GreyNoise

Overview

Panther has partnered with GreyNoise, a cybersecurity platform that collects and analyzes Internet-wide data, to provide integrated threat intelligence to Panther customers. The GreyNoise integration is an Enrichment Provider, also known as a Panther-managed Lookup Table.

Use GreyNoise threat intelligence data in your Panther detections to reduce false-positive alerts by:

  • Ruling out internet background noise from external event sources so you can focus on the most critical events first.

  • Identifying potential opportunistic attacks that may have been allowed into your perimeter.

  • Identifying emerging threats based on GreyNoise context data and tagging.

The video below shows a demo of the GreyNoise functionality in Panther using the Basic package, which is available at no additional cost to all Panther customers.

GreyNoise helps security analysts save time by revealing which events and alerts they can ignore. They do this by curating data on IPs that saturate security tools with noise. This perspective helps analysts ignore irrelevant or harmless activity, creating more time to uncover and investigate true threats. For more information, please visit GreyNoise's website.

Learn how to view stored Enrichment Provider data here, and how to view log events with enrichment data here.

GreyNoise datasets

Both GreyNoise datasets, Noise and RIOT, are available in Panther. Learn more about them in the GreyNoise Understanding GreyNoise Datasets documentation.

Noise dataset

The Noise dataset features information from GreyNoise’s internet-wide sensor network that passively collects packets from hundreds of thousands of IPs seen scanning the internet every day. GreyNoise analyzes and enriches this data to identify behavior, methods, and intent, giving analysts the context they need to take action.

Noise data is refreshed approximately every hour in Panther.

RIOT dataset

The RIOT dataset contains IPs used by common business services that are unlikely to be used to attack your services. RIOT lets security practitioners quickly rule out logs and events generated by those common business services from their security telemetry.

RIOT data is refreshed approximately every four hours in Panther.

GreyNoise packages in Panther

The native GreyNoise integration with Panther offers two package options: Basic and Advanced. Both packages include the Noise and RIOT datasets.

GreyNoise Basic Package

GreyNoise Advanced Package

  • Requires a paid Search Level 6+ subscription tied to your GreyNoise plan

    • 30-day free trial available upon request

  • Provides full context details from GreyNoise for advanced filtering and hunting

Contact your Panther representative to get started with a free trial of GreyNoise Advanced.

How Panther and GreyNoise work together

The following diagram visualizes the alert lifecycle in Panther, where native enrichment with GreyNoise and Lookup Tables is supported:

  • Alert events are automatically enriched with GreyNoise data (and Custom Lookup Table data) within the p_enrichment field of the JSON event.

  • GreyNoise data can be accessed in detections with pre-built Python helpers (and deep_get).

  • GreyNoise datasets are stored as Panther-managed Lookup Tables in bulk, so there is no need to make API calls to leverage this enrichment in your detection logic or alerts.
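The following Python rule shows how a detection reads GreyNoise enrichment from the p_enrichment field with a deep_get-style helper. It is an added example, not code from the Panther documentation or from Panther's own helper libraries. The lookup-table keys greynoise_noise_basic and greynoise_riot_basic, the matched event field srcAddr, the row fields classification and name, and the sample events are all assumptions constructed for illustration; the local deep_get is a stand-in for Panther's helper of the same name.

```python
"""Constructed example: a Panther-style detection that consumes GreyNoise enrichment.

Assumptions (not taken from the documentation page): the enrichment is keyed as
p_enrichment -> <lookup table name> -> <matched event field> -> <lookup row>,
the table names are "greynoise_noise_basic" and "greynoise_riot_basic", the
matched field is "srcAddr", and the rows carry "classification" (Noise) and
"name" (RIOT). deep_get below is a local stand-in for Panther's helper.
"""
from typing import Any, Optional

NOISE_TABLE = "greynoise_noise_basic"  # assumed lookup-table key
RIOT_TABLE = "greynoise_riot_basic"    # assumed lookup-table key
MATCH_FIELD = "srcAddr"                # assumed event field the tables match on


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts safely, returning default if any key is missing."""
    current = obj
    for key in keys:
        if not isinstance(current, dict) or key not in current:
            return default
        current = current[key]
    return current


def noise_classification(event: dict) -> Optional[str]:
    """Noise classification for the source IP: benign, malicious, unknown, or None."""
    return deep_get(event, "p_enrichment", NOISE_TABLE, MATCH_FIELD, "classification")


def riot_service(event: dict) -> Optional[str]:
    """Name of the common business service the source IP belongs to, if any."""
    return deep_get(event, "p_enrichment", RIOT_TABLE, MATCH_FIELD, "name")


def rule(event: dict) -> bool:
    """Alert on failed logins, except from RIOT services or benign Noise scanners.

    Both suppressions come from the bulk lookup tables, so no API call is made.
    """
    if event.get("action") != "login_failed":
        return False
    if riot_service(event):            # known business service: rule it out
        return False
    if noise_classification(event) == "benign":
        return False                   # harmless background scanner
    return True                        # malicious, unknown, or not seen by GreyNoise


def severity(event: dict) -> str:
    """Raise severity when GreyNoise has already classified the IP as malicious."""
    return "HIGH" if noise_classification(event) == "malicious" else "MEDIUM"


def title(event: dict) -> str:
    ip = event.get(MATCH_FIELD, "<unknown>")
    classification = noise_classification(event) or "not in GreyNoise"
    return f"Failed login from {ip} (GreyNoise: {classification})"


def make_event(ip: str, enrichment: dict) -> dict:
    """Build a constructed failed-login event with the given p_enrichment block."""
    return {"action": "login_failed", MATCH_FIELD: ip, "p_enrichment": enrichment}


# Constructed sample events using RFC 5737 documentation addresses.
SAMPLE_RIOT = make_event("203.0.113.10", {
    RIOT_TABLE: {MATCH_FIELD: {"ip": "203.0.113.10", "name": "Example CDN"}},
})
SAMPLE_BENIGN = make_event("198.51.100.20", {
    NOISE_TABLE: {MATCH_FIELD: {"ip": "198.51.100.20", "classification": "benign"}},
})
SAMPLE_MALICIOUS = make_event("192.0.2.30", {
    NOISE_TABLE: {MATCH_FIELD: {"ip": "192.0.2.30", "classification": "malicious"}},
})
SAMPLE_UNKNOWN = make_event("198.51.100.9", {})  # no enrichment at all

if __name__ == "__main__":
    for sample in (SAMPLE_RIOT, SAMPLE_BENIGN, SAMPLE_MALICIOUS, SAMPLE_UNKNOWN):
        print(rule(sample), severity(sample), title(sample))
```

The rule never fails when enrichment is absent: deep_get returns None for a missing table or field, so an IP that GreyNoise has never seen still alerts at MEDIUM rather than raising an exception inside the detection.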
