Discover Emerging Threats
Use Case: Discover Emerging Threats
Listening to the internet allows GreyNoise to uncover unique behaviors and TTPs. We capture vulnerability lifecycles with our tags to show when scanners are looking for opportunities to exploit recently announced vulnerabilities. For example, when the F5 vulnerability was announced, our team quickly created tags to identify IPs scanning for targets to exploit. Teams can also dynamically research our data using GNQL, the GreyNoise query language.
Another common example: when a new CVE is released, the CVE can be queried each day to see the total number of IPs scanning for it, so a team can assess how critical the threat is to their organization and whether a "break-the-glass" protocol should be enacted.
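The daily check described above, as an added example (not GreyNoise's own tooling): it builds the GNQL query for a CVE, summarizes the GNQL stats response, and applies a simple escalation rule across consecutive days. The `/v2/experimental/gnql/stats` endpoint, the `key` header and the response fields used (`count`, `stats.classifications`) are assumptions about the API; the sample responses are constructed.

```python
import json
import urllib.parse
import urllib.request

# Assumed endpoint: GNQL stats, API key passed in the `key` header.
API = "https://api.greynoise.io/v2/experimental/gnql/stats"

def build_query(cve: str, days: int = 1, exclude_spoofable: bool = True) -> str:
    """GNQL for IPs seen scanning for `cve` within the last `days` days."""
    q = f"cve:{cve} last_seen:{days}d"
    if exclude_spoofable:
        q += " spoofable:false"  # ignore IPs whose source address could be forged
    return q

def fetch_stats(query: str, api_key: str) -> dict:
    """Live call to the stats endpoint; the offline demo below does not use it."""
    url = API + "?" + urllib.parse.urlencode({"query": query})
    req = urllib.request.Request(url, headers={"key": api_key, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def summarize(stats: dict) -> dict:
    """Total IP count plus how many GreyNoise classified as malicious (assumed field layout)."""
    by_class = {c["classification"]: c["count"]
                for c in stats.get("stats", {}).get("classifications", [])}
    return {"total": stats.get("count", 0), "malicious": by_class.get("malicious", 0)}

def assess(history: list, today: dict, floor: int = 50, growth: float = 2.0) -> str:
    """Escalation level for today's count versus the previous day.
    'break-glass' = at least `floor` IPs and at least `growth`x yesterday's total."""
    if today["total"] == 0:
        return "quiet"
    prev = history[-1]["total"] if history else 0
    if prev == 0:
        return "new"  # first day any IPs were seen scanning for this CVE
    if today["total"] >= floor and today["total"] >= growth * prev:
        return "break-glass"
    return "elevated" if today["total"] > prev else "steady"

# Constructed sample responses for three consecutive days (not real GreyNoise data).
SAMPLE_DAYS = [
    {"count": 0, "stats": {"classifications": []}},
    {"count": 12, "stats": {"classifications": [{"classification": "malicious", "count": 9},
                                               {"classification": "unknown", "count": 3}]}},
    {"count": 140, "stats": {"classifications": [{"classification": "malicious", "count": 131},
                                                {"classification": "unknown", "count": 9}]}},
]

def run_demo(days: list = SAMPLE_DAYS) -> list:
    """Replay the sample days and return the escalation level decided each day."""
    history, levels = [], []
    for raw in days:
        today = summarize(raw)
        levels.append(assess(history, today))
        history.append(today)
    return levels  # ['quiet', 'new', 'break-glass']
```

Replace `SAMPLE_DAYS` with the stored output of `fetch_stats(build_query("CVE-2021-12345"), api_key)` collected once per day to run it against live data.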
Scenario 1: Use GreyNoise Visualizer and CLI to Query the GreyNoise dataset
An analyst uses the GreyNoise Visualizer to monitor trends tracked within GreyNoise and can also run advanced queries in the Visualizer and CLI to aid in threat hunting or incident response.
![Screen Shot 2021-03-16 at 10.16.42 AM.png 1194](https://files.readme.io/4a342aa-Screen_Shot_2021-03-16_at_10.16.42_AM.png)
Querying the GreyNoise Visualizer daily for any new CVE tags/hits
![Screen Shot 2021-03-16 at 10.16.49 AM.png 1194](https://files.readme.io/2e10ef0-Screen_Shot_2021-03-16_at_10.16.49_AM.png)
Reviewing the GreyNoise trends page for anomalies and trends.
![Screen Shot 2021-03-19 at 2.02.36 PM.png 805](https://files.readme.io/8d67730-Screen_Shot_2021-03-19_at_2.02.36_PM.png)
Using the GreyNoise CLI to view GNQL Stats for CVEs detected in the last day
![Screen Shot 2021-03-19 at 2.03.05 PM.png 805](https://files.readme.io/52a125e-Screen_Shot_2021-03-19_at_2.03.05_PM.png)
Using the GreyNoise CLI to view GNQL IP Context Data for CVEs detected in the last day
![Screen Shot 2021-03-19 at 2.05.29 PM.png 805](https://files.readme.io/20b92b1-Screen_Shot_2021-03-19_at_2.05.29_PM.png)
Using the GreyNoise CLI to view GNQL IP Context Data for GN Tag: F5 BIG-IP TMUI RCEs detected in the last day
Scenario 2: Create a GreyNoise Alert to notify on CVE activity
In some cases, GreyNoise may add Tags and CVE profiles before scanning behavior is seen, or while it is still very minimal. Using GreyNoise Alerts, you can be notified via email when GreyNoise sees activity matching a CVE or Tag, and prioritize threat responses in your organization accordingly.
You can enable this by configuring an alert with a query similar to `cve:CVE-2021-12345 spoofable:false`.
![Screen Shot 2021-08-17 at 8.59.59 AM.png 1972](https://files.readme.io/861bf9f-Screen_Shot_2021-08-17_at_8.59.59_AM.png)
Creating a new alert in the GreyNoise Visualizer
This can also be done using tags, so that you are informed when scanning activity begins for a specific tag, such as `tags:"Exchange ProxyShell Vuln Attempt"`.
![Screen Shot 2021-08-17 at 9.00.08 AM.png 1972](https://files.readme.io/ac4d9c0-Screen_Shot_2021-08-17_at_9.00.08_AM.png)
Editing an alert in the GreyNoise Visualizer
![Screen Shot 2021-08-18 at 10.18.04 AM.png 1130](https://files.readme.io/ef9fe50-Screen_Shot_2021-08-18_at_10.18.04_AM.png)
Sample alert email notification received from GreyNoise