Overview

The GreyNoise Integration for Google SecOps SIEM Consists of:

An ingestion script to pull GreyNoise indicators into SecOps via a GreyNoise Feed
A set of predefined dashboards that enable security analysts to visualize and monitor GreyNoise Intelligence data within Google SecOps SIEM.
A set of predefined saved searches that enable security analysts to quickly query and analyze GreyNoise Intelligence data within Google SecOps SIEM.
A set of YARA-L detection rules for automated threat detection and alerting using GreyNoise Intelligence data within Google SecOps SIEM.

Features

Ingestion Script

The GreyNoise Intelligence ingestion script for Google SecOps can be found in the Chronicle ingestion_scripts GitHub repo:

Chronicle Ingestion Scripts GitHub Repo

The overall flow of the script:

Deploying the script to Cloud Function
Data collection using ingestion script from GreyNoise API
GreyNoise data ingested into Google SecOps SIEM
Collected data will be parsed through corresponding parsers in Google SecOps

Prerequisites

Google SecOps SIEM instance
GreyNoise Intelligence platform (API Key)
GCP Project with the below required permissions:
- GCP user and project service account should have below permissions. Follow these steps to assign these permissions to the service account used for accessing other GCP services within your project.
  - Cloud Scheduler Job Runner
  - Secret Manager Secret Access
  - Storage Admin
  - Chronicle API Editor
  - Role Viewer
  - Cloud Run Invoker
GCP Services
- Before using the below services, ensure the Google APIs are enabled in your GCP project
- Cloud Run Function (4-core CPU or higher is recommended)
- GCS bucket
- Secret Manager
- Cloud Scheduler

Automatic deployment of the required resources

This section explains the use of the provided bash script to automate the deployment of the GreyNoise Intelligence ingestion function and related resources within your GCP project.

Prerequisites For Script Execution :

Access to a GCP project with sufficient permissions to enable APIs, create service accounts, IAM bindings, GCS buckets, Cloud Functions, Cloud Scheduler jobs, and Secret Manager secrets.
The Cloud Function source code packaged as a ZIP file in this format, available on your local machine or accessible within the Cloud Shell environment.

Steps:

Open Google Cloud Shell:
- Navigate to the Google Cloud Console (https://console.cloud.google.com).
- Click the "Activate Cloud Shell" in the upper right corner of the console. A terminal window will open within your browser.
Create the Script File:
- Choose a name for the script, for example, greynoise_deploy.sh.
- Use a text editor like nano to create the file in your Cloud Shell home directory: nano greynoise_deploy.sh
Paste the Script Content:
- Copy the entire content of the bash script provided from GitHub repo.
- Paste the script content into the nano editor. In Cloud Shell, you can typically right-click and select "Paste" or use Ctrl+Shift+V.
Save and Exit:
- Press Ctrl+X to exit nano.
- When prompted to save, press Y.
- Press Enter to confirm the filename (greynoise_deploy.sh).
Upload Your Cloud Function ZIP (if not already in Cloud Shell):
- If your function ZIP file is on your local machine, you need to upload it to Cloud Shell.
- Click the three-dot menu in the Cloud Shell terminal window.
- Select "Upload" and choose your ZIP file. It will be uploaded to your Cloud Shell home directory. Note the filename.
Make the Script Executable:
- Grant execute permissions to the script file: chmod +x greynoise_deploy.sh
Run the Deployment Script:
- Execute the script: ./greynoise_deploy.sh
Follow the Prompts:
- The script will prompt you to enter various configuration details, such as:
  - GCP Project ID & Region
  - Local path to your Cloud Function ZIP file (e.g., /home/username/your-function.zip)
  - Chronicle Customer ID
  - Chronicle Region
  - GreyNoise API Key Value (this will be stored securely in Secret Manager)
  - Other optional environment variables.
- Provide the requested information at each prompt. Required fields must be filled. Optional fields can be left blank to use defaults where applicable. These values can be obtained by following these steps.
Monitor the Output:
- The script will display progress messages, indicating which steps are being performed (e.g., enabling APIs, creating resources, deploying the function).
- Error messages will be shown in red. If an error occurs, the script is designed to stop. Review the error message to troubleshoot.
Post-Deployment:
- Once the script completes successfully, verify the resources in the GCP Console:
  - Check Cloud Functions to see your deployed function.
  - Check Cloud Scheduler to see the scheduled job.
  - Check GCS for the bucket and upload ZIP.
  - Check the Secret Manager for the GreyNoise API Key secret.
  - Review Cloud Logging for any function execution logs or errors.

Saved Searches

GreyNoise provides a set of Saved Searches to be used as a starting point for incorporating the GreyNoise indicators into Google SecOps.

Reference Information

The Saved Searches can be found at the following GitHub Link:

GreyNoise SecOps SIEM - Saved Searches

Create & Execute a Saved Search

Follow these steps to create and run a saved search in Google SecOps SIEM:

From Google SecOps SIEM, navigate to Investigation > SIEM Search.
Go to Search Manager, click on the + icon.
Copy and paste the Search Query in UDM SEARCH, Title in Title, and Description in Description from the searches listed below.
Click on SAVE EDITS.
Click on LOAD SEARCH.
Select Time Range.
Click on Run Search to execute the search query.

Available Saved Searches

Search Name	File	Description
GreyNoise - IP Risk & Vulnerability Details	`GreyNoise - IP Risk & Vulnerability Details.yaral`	Comprehensive security view with classification, anonymization signals, CVEs, and activity timeline.
GreyNoise - Indicator Context Summary	`GreyNoise - Indicator Context Summary.yaral`	Actor attribution, geographic details, organization info, and tags for contextual analysis.
GreyNoise - High Risk Indicators	`GreyNoise - High Risk Indicators.yaral`	Quick filter for MALICIOUS or SUSPICIOUS indicators requiring immediate investigation.
GreyNoise - All Indicator Lookup	`GreyNoise - All Indicator Lookup.yaral`	Browse all ingested GreyNoise indicators for ad-hoc investigations.

Saved Search Details

GreyNoise - IP Risk & Vulnerability Details

Description: Comprehensive security view of GreyNoise indicators including classification, anonymization signals, associated CVEs, and activity timeline.

Use Case: Use this search to identify IP addresses with known vulnerabilities and assess their risk profile based on GreyNoise classification and anonymization characteristics (Bot, Tor, VPN, Spoofable).

Query: View Query

Output Fields:

Field	Description
`$ip`	IP address of the indicator
`$classification`	GreyNoise threat verdict (MALICIOUS, SUSPICIOUS, BENIGN, UNKNOWN)
`$category`	Network category of the IP
`$bot`	Whether the IP is identified as a bot
`$tor`	Whether the IP is a Tor exit node
`$vpn_Service`	VPN service name if applicable
`$spoofable`	Whether the IP source can be spoofed
`$first_seen_date`	Date when the IP was first observed
`$all_cves`	Associated CVE identifiers
`$last_seen`	Most recent observation timestamp

GreyNoise - Indicator Context Summary

Description: Provides actor attribution, geographic details, organization info, and tags for quick indicator triage and contextual analysis.

Use Case: Use this search for rapid triage of indicators by viewing actor information, geographic origin, organization ownership, and associated tags to understand the context behind observed activity.

Query: View Query

Output Fields:

Field	Description
`$ip`	IP address of the indicator
`$classification`	GreyNoise threat verdict
`$description`	Human-readable description of the indicator
`$summary`	Threat summary information
`$actor`	Internet scanner actor attribution
`$country`	Geographic country/region of the IP
`$organization`	Organization that owns the IP
`$category`	Network category
`$first_seen_date`	Date when the IP was first observed
`$last_seen`	Most recent observation timestamp
`$primary_tag`	Associated GreyNoise tags

GreyNoise - High Risk Indicators

Description: Lookup filter to quickly identify indicators classified as MALICIOUS or SUSPICIOUS that require immediate investigation.

Use Case: Use this search as a priority filter during incident response to focus on high-risk indicators that need immediate attention.

Query: View Query

Output Fields:

Field	Description
All entity fields	Returns all GreyNoise indicator data with MALICIOUS and SUSPICIOUS classification

GreyNoise - All Indicator Lookup

Description: Browse all ingested GreyNoise indicators with business service context. Use as a starting point for ad-hoc investigations.

Use Case: Use this search as a general-purpose lookup to browse all GreyNoise indicators in your environment and start ad-hoc investigations.

Query: View Query

Output Fields:

Field	Description
All entity fields	Returns all GreyNoise indicator data with business service context

Dashboards

GreyNoise provides a set of dashboards as a starting point for visualizing GreyNoise indicators within Google SecOps.

