How to Use GreyNoise to Enhance Detections

Enable GreyNoise Data Sets

GreyNoise data sets are stored as Panther-managed Lookup Tables in bulk. The Basic GreyNoise data sets are available to all Panther accounts and are disabled by default.

Incoming events will only be enriched with GreyNoise data if the IP address in the event has been detected by GreyNoise. You can check if GreyNoise has detected a particular IP address by using their online tool here.

If you are using a CI/CD workflow, please see the CI/CD Users section below to learn about additional considerations.

To enable a user role to view and manage GreyNoise packages in the Panther Console, it must be assigned the View Lookups and Manage Lookups permissions.

To enable GreyNoise data sets:

Log in to your Panther Console.
From the left sidebar menu, click Build > Packs.
- On this page, you can see built-in packs available for both GreyNoise Basic and GreyNoise Advanced. Packs are disabled by default, so to use GreyNoise data you will need to enable them first.
On the right side of the tile labeled GreyNoise Basic, click the toggle to enable the pack.
Click Continue in the dialog that appears.
- If you'd like to make additional changes through CI/CD with the panther_analysis_tool, please contact your Panther representative for more information.
To verify if the GreyNoise data sets are enabled, from the left sidebar menu, click Configure > Enrichment Providers.
- On this page, you can see Panther-managed enrichment sources (such as GreyNoise). You can also see whether the sources are currently enabled or disabled and when a source’s data was last refreshed.
- In the screen shot below, you can see the four source tables provided by GreyNoise and the time they were last refreshed. Disabled data sets will not be refreshed.

GreyNoise data (both Basic and Advanced) is not available to view or query in the Data Explorer. The "View in Data Explorer" option is hidden for GreyNoise tables, but may be shown for other Panther managed lookup sources.

Testing detections that use GreyNoise

Adding tests to your detections is good practice, and ensures that your detection is working as expected. To use GreyNoise information in a test event, you can either:

Artificially mark one or more IPs in your test event as having a certain GreyNoise classification, by pasting in a fake p_enrichment struct with GreyNoise data. Modify the classification value, and any other values relevant to your detection.
Fetch a real IP that GreyNoise has given a certain classification, paste it in your test event, then click Enrich Test Data.
- With this approach, be aware that GreyNoise IP classifications can change.

CI/CD users

To enable the GreyNoise Enrichment Provider in the CLI workflow, see the Managing Lookup Tables and Enrichment Providers with the Panther Analysis Tool guide.

Please note the following considerations:

CI/CD users do not need to use Detection Packs to get GreyNoise Lookup Tables. You can pull in the latest release of panther-analysis and use the panther_analysis_tool (PAT) to upload the GreyNoise Lookup Tables.
It is possible for CI/CD users to enable GreyNoise Lookup Tables via Detection Packs, as long as you do not customize the GreyNoise tables using PAT.
- If you choose to manage GreyNoise through PAT after enabling it in the Panther Console, you must first disable the Detection Packs in the Panther Console. Simultaneous use of both the Panther Console and PAT to manage GreyNoise is not supported.
For more information on how to manage GreyNoise Lookup Tables, please see the GreyNoise files in Panther's Github repository.

Example: Modify an alert's severity based on GreyNoise classification

In this example, we will modify a pre-built rule in your Panther Console called Brute Force By IP to detect issues specifically in Okta and to incorporate GreyNoise.

For this rule, we're going to modify the alert’s severity depending on whether GreyNoise reports that the IP is malicious or benign. We're also going to add a function to display the GreyNoise alert context in the alert destination, if the context is available.

Prerequisite: In this example, the Brute Force By IP rule logic for Okta has already been written.

In the left-hand navigation bar of your Panther Console, click Build > Detections.
Click the Okta Brute Force By IP detection.
Click Edit Rule, then click the Functions & Tests tab.
In the Rule Function section, add the following Python command to import Panther GreyNoise helpers:
```
from panther_greynoise_helpers import GetGreyNoiseObject
```

Modify the Rule Function to retrieve the GreyNoise data and create a GreyNoise noise object:

def rule(event):
    global noise
    noise = GetGreyNoiseObject(event)
    if (event.get("eventType") == "user.session.start" and deep_get(event, "outcome", "result") == "FAILURE"):
        return True
    return False

At the bottom of the field, replace the severity(event) function with the following code:
```
 def severity(event):   
    if noise.classification("client.ipAddress") == "malicious":
        return "CRITICAL"
    if noise.classification("client.ipAddress") == "benign":
        return "LOW"
    return "MEDIUM"
```
- This modification will determine severity based on whether GreyNoise reports that the IP is malicious or benign. In this example, if GreyNoise indicates that the IP is malicious, the alert will be assigned critical severity. If GreyNoise indicates that the IP is benign, the alert will be assigned low severity. If the IP is not classified as malicious or benign, the alert will be assigned medium severity.

Below that, add the following code to provide the contextual noise.actor, noise.classification, and noise.ip_address GreyNoise information in the delivered alert:

  def alert_context(event): 
    context ={"message": "No GreyNoise Data Available"}
    if noise.classification:
        context = {
            "actor": noise.actor("client.ipAddress"),
            "classification": noise.classification("client.ipAddress"),
            "ip": noise.ip_address("client.ipAddress"),
            }
    return context

Optionally run tests to ensure that your detection is working as expected. See Testing detections that use GreyNoise for more information.
Click Update in the upper right side of the page.

Rule function before and after

Here is the starting content of the rule function:

from panther_base_helpers import deep_get

def rule(event):
    if (event.get("eventType") == "user.session.start"
    and deep_get(event, "outcome", "result") == "FAILURE"):
        return True
    return False

def title(event):
    return f"A Possible Brute Force Attack on Okta Detected from IP {deep_get(event, 'client', 'ipAddress')}"

def severity(event):
    return "MEDIUM"

Here is the content of the rule function after modifying it to use GreyNoise data for enrichment:

from panther_base_helpers import deep_get
from panther_greynoise_helpers import GetGreyNoiseObject

def rule(event):
    global noise
    noise = GetGreyNoiseObject(event)
    if (event.get("eventType") == "user.session.start" and deep_get(event, "outcome", "result") == "FAILURE"):
        return True
    return False

def title(event):
    return f"A Possible Brute Force Attack on Okta Detected from IP {deep_get(event, 'client', 'ipAddress')}"

def severity(event):
    if noise.classification("client.ipAddress") == "malicious":
        return "CRITICAL"
    if noise.classification("client.ipAddress") == "benign":
        return "LOW"
    return "MEDIUM"

def alert_context(event):
    context ={"message": "No GreyNoise Data Available"}
    if noise.classification:
        context = {
            "actor": noise.actor("client.ipAddress"),
            "classification": noise.classification("client.ipAddress"),
            "ip": noise.ip_address("client.ipAddress"),
        }
    return context

This example only uses information from the basic GreyNoise package. With the advanced package enabