Microsoft Sentinel Overview

Overview

Every internet-facing environment is constantly under attack from automated scanners, vulnerability probes, botnet traffic, and mass-exploit tools. These generate thousands of alerts in Microsoft Sentinel that are not real threats - they are noise that an analyst has to dig through every day. Without a way to identify and remove this noise, SOC analysts spend the majority of their time on activity that requires no action, while genuinely targeted threats get buried.

The GreyNoise integration for Microsoft Sentinel ingests GreyNoise's real-time IP intelligence directly into the ThreatIntelIndicators table, making it available to all Sentinel analytics rules, hunting queries, and automation playbooks without any context switching or external lookups.

Key Capabilities

  • Native Threat Intelligence Feed: GreyNoise IP indicators are ingested on a defined schedule into Sentinel's ThreatIntelIndicators table via an Azure Function App, with no manual import and no context switching.
  • Pre-Built Analytics Rules: Purpose-built KQL detection rules that match active log sources against GreyNoise indicators, covering inbound threats, authentication abuse, and outbound compromise signals.
  • Workbooks: The GreyNoise Intelligence Threat Indicators workbook provides two dedicated views - indicator ingestion monitoring and threat indicator search - for continuous visibility.
  • STIX-Format Indicators: Indicators are ingested as standard STIX-format Network IP objects, making them compatible with all Sentinel analytics, hunting queries, and automation playbooks out of the box.
  • Classification-Aware Filtering: The connector supports filtering by classification type - malicious, suspicious, unknown, and/or benign - allowing teams to tune the feed for their specific detection needs.
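An added example, not taken from the GreyNoise integration's own rule set, of the authentication-abuse style of analytics rule described above: it joins Entra ID SigninLogs against active GreyNoise IPv4 indicators in ThreatIntelIndicators, restricted to the malicious and suspicious classifications. It assumes the connector's SourceSystem value contains "GreyNoise" and that the classification is carried in the STIX labels list (surfaced as Data.labels); adjust both to how your deployment stores them.

```kusto
// Active GreyNoise IPv4 indicators, keeping only the latest revision of each one.
let lookback = 14d;
let gn_ips = ThreatIntelIndicators
    | where TimeGenerated > ago(lookback)
    | where ObservableKey == "ipv4-addr:value"          // STIX Network IP observables only
    | where SourceSystem has "GreyNoise"                 // assumption: source name as stored by the connector
    | summarize arg_max(TimeGenerated, *) by Id          // indicators are versioned; take the newest row
    | where IsActive == true and ValidUntil > now()      // drop expired or retracted indicators
    // Assumption: GreyNoise classification is the first entry in the STIX labels list.
    | extend Classification = tostring(Data.labels[0])
    | where Classification in ("malicious", "suspicious")
    | project IndicatorIP = ObservableValue, Classification, Confidence, Tags, ValidUntil;
// Sign-in activity from those IPs; repeated failures indicate credential stuffing or spraying.
SigninLogs
| where TimeGenerated > ago(1d)
| where isnotempty(IPAddress)
| join kind=inner gn_ips on $left.IPAddress == $right.IndicatorIP
| summarize
    Attempts  = count(),
    Failures  = countif(ResultType != "0"),             // ResultType "0" is a successful sign-in
    Successes = countif(ResultType == "0"),
    Accounts  = make_set(UserPrincipalName, 25),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
    by IPAddress, Classification, Confidence, IndicatorTags = tostring(Tags)
| where Failures > 0
| order by Successes desc, Failures desc
```

Rows with Successes > 0 are the ones to triage first, since a known scanning IP that authenticated successfully is a likely account compromise rather than noise.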

Benefits for the SOC Team

Without GreyNoise                                    | With GreyNoise
Analysts review every single inbound alert           | Known safe services and scanners are auto-suppressed
No context on who is hitting the perimeter           | Every IP is enriched with classification, tags, actor, and CVE data
Manual IP research takes 30-45 minutes per shift     | Zero manual research - verdicts delivered automatically
