Firewall Blocking with GreyNoise Trends

Dynamic IP Blocking with GreyNoise Trends

The GreyNoise Trends feature includes the ability to generate a dynamic list of IPs that can be used in the Dynamic Block List feature in many of today's firewall products.

The blocklist URL is tied to a specific GreyNoise tag, providing a dynamically updated list of IPs that have been observed scanning for the specific tag activity in the last 24 hours.

To obtain the blocklist URL for a tag, navigate to the GreyNoise Trends page for the tag you want to dynamically block.

On the right-hand column, expand the Block at firewall menu:

At the bottom of the screen, click the Create Blocklist button.

On the Create Blocklist slide-out menu, click the Create Blocklist button. Optionally, set the IP Limit to the maximum number of IPs to include in the list.

The Blocklist is now listed under the Automate --> Blocklists menu.

Once the Status changes from Provovisining to Enabled click the Copy Blocklist URL icon next to the Blocklist URL.

This URL can now be used to populate Dynamic Block Lists on most major firewalls. Here are some links to additional vendor-specific documentation that shows how to apply this URL to a blocklist.

Palo Alto Networks
Cisco ASA
Fortinet Fortigate
Sophos Firewall