Reference Information

The Saved Searches can be found at the following GitHub Link:

GreyNoise SecOps SIEM - Dashboards

Import a Dashboard

Follow these steps to import a dashboard into Google SecOps SIEM:

Log in to your Google SecOps instance.
In the navigation bar, click Dashboards.
Click New dashboard and then select Import from JSON. The Import dashboard confirmation dialog appears.
Click the Upload dashboard files button. The Select file dialog appears. Select the dashboard JSON file. The selected dashboard file will appear in the table.
Click Import to continue importing the dashboard to a personal or shared dashboard.

Available Dashboards

Dashboard Name	File	Description
Indicator Dashboard	`GreyNoise Indicator Dashboard.json`	Detailed view of GreyNoise indicators including classification distribution, top actors, organizations, tags, geographic data, CVE associations, and trend analysis.
Correlation Dashboard	`GreyNoise Correlation Dashboard.json`	IOC matches between GreyNoise intelligence and events in your environment with geolocation mapping and investigation capabilities.

Detection Rules

GreyNoise provides a set of YARA-L detection rules for automated threat detection and alerting using GreyNoise Intelligence data within Google SecOps SIEM.

Reference Information

The Saved Searches can be found at the following GitHub Link:

GreyNoise SecOps SIEM - Detection Rules

Overview

After collecting GreyNoise data into Google SecOps as entities, these detection rules enable automated correlation between your security events and GreyNoise threat intelligence. Each rule is designed for different threat detection scenarios and generates alerts when malicious or suspicious activity is identified.

Create & Enable Detection Rule

Follow these steps to deploy a detection rule in Google SecOps SIEM:

From Google SecOps SIEM, navigate to Detection > Rules & Detections.
Go to the Rules Editor Tab, click on the NEW button.
Copy and paste the Rule in editor.
Click on SAVE NEW RULE.
Click on 3 dots on the top right of the editor.
To generate alerts, Enable Alerting.
Enable Live Rule to activate Detection Rule.

Available Detection Rules

Rule Name	File	Description
GreyNoise Intelligence IP Match	`greynoise_intelligence_ip_match.yaral`	Detects events where source or principal IP matches a malicious or suspicious IP in GreyNoise intelligence.
GreyNoise Intelligence Inbound Network Traffic with ASN Context	`greynoise_intelligence_inbound_network_traffic_with_asn_context.yaral`	Detects allowed inbound firewall connections from malicious IPs flagged by GreyNoise with correlated ASN context.
GreyNoise Intelligence Brute Force Attack Detection	`greynoise_intelligence_brute_force_attack_detection.yaral`	Detects multiple blocked login attempts from IPs flagged by GreyNoise threat intelligence.

greynoise_intelligence_brute_force_attack_detection.yaral

rule greynoise_intelligence_brute_force_attack_detection {

  meta:
    author = "GreyNoise Intelligence"
    rule_name = "GreyNoise Intelligence Brute Force Attack Detection"
    description = "Detects multiple blocked login attempts from IPs flagged by GreyNoise threat intelligence."
    severity = "High"
    priority = "High"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1110 - Brute Force"
    tags = "cloud security, threat intelligence"

  events:
    $login.metadata.event_type = "USER_LOGIN"
    $login.security_result.action = "BLOCK"
    (
        $login.src.ip = $correlation_ip or
        $login.principal.ip = $correlation_ip
    )

    // GreyNoise entity match
    $greynoise.graph.metadata.event_metadata.base_labels.log_types = "GREYNOISE"
    $greynoise.graph.metadata.product_name = "GreyNoise Intelligence"
    $greynoise.graph.metadata.entity_type = "IP_ADDRESS"
    $greynoise.graph.entity.ip = $correlation_ip

  match:
    $correlation_ip over 15m

  outcome:
    $principal_ip = array_distinct($login.principal.ip)
    $principal_hostname = array_distinct($login.principal.hostname)
    $principal_user_userid = array_distinct($login.principal.user.userid)
    $principal_mac = array_distinct($login.principal.mac)
    $principal_ip_count = count($login.principal.ip)

    $source_ip = array_distinct($login.src.ip)
    $source_hostname = array_distinct($login.src.hostname)
    $source_user_userid = array_distinct($login.src.user.userid)
    $source_mac = array_distinct($login.src.mac)
    $source_ip_count = count($login.src.ip)

