GreyNoise
Guides
Start typing to search…

SIEM Integration Overview: Crowdstrike NG-SIEM

Install Foundry App

The GreyNoise Threat Intel app for Foundry is located in the Templates section of Falcon Foundry.

Navigate to Foundry --> Templates --> Search for GreyNoise Threat Intel. Then click the Deploy button.

After the app template is deployed, navigate to Foundry --> App Manager --> Click on the GreyNoise Threat Intel App.

Click the Release Button to create the first Release available, selecting Major release and giving it a comment of something similar to "Initial Release":

The app is now available to be configured in the App Catalog. Click the Install Now button:


Foundry App Components

The GreyNoise Foundry App for CrowdStrike Falcon includes three components:

  • An integration to the GreyNoise API to use within Fusion SOAR Workflows
  • A logic function that interacts with the GreyNoise API to create a Lookup File and uploads it to NG-SIEM
  • A pre-built Workflow to run the logic function daily at 0300 UTC.

Configure an Instance of the GreyNoise App

After installing the Foundry App, two configuration sections need to be configured.

GreyNoise API Configuration

This setting section includes two values and enables the authentication for adding GreyNoise API actions into Fusion SOAR workflows.

  • Name: A name for the API credentials to help identify them, i.e. GreyNoise - Service Account Alpha
  • API Key: The API key to be used, from the GreyNoise Visualizer: Visualizer - My API Key

Workflow Settings

This section provides the necessary settings for the automated workflow that creates and uploads the CSV file daily into the NG-SIEM Lookup files section.

  • API Key: The API key to be used, from the GreyNoise Visualizer: Visualizer - My API Key
  • Max Indicator Count: This option allows you to set a cap on the maximum number of indicators that will be stored in the lookup file. Ideally, this number should be larger than the total number of indicators in the defined query if you desire the file to contain all indicators from the query.
  • Query: The GreyNoise Query (GNQL) retrieves indicators from the GreyNoise API. By default, this should be set to last_seen:1d which will allow for all indicators observed in the last 24h to be stored in the lookup file.
  • Repository: This should be the name of the NG-SIEM lookup file repository that the Lookup File will be uploaded to with NG-SIEM. A default value of search-all will most commonly be used.

Lookup File Workflow

The Foundry App installs and auto-enables a workflow to update the GreyNoise Lookup file daily. The workflow includes the following components:

  • Workflow: GreyNoise Indicator Import Scheduler
  • Function: greynoise-ti-bulk-import

Once the settings are configured, the workflow can be found in the Fusion SOAR Workflows section and should be marked as enabled:

The execution log will show the state of each of the workflow runs:

This will then generate and update the ti_greynoise_indicators.csv file within NG-SIEM:

Incorporating the Lookup File

The lookup file is designed to use the match() function to incorporate the GreyNoise data into the searches created within NG-SIEM. This additional metadata can then be used to filter out unnecessary events or to create additional alert types, depending on the use case.

The following is a sample search incorporating the lookup file:

#type = "greynoise-sensor-data"
| match(file="ti_greynoise_indicators.csv", field=[source.ip] , column=[source.ip], strict=false) 
| "source.ip.greynoise.internet_scanner_intelligence.found" != True

Dashboards

The GreyNoise lookup file intelligence can also be incorporated into dashboards to monitor data sources and bring important information into view for users:


Updated 18 days ago