GreyNoise (BETA)
This feature is available in version 1.32 and newer.
You will need to accept new Terms of Service for Panther and GreyNoise in the Panther Console to use this feature.
Panther's GreyNoise integration is currently in public beta. Please share any bug reports and feature requests with your account team.
Panther has partnered with GreyNoise Intelligence, a cybersecurity platform that collects and analyzes Internet-wide data, to provide integrated threat intelligence to Panther customers.
Use Panther detection capabilities with GreyNoise threat intelligence data to reduce false-positive alerts by:
  • Ruling out internet background noise from external event sources to ensure you're focused on most critical events first..
  • Identifying potential opportunistic attacks that may have been allowed into your perimeter.
  • Identifying emerging threats based on GreyNoise context data and tagging.

Overview

The video below shows a demo of the GreyNoise functionality in Panther using the Basic package, which is available at no additional cost to all Panther customers.
Overview of using GreyNoise data sets with Panther
GreyNoise helps security analysts save time by revealing which events and alerts they can ignore. They do this by curating data on IPs that saturate security tools with noise. This perspective helps analysts ignore irrelevant or harmless activity, creating more time to uncover and investigate true threats. For more information, please visit greynoise.io.

GreyNoise Data Sets

GreyNoise data in Panther comes in two flavors: Noise and RIOT.
The Noise data set features information from GreyNoise’s internet-wide sensor network that passively collects packets from hundreds of thousands of IPs seen scanning the internet every day. GreyNoise analyzes and enriches this data to identify behavior, methods, and intent, giving analysts the context they need to take action. Noise data is refreshed approximately every hour in Panther.
The RIOT data set contains IPs used by common business services that are not likely to be used to attack your services. RIOT enables security practitioners to quickly eliminate logs and events generated from common business services from their security telemetry to quickly rule them out. RIOT data is refreshed approximately every four hours in Panther.

GreyNoise Packages in Panther

The native GreyNoise integration with Panther includes two different packages options: Basic and Advanced. Both packages include the Noise and RIOT data sets.

GreyNoise Basic Package

GreyNoise Advanced Package

  • Available at additional cost (requires GreyNoise Automate product)
    • 30-day free trial available upon request
  • Provides full context details from GreyNoise for advanced filtering and hunting
Contact your Panther representative to get started with a free trial of GreyNoise Advanced.

How Panther and GreyNoise Work Together

The following diagram describes the alert lifecycle in Panther, where native enrichment with GreyNoise and Lookup Tables is supported:
  • Alert events are automatically enriched with both custom Lookup Tables and native GreyNoise data under the p_enrichment field in JSON events.
  • GreyNoise data can be used in detections with pre-built Python helpers (and deep_get) to access enrichment information.
  • GreyNoise data sets are stored as Panther-managed Lookup Tables in bulk, so there is no need to make API calls to leverage this enrichment in your detection logic or alerts.