    $target_ip = array_distinct($login.target.ip)
    $target_hostname = array_distinct($login.target.hostname)
    $target_user_userid = array_distinct($login.target.user.userid)
    $target_mac = array_distinct($login.target.mac)

  condition:
    $login and $greynoise and ($principal_ip_count>5 or $source_ip_count>5)
}

greynoise_intelligence_inbound_network_traffic_with_asn_context.yaral

rule greynoise_intelligence_inbound_network_traffic_with_asn_context {

  meta:
    author = "GreyNoise Intelligence"
    rule_name = "GreyNoise Intelligence Inbound Network Traffic with ASN Context"
    description = "Detects allowed inbound firewall connections from malicious IPs flagged by GreyNoise with correlated ASN context."
    severity = "High"
    priority = "Critical"
    mitre_attack_tactic = "Initial Access"
    tags = "cloud security, threat intelligence"

  events:
    $network.metadata.event_type = "NETWORK_CONNECTION"
    $network.security_result.action = "ALLOW"
    re.regex($network.metadata.product_name, `(?i).*firewall.*`)
    (
        $network.src.ip = $correlation_ip or
        $network.principal.ip = $correlation_ip
    )

    // GreyNoise entity match
    $greynoise.graph.metadata.event_metadata.base_labels.log_types = "GREYNOISE"
    $greynoise.graph.metadata.product_name = "GreyNoise Intelligence"
    $greynoise.graph.metadata.entity_type = "IP_ADDRESS"
    $greynoise.graph.metadata.threat.threat_verdict = "MALICIOUS"
    $greynoise.graph.entity.ip = $correlation_ip
    (
        re.capture($network.principal.ip_geo_artifact.network.asn, `(\d+)`) = re.capture($greynoise.graph.entity.ip_geo_artifact.network.asn, `(\d+)`)
        or
        re.capture($network.src.ip_geo_artifact.network.asn, `(\d+)`) = re.capture($greynoise.graph.entity.ip_geo_artifact.network.asn, `(\d+)`)
    )

  match:
    $correlation_ip over 1h

  outcome:
    $principal_ip = array_distinct($network.principal.ip)
    $principal_hostname = array_distinct($network.principal.hostname)
    $principal_user_userid = array_distinct($network.principal.user.userid)
    $principal_mac = array_distinct($network.principal.mac)

    $source_ip = array_distinct($network.src.ip)
    $source_hostname = array_distinct($network.src.hostname)
    $source_user_userid = array_distinct($network.src.user.userid)
    $source_mac = array_distinct($network.src.mac)

    $target_ip = array_distinct($network.target.ip)
    $target_hostname = array_distinct($network.target.hostname)
    $target_user_userid = array_distinct($network.target.user.userid)
    $target_mac = array_distinct($network.target.mac)

  condition:
    $network and $greynoise
}

greynoise_intelligence_ip_match.yaral

rule greynoise_intelligence_ip_match {

  meta:
    author = "GreyNoise Intelligence"
    rule_name = "GreyNoise Intelligence IP Match"
    description = "Detects events where source or principal IP matches a malicious or suspicious IP in GreyNoise intelligence."
    severity = "High"
    priority = "Medium"
    tags = "cloud security, threat intelligence"

  events:
    $network.metadata.event_type != "GENERIC_EVENT"
    (
        $network.src.ip = $correlation_ip or
        $network.principal.ip = $correlation_ip
    )

    // GreyNoise entity match
    $greynoise.graph.metadata.event_metadata.base_labels.log_types = "GREYNOISE"
    $greynoise.graph.metadata.product_name = "GreyNoise Intelligence"
    $greynoise.graph.metadata.entity_type = "IP_ADDRESS"
    (
        $greynoise.graph.metadata.threat.threat_verdict = "MALICIOUS"
        or
        $greynoise.graph.metadata.threat.threat_verdict = "SUSPICIOUS"
    )
    $greynoise.graph.entity.ip = $correlation_ip

  match:
    $correlation_ip over 1h

  outcome:
    $principal_ip = array_distinct($network.principal.ip)
    $principal_hostname = array_distinct($network.principal.hostname)
    $principal_user_userid = array_distinct($network.principal.user.userid)
    $principal_mac = array_distinct($network.principal.mac)

    $source_ip = array_distinct($network.src.ip)
    $source_hostname = array_distinct($network.src.hostname)
    $source_user_userid = array_distinct($network.src.user.userid)
    $source_mac = array_distinct($network.src.mac)

    $target_ip = array_distinct($network.target.ip)
    $target_hostname = array_distinct($network.target.hostname)
    $target_user_userid = array_distinct($network.target.user.userid)
    $target_mac = array_distinct($network.target.mac)

  condition:
    $network and $greynoise
}