Firewall Blocking with GreyNoise Trends

Dynamic IP Blocking with GreyNoise Trends

The GreyNoise Trends feature includes the ability to generate a dynamic list of IPs that can be used in the Dynamic Block List feature in many of today's firewall products.

The blocklist URL is tied to a specific GreyNoise tag, providing a dynamically updated list of IPs that have been observed scanning for the specific tag activity in the last 24 hours.

To obtain the blocklist URL for a tag, navigate to the GreyNoise Trends page for the tag you want to dynamically block.


GreyNoise Trends page for Tag SaltStack Crawler

In the Actions section on the right-hand column there are two different components:

  • Manual, which allows you to download a file containing the current list of IPs scanning in the last 24 hours
  • Automatic, which allows you to grab an URL that can be used for Dynamic Block Lists.

Actions Section of GreyNoise Trends

From the Automated section of the Actions box, click the Block at NG Firewall link. This will open the details on the automated blocking feature. At the bottom of the screen, select the Copy button to capture the URL to use for the Dynamic Block List.


Block at Next-Gen Firewall Slide Out

This URL can now be used to populate Dynamic Block Lists on most major firewalls. Here are some links to additional vendor-specific documentation that shows how to apply this URL to a blocklist.


Upcoming Change to Block List URLs

At the initial launch of this feature, the Block List URLs will not require authentication to use. Once this feature moves out of BETA, an authorization mechanism will be in place to use this feature and will require updates to existing usage of the URLs. We intend to make this transition as frictionless as possible and will notify users when the Trends feature is updated.

Palo Alto Networks
Cisco ASA
Fortinet Fortigate


Vendor Configuration Sample