Identify Compromised Devices

Use Case: Identify Compromised Devices

GreyNoise’s internet background noise dataset can help uncover potentially compromised devices. As a byproduct of capturing internet noise, GreyNoise sees activity from over 100,000 compromised devices every day. Defenders can leverage this insight to see if IPs that they care about are engaging in unapproved internet scanning or attack behavior. The GreyNoise Alerts feature notifies analysts when an IP they care about shows up in our data. This feature can also assist third-party risk programs in getting a perspective on out-of-reach networks.

Scenario 1: GreyNoise Alert for Corporate CIDR Blocks

Alerts are configured within the GreyNoise Visualizer alerts interface to notify if a corporate IP is seen scanning the internet. Alerts from GreyNoise can be ingested into an appropriate platform so that an incident investigation can be started.

Alert creation interface.

Scenario 2: Daily GreyNoise Alert for Org and ASN

Query GreyNoise through a SIEM or SOAR integration to identify scanning activity by ASN or Organization of interest. If results are returned from the query, each instance triggers an investigation for further review.

An alert result for a monitored ASN.

Scenario 3: SOAR On-Poll Usage

Within most SOAR tools, there exists the ability to run a set task at a specific time each day. This can be used to run a GNQL search with the desired alert criteria, such as ip:16.25.23.0/24 last_seen:1d, and create an alert within the SOAR tool for each IP address returned. This allows analysts to identify and triage any potentially compromised devices directly in the SOAR tool.

Phantom includes an On Poll configuration setting for this functionality.
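The on-poll logic described in Scenarios 2 and 3 can be sketched as a small script: build the GNQL query from the monitored CIDR blocks, submit it, and turn each returned IP into one alert record while remembering which IPs have already been ticketed so the next poll does not reopen them. The code below is an added example, not GreyNoise's or Phantom's own code. It assumes the GNQL endpoint `https://api.greynoise.io/v2/experimental/gnql` with the API key passed in a `key` header and a JSON response carrying a `data` list of hits; check those details against the current GreyNoise API documentation. The query string follows the page's `ip:<cidr> last_seen:1d` form, and OR-ing several blocks together is an assumption about GNQL boolean syntax. The sample response and the second CIDR block are constructed so the logic can be exercised offline.

```python
"""Poll GreyNoise GNQL for scanning activity from corporate address space and
emit one alert record per newly seen IP (illustrative SOAR on-poll logic)."""
import ipaddress
import json
import urllib.parse
import urllib.request

# Assumed GNQL endpoint; verify against the current GreyNoise API documentation.
GNQL_URL = "https://api.greynoise.io/v2/experimental/gnql"

# Corporate blocks to watch: the /24 is the page's example, the second is constructed.
MONITORED_CIDRS = ["16.25.23.0/24", "198.51.100.0/24"]


def build_query(cidrs, window="1d"):
    """Build a GNQL query in the page's `ip:<cidr> last_seen:<window>` form.
    Several blocks are OR'ed together (assumed GNQL boolean syntax)."""
    clauses = [f"ip:{c}" for c in cidrs]
    scope = clauses[0] if len(clauses) == 1 else "(" + " OR ".join(clauses) + ")"
    return f"{scope} last_seen:{window}"


def fetch_gnql(query, api_key, size=100):
    """Run the query against the live API (assumed endpoint and header); not used offline."""
    url = f"{GNQL_URL}?{urllib.parse.urlencode({'query': query, 'size': size})}"
    req = urllib.request.Request(url, headers={"key": api_key, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def poll_once(response, cidrs, already_alerted):
    """Turn one GNQL response into alert records for IPs not alerted on before.

    `already_alerted` is the state carried between polls; it is updated in place
    so a device that keeps scanning does not generate a new ticket every day.
    """
    networks = [ipaddress.ip_network(c) for c in cidrs]
    alerts = []
    for hit in response.get("data", []):
        ip = hit.get("ip")
        if not ip or ip in already_alerted:
            continue
        # Defensive check: only alert on IPs that really fall inside a monitored block,
        # in case the query was broadened or the response contains unexpected hits.
        if not any(ipaddress.ip_address(ip) in net for net in networks):
            continue
        already_alerted.add(ip)
        alerts.append({
            "ip": ip,
            "classification": hit.get("classification", "unknown"),
            "last_seen": hit.get("last_seen"),
            "tags": hit.get("tags", []),
            "summary": f"{ip} seen scanning the internet by GreyNoise (last seen {hit.get('last_seen')})",
        })
    return alerts


# Constructed sample response shaped like a GNQL result; not real observations.
SAMPLE_RESPONSE = {
    "count": 4,
    "data": [
        {"ip": "16.25.23.77", "classification": "malicious", "last_seen": "2024-01-09", "tags": ["constructed-tag-a"]},
        {"ip": "16.25.23.77", "classification": "malicious", "last_seen": "2024-01-09", "tags": ["constructed-tag-a"]},
        {"ip": "203.0.113.5", "classification": "unknown", "last_seen": "2024-01-09", "tags": []},
        {"ip": "198.51.100.14", "classification": "unknown", "last_seen": "2024-01-09", "tags": ["constructed-tag-b"]},
    ],
}

if __name__ == "__main__":
    print("GNQL query:", build_query(MONITORED_CIDRS))
    state = set()
    for alert in poll_once(SAMPLE_RESPONSE, MONITORED_CIDRS, state):
        print(json.dumps(alert))
    # A second poll over the same data opens nothing new.
    print("new alerts on second poll:", len(poll_once(SAMPLE_RESPONSE, MONITORED_CIDRS, state)))
```

In a real deployment `fetch_gnql` replaces `SAMPLE_RESPONSE`, and `already_alerted` is persisted (a SOAR custom list or a small table) rather than kept in memory, so the daily job stays idempotent across runs.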