Identify Compromised Devices
Use Case: Identify Compromised Devices
GreyNoise’s internet background noise dataset can help uncover potentially compromised devices. As a byproduct of capturing internet noise, GreyNoise sees activity from over 100,000 compromised devices every day. Defenders can use this insight to check whether IPs they care about are engaging in unapproved internet scanning or attack behavior. The GreyNoise Alerts feature notifies analysts when an IP they care about shows up in our data. This feature can also assist third-party risk programs by giving a perspective on networks that are otherwise out of reach.
Scenario 1: GreyNoise Alert for Corporate CIDR Blocks
Alerts are configured within the GreyNoise Visualizer alerts interface to notify if a corporate IP is seen scanning the internet. Alerts from GreyNoise can be ingested into an appropriate platform so that an incident investigation can be started.
Scenario 2: Daily GreyNoise Alert for Org and ASN
Query GreyNoise through a SIEM or SOAR integration to identify scanning activity by ASN or Organization of interest. If results are returned from the query, each instance triggers an investigation for further review.
Scenario 3: SOAR On-Poll Usage
Within most SOAR tools, there exists the ability to run a set task at a specific time each day. This can be used to run a GNQL search with the alert criteria desired, such as ip:188.8.131.52/24 last_seen:1d, and create an alert within the SOAR tool for each IP address returned. This allows analysts to identify and triage any potentially compromised devices directly in the SOAR tool.
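The following is an added example, not GreyNoise's own code or SDK, showing how the scheduled checks in Scenarios 2 and 3 can be implemented: a GNQL query is built from the watch criteria (a corporate CIDR block, an ASN, or an organization name, restricted to recent activity), and each IP in the response becomes one alert record for a SOAR queue. The endpoint URL, the "key" header, the "query"/"size" parameters and the shape of the response ("data" list with "ip", "classification", "last_seen", "tags" and "metadata") are assumptions about the GreyNoise v2 GNQL API; the response below is a constructed sample, not real GreyNoise output, so the example runs offline. The example goes slightly beyond the page by deduplicating repeated IPs, keeping the most severe classification, and dropping any record that falls outside the watched block.

```python
"""Added example (not GreyNoise code): turn a daily GNQL search into SOAR alert records."""
import ipaddress
import json
import urllib.parse
import urllib.request

# Assumption: GreyNoise v2 GNQL endpoint; the API key is passed in the "key" header.
GNQL_URL = "https://api.greynoise.io/v2/experimental/gnql"

# Ordering and triage priority per GreyNoise classification (unknown classes are treated as medium).
SEVERITY = {"malicious": 0, "unknown": 1, "benign": 2}
PRIORITY = {"malicious": "high", "unknown": "medium", "benign": "low"}


def build_gnql_query(cidr=None, asn=None, organization=None, last_seen_days=1):
    """Compose the GNQL alert criteria: a corporate CIDR (Scenario 3) and/or an ASN or
    organization (Scenario 2), always limited to IPs seen in the last N days."""
    terms = []
    if cidr:
        ipaddress.ip_network(cidr, strict=False)  # validate before it reaches the query string
        terms.append(f"ip:{cidr}")
    if asn:
        terms.append(f"metadata.asn:{asn}")
    if organization:
        terms.append(f'metadata.organization:"{organization}"')
    if not terms:
        raise ValueError("at least one of cidr, asn or organization is required")
    terms.append(f"last_seen:{last_seen_days}d")
    return " ".join(terms)


def fetch_gnql(query, api_key, size=100):
    """Live call to the GNQL endpoint (assumed request/response format); not used offline."""
    params = urllib.parse.urlencode({"query": query, "size": size})
    req = urllib.request.Request(
        f"{GNQL_URL}?{params}", headers={"key": api_key, "Accept": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def results_to_alerts(response, watched_cidr=None):
    """One alert per IP returned by GNQL: duplicates collapse to the most severe
    classification, records outside the watched CIDR are ignored, malicious first."""
    net = ipaddress.ip_network(watched_cidr, strict=False) if watched_cidr else None
    best = {}
    for rec in response.get("data", []):
        ip = rec.get("ip")
        if not ip:
            continue
        if net is not None and ipaddress.ip_address(ip) not in net:
            continue  # stray record not in the block we are watching
        cls = rec.get("classification", "unknown")
        if ip not in best or SEVERITY.get(cls, 1) < SEVERITY.get(best[ip]["classification"], 1):
            meta = rec.get("metadata", {})
            best[ip] = {
                "ip": ip,
                "classification": cls,
                "priority": PRIORITY.get(cls, "medium"),
                "last_seen": rec.get("last_seen"),
                "tags": list(rec.get("tags", [])),
                "asn": meta.get("asn"),
                "organization": meta.get("organization"),
                "title": f"GreyNoise: {ip} observed scanning the internet ({cls})",
            }
    return sorted(best.values(), key=lambda a: (SEVERITY.get(a["classification"], 1), a["ip"]))


# Constructed sample response (documentation ASN and addresses); not real GreyNoise data.
SAMPLE_RESPONSE = {
    "count": 4,
    "data": [
        {"ip": "188.8.131.7", "classification": "unknown", "last_seen": "2024-01-02",
         "tags": ["Web Crawler"], "metadata": {"asn": "AS64496", "organization": "Example Corp"}},
        {"ip": "188.8.131.52", "classification": "unknown", "last_seen": "2024-01-01",
         "tags": [], "metadata": {"asn": "AS64496", "organization": "Example Corp"}},
        {"ip": "188.8.131.52", "classification": "malicious", "last_seen": "2024-01-02",
         "tags": ["SSH Bruteforcer"], "metadata": {"asn": "AS64496", "organization": "Example Corp"}},
        {"ip": "203.0.113.9", "classification": "malicious", "last_seen": "2024-01-02",
         "tags": ["Telnet Scanner"], "metadata": {"asn": "AS64497", "organization": "Other Org"}},
    ],
}


def daily_check(cidr, response=None, api_key=None):
    """The on-poll task: build the query, fetch results (or use a supplied response), emit alerts."""
    query = build_gnql_query(cidr=cidr, last_seen_days=1)
    if response is None:
        response = fetch_gnql(query, api_key)
    return query, results_to_alerts(response, watched_cidr=cidr)


if __name__ == "__main__":
    query, alerts = daily_check("188.8.131.52/24", response=SAMPLE_RESPONSE)
    print("GNQL:", query)
    for alert in alerts:
        print(json.dumps(alert))
```

In a real deployment the SOAR scheduler calls daily_check with the API key, and the playbook step that creates a case maps the "priority" and "title" fields onto its own alert schema; the offline run above shows that the two in-scope IPs become two alerts, the malicious one first, while the duplicate and the out-of-block record are dropped.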