be sent.
    • Optional: Select or enter any additional configuration options to filter the event list, such as IP ranges or CVE numbers.
    • Enter the URL to the destination Webhook to receive the feed events.
    • Optional: Configure necessary header information to be included when events are sent to the webhook.
    • Optional: Use the Send Test Event functionality to test the connection to your destination system.
    • Click “Save” when done.
  • Once the feed is saved, events are delivered in near real time, usually within 5 minutes of detection.
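The receiving end of the procedure above is a webhook that GreyNoise will POST each event to. The following is an added example of such a receiver, not GreyNoise's own code: it enforces the header you configured in the "header information" step (here assumed to be a shared-secret header named X-Feed-Token; the name and value are placeholders you choose), rejects anything that does not present it, and only then parses the JSON body. It assumes the test event and real events carry the same top-level fields as the documented examples (event_type, old_state, new_state, timestamp).

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed: the header name/value you typed into the feed's header configuration.
# GreyNoise sends exactly what you configure, so the receiver must hold the same value.
AUTH_HEADER = "X-Feed-Token"                              # hypothetical header name
EXPECTED_TOKEN = "replace-with-a-long-random-secret"       # placeholder secret

# Fields present in every documented example event; the Send Test Event payload
# is assumed to use the same shape.
REQUIRED_FIELDS = ("event_type", "old_state", "new_state", "timestamp")


def authenticate_and_parse(headers, raw_body):
    """Return (http_status, event_dict_or_None).

    headers  -- mapping of header name -> value (matched case-insensitively)
    raw_body -- bytes read from the POST body
    """
    presented = next((v for k, v in headers.items() if k.lower() == AUTH_HEADER.lower()), "")
    # Constant-time comparison: a plain == would let response timing leak the secret byte by byte.
    if not hmac.compare_digest(presented.encode(), EXPECTED_TOKEN.encode()):
        return 401, None
    try:
        event = json.loads(raw_body)
    except ValueError:                      # covers malformed JSON and bad UTF-8
        return 400, None
    if not isinstance(event, dict) or any(f not in event for f in REQUIRED_FIELDS):
        return 400, None
    return 200, event


class FeedHandler(BaseHTTPRequestHandler):
    """Minimal HTTP endpoint: authenticate, parse, acknowledge."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        status, event = authenticate_and_parse(self.headers, body)
        if event is not None:
            # Hand-off point: queue the event for your SOAR/ticketing pipeline here.
            print(f"accepted {event['event_type']} at {event['timestamp']}")
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    # Bind locally; put a TLS-terminating reverse proxy in front for real use.
    HTTPServer(("127.0.0.1", 8080), FeedHandler).serve_forever()
```

Answering with 401 before touching the body means unauthenticated senders cannot exercise the JSON parser at all; the 400 path then catches a misconfigured or truncated payload without raising an exception inside the handler.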

Next Steps

  • Explore the Feed Reference to understand available feeds.
  • Check out Use Cases to see how to operationalize Feeds in your workflows.

Feed Reference

Current Feed Event Types

At launch, three feeds are available. More topics will be added in future updates.

IP Classification Changes

  • What it means: GreyNoise updates an IP’s classification (e.g., Unknown → Malicious).
  • Why it matters: Helps you reprioritize alerts or block newly confirmed threats.
  • Example event:
{
  "ip": "47.239.198.223",
  "event_type": "IP Classification Change",
  "old_state": {
    "classification": "unknown"
  },
  "new_state": {
    "classification": "malicious"
  },
  "timestamp": "2025-04-30T08:10:00Z"
}

CVE Status Changes

  • What it means: GreyNoise changes how it reports a CVE (e.g., Observed → Active Exploitation).
  • Why it matters: Lets you know when in-the-wild exploitation of a CVE begins or stops.
  • Example event:
{
  "event_type": "cve-status-change",
  "cve": "CVE-2024-58136",
  "old_state": {
    "activity_seen": false,
    "benign_ip_count_10d": 0,
    "benign_ip_count_1d": 0,
    "benign_ip_count_30d": 0,
    "threat_ip_count_10d": 0,
    "threat_ip_count_1d": 0,
    "threat_ip_count_30d": 0
  },
  "new_state": {
    "activity_seen": true,
    "benign_ip_count_10d": 0,
    "benign_ip_count_1d": 0,
    "benign_ip_count_30d": 0,
    "threat_ip_count_10d": 1,
    "threat_ip_count_1d": 1,
    "threat_ip_count_30d": 1
  },
  "timestamp": "2025-09-29T13:20:23.022353819Z",
  "metadata": {}
}

CVE Activity Spike

  • What it means: GreyNoise sends an event when activity on a CVE exceeds a surge threshold you define.
  • Why it matters: Not all CVE exploitation attempts are equally important. A single scanner or researcher probing the internet can create unnecessary noise, leading to alert fatigue. The CVE Activity Spike feed reduces this noise by alerting only when exploitation reaches a user-defined threshold, so you decide what level of activity represents a meaningful surge worth your attention.
  • Example event:
{
  "event_type": "cve-activity-spike",
  "cve": "CVE-2020-15505",
  "old_state": {
    "activity_seen": true,
    "benign_ip_count_10d": 0,
    "benign_ip_count_1d": 0,
    "benign_ip_count_30d": 0,
    "threat_ip_count_10d": 25,
    "threat_ip_count_1d": 6,
    "threat_ip_count_30d": 47
  },
  "new_state": {
    "activity_seen": true,
    "benign_ip_count_10d": 0,
    "benign_ip_count_1d": 0,
    "benign_ip_count_30d": 0,
    "threat_ip_count_10d": 29,
    "threat_ip_count_1d": 10,
    "threat_ip_count_30d": 51
  },
  "timestamp": "2025-09-29T17:30:27.161824826Z",
  "metadata": {}
}

Planned Future Topics

  • New IPs observed for a tag
  • New IPs added to RIOT
  • New tag creation
  • Sensor-based session events

If there are any feed topics you would like to create, please reach out to [email protected].


Use Cases for Feeds

Automated IP Blocking

  • SOAR Workflows: Trigger automated playbooks when IPs shift to malicious.
  • Firewall/WAF Rules: Dynamically update blocklists to minimize attacker dwell time.

Automated Vulnerability Response

  • SOAR Workflows: Prioritize patching vulnerabilities that are actively exploited.
  • Ticket Creation: Open tickets automatically when active CVE exploitation is detected.

Example Scenarios

  • A CVE shifts from “no activity” → “active exploitation”; a ticket is generated for the Vulnerability Management team.
  • An IP moves from Unknown → Malicious; the IP is added to your firewall blocklist.
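The Feed Reference documents three event shapes, and the Use Cases above describe what to do with each. The following added example (not GreyNoise's code) ties them together: it takes a decoded event, recognises the event type, and applies it to an in-memory blocklist or ticket queue standing in for your firewall API and ticketing system. The sample events are constructed from the documented examples; the blocklist and ticket structures, the is_global sanity check, and the action labels are this example's own choices.

```python
from ipaddress import ip_address

# Constructed sample events mirroring the three documented event shapes.
SAMPLE_EVENTS = [
    {"ip": "47.239.198.223", "event_type": "IP Classification Change",
     "old_state": {"classification": "unknown"},
     "new_state": {"classification": "malicious"},
     "timestamp": "2025-04-30T08:10:00Z"},
    {"event_type": "cve-status-change", "cve": "CVE-2024-58136",
     "old_state": {"activity_seen": False, "threat_ip_count_1d": 0},
     "new_state": {"activity_seen": True, "threat_ip_count_1d": 1},
     "timestamp": "2025-09-29T13:20:23.022353819Z", "metadata": {}},
    {"event_type": "cve-activity-spike", "cve": "CVE-2020-15505",
     "old_state": {"activity_seen": True, "threat_ip_count_1d": 6, "threat_ip_count_10d": 25},
     "new_state": {"activity_seen": True, "threat_ip_count_1d": 10, "threat_ip_count_10d": 29},
     "timestamp": "2025-09-29T17:30:27.161824826Z", "metadata": {}},
]


def _public_ip(value):
    """Return the normalised IP string, or None if it is not a routable public address."""
    try:
        addr = ip_address(value)
    except ValueError:
        return None
    # Defensive check: never push RFC 1918, loopback or link-local space into a perimeter blocklist,
    # whatever the upstream feed says.
    if not addr.is_global:
        return None
    return str(addr)


def route_event(event, blocklist, tickets):
    """Apply one feed event to a blocklist (set of IP strings) and a ticket queue (list of dicts).

    Returns a short label for the action taken so callers can log or audit it.
    """
    kind = event.get("event_type")
    old, new = event.get("old_state", {}), event.get("new_state", {})
    when = event.get("timestamp")

    if kind == "IP Classification Change":
        ip = _public_ip(event.get("ip", ""))
        if ip is None:
            return "ignore"
        if new.get("classification") == "malicious":
            blocklist.add(ip)
            return "block"
        if old.get("classification") == "malicious":
            blocklist.discard(ip)          # reclassified away from malicious: lift the block
            return "unblock"
        return "ignore"

    if kind == "cve-status-change":
        started = (not old.get("activity_seen")) and bool(new.get("activity_seen"))
        stopped = bool(old.get("activity_seen")) and not new.get("activity_seen")
        if started or stopped:
            label = "exploitation_started" if started else "exploitation_stopped"
            tickets.append({"cve": event.get("cve"), "summary": label, "timestamp": when})
            return label
        return "ignore"

    if kind == "cve-activity-spike":
        # The threshold was applied upstream in the feed config; record how far the 1-day count moved.
        delta = new.get("threat_ip_count_1d", 0) - old.get("threat_ip_count_1d", 0)
        tickets.append({"cve": event.get("cve"),
                        "summary": f"spike: threat IPs in last 1d changed by {delta:+d}",
                        "timestamp": when})
        return "spike"

    return "ignore"   # unknown event type (future topics): log and drop rather than act


def replay(events):
    """Run a batch of events through the router; returns (actions, blocklist, tickets)."""
    blocklist, tickets = set(), []
    actions = [route_event(e, blocklist, tickets) for e in events]
    return actions, blocklist, tickets


if __name__ == "__main__":
    actions, blocklist, tickets = replay(SAMPLE_EVENTS)
    print(actions, sorted(blocklist), tickets, sep="\n")
```

Two details matter operationally: the IP event type uses a spaced, capitalised name while the CVE types are kebab-case, so match the strings exactly as documented; and a classification change away from malicious should remove the block, otherwise the blocklist only ever grows.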