GreyNoise: Alert Tuning for the SOC Analyst’s Soul
Here at Hurricane Labs, we process a high volume of alerts for our customers, including many noisy alerts such as detections that fire on known benign scanners and internet background noise.
We spend a lot of time tuning customers' environments to bring the noise down. As we add new customers and more detections, however, alert volumes increase again, and our analysts start facing alert fatigue.
While this is normal for our business, having a tool to help us tune this noise back to manageable levels is important.
What is GreyNoise?
GreyNoise is an enrichment platform that is used to tune out the non-malicious noise from the internet. In their own words: “We collect, analyze, and label data on IPs that saturate security tools with noise. This unique perspective helps analysts confidently ignore irrelevant or harmless activity, creating more time to uncover and investigate true threats.”
To a Security Operations Center (SOC), telling security analysts what they don’t need to worry about is ideal because it means less time spent working alerts that are not a threat and more time digging into suspicious activity.
How GreyNoise works
GreyNoise works by deploying honeypots throughout the internet that listen for the scanning going on at all times. They analyze that traffic, tag the signatures each source IP is observed scanning for, extract metadata about the IP, and assign a "Classification" of Malicious, Benign, or Unknown based on the traffic and the owner of the IP. Two points matter when you act on this: a Benign classification means a known, legitimate scanner (not that every packet from that IP is harmless), and an IP GreyNoise has never seen is simply not internet background noise, which says nothing about whether it is safe. Their website offers a deeper explanation of their methods as well.
How we use GreyNoise
We use GreyNoise both in our customer Splunk instances and in our internal Splunk Phantom. On customer Splunk instances, we use the `gnenrich` command, which returns enrichment such as whether GreyNoise has observed the IP as noise, as well as the actor, IP metadata, and the classification.
Using that enrichment, we can exclude known benign scanners from alerting on vulnerability-scan detections, escalate the priority of alerts involving known malicious scanners, and attach context to alerts from unknown scanners so analysts are not starting from nothing.
In our internal Phantom, we can then correlate those known scanners, whether malicious or benign, across customers to spot trends or watch for specific GreyNoise tags tied to weaknesses our customers may be exposed to. This allows us to provide the best possible service to customers while giving our analysts a head start on investigating IP-based alerts.
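The triage logic described in the two paragraphs above, written out as an added example in Python (the language Phantom playbooks are written in). This is not Hurricane Labs' or GreyNoise's code. It assumes the enrichment has already been fetched (for instance by `gnenrich` or the GreyNoise API) and is handed in as a dict keyed by IP; the field names (`seen`, `classification`, `actor`, `tags`), the rule names, and every IP, actor and tag in the sample data are constructed for the example. Note the one caveat the code enforces: a Benign classification only suppresses alerts from scan-type rules, so a known benign scanner that shows up in, say, a failed-login detection is still kept.

```python
"""Triage alerts with GreyNoise-style enrichment, then correlate tags across customers.

Added example; field names and sample data below are assumptions, not GreyNoise's
or Hurricane Labs' own schema.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Rules that fire on scanning behaviour. A "benign" (known scanner) classification
# is only allowed to suppress alerts from these rules. (Assumed rule names.)
SCAN_RULES = {"vuln_scan_detected", "port_sweep", "web_scanner_ua"}

SEVERITY_ORDER = ["low", "medium", "high", "critical"]


def escalate(severity):
    """Bump a severity one step up the ladder, capped at critical."""
    i = SEVERITY_ORDER.index(severity)
    return SEVERITY_ORDER[min(i + 1, len(SEVERITY_ORDER) - 1)]


@dataclass
class TriageResult:
    kept: list = field(default_factory=list)        # alerts an analyst will see
    suppressed: list = field(default_factory=list)  # tuned out, retained for audit


def triage(alerts, enrichment):
    """Apply the three actions from the post: suppress benign scanners on scan rules,
    escalate malicious, enrich unknown. Unseen IPs pass through untouched."""
    result = TriageResult()
    for alert in alerts:
        out = dict(alert)
        gn = enrichment.get(alert["src_ip"])
        if not gn or not gn.get("seen"):
            # Never observed by GreyNoise: not background noise, so no tuning applies.
            out["gn_status"] = "not_seen"
            result.kept.append(out)
            continue
        out["gn_classification"] = gn["classification"]
        out["gn_actor"] = gn.get("actor")
        out["gn_tags"] = list(gn.get("tags", []))
        if gn["classification"] == "benign":
            if alert["rule"] in SCAN_RULES:
                out["gn_status"] = "suppressed_benign_scanner"
                result.suppressed.append(out)
                continue
            # Benign scanner, but the rule is not about scanning: keep it, with context.
            out["gn_status"] = "kept_benign_nonscan"
        elif gn["classification"] == "malicious":
            out["severity"] = escalate(alert["severity"])
            out["gn_status"] = "escalated_malicious"
        else:
            out["gn_status"] = "enriched_unknown"
        result.kept.append(out)
    return result


def tag_trends(alerts):
    """Map each GreyNoise tag to the sorted list of customers it was seen against."""
    seen = defaultdict(set)
    for a in alerts:
        for tag in a.get("gn_tags", []):
            seen[tag].add(a["customer"])
    return {tag: sorted(customers) for tag, customers in seen.items()}


def tags_of_concern(trends, watchlist):
    """Restrict trends to tags on a watchlist (e.g. tags matching exposed services)."""
    return {t: trends[t] for t in sorted(watchlist) if t in trends}


# Constructed sample enrichment, shaped loosely like a GreyNoise context lookup.
ENRICHMENT = {
    "198.51.100.10": {"seen": True, "classification": "benign",
                      "actor": "ExampleSearchEngine", "tags": ["Web Crawler"]},
    "203.0.113.7": {"seen": True, "classification": "malicious",
                    "actor": "unknown", "tags": ["SSH Bruteforcer", "Mirai"]},
    "192.0.2.55": {"seen": True, "classification": "unknown",
                   "actor": "unknown", "tags": ["Web Scanner"]},
}

# Constructed sample alerts from three fictional customers.
ALERTS = [
    {"customer": "acme", "rule": "vuln_scan_detected", "src_ip": "198.51.100.10", "severity": "medium"},
    {"customer": "acme", "rule": "vuln_scan_detected", "src_ip": "203.0.113.7", "severity": "medium"},
    {"customer": "globex", "rule": "ssh_failed_logins", "src_ip": "203.0.113.7", "severity": "high"},
    {"customer": "globex", "rule": "vuln_scan_detected", "src_ip": "192.0.2.55", "severity": "medium"},
    {"customer": "initech", "rule": "vuln_scan_detected", "src_ip": "203.0.113.200", "severity": "medium"},
    {"customer": "initech", "rule": "ssh_failed_logins", "src_ip": "198.51.100.10", "severity": "high"},
]

if __name__ == "__main__":
    res = triage(ALERTS, ENRICHMENT)
    for a in res.suppressed + res.kept:
        print(f'{a["customer"]:8} {a["rule"]:20} {a["src_ip"]:15} {a["severity"]:8} {a["gn_status"]}')
    print(tags_of_concern(tag_trends(res.kept), {"Mirai", "SSH Bruteforcer"}))
```

Only the known benign scanner hitting a scan rule is dropped; the same IP in the failed-login alert survives, the malicious IP is bumped one severity level on both of its alerts, and `tag_trends` shows which tags are showing up across more than one customer.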
Conclusion
GreyNoise is an invaluable tool that gives our SOC an easy way to filter out noise while at the same time providing the enrichment we need to serve our customers' best interests.
If you want to hear more about how we use this tool, check out Greynoise’s interview with our Director of Splunk Operations, Steve McMaster.
About Hurricane Labs
Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.
For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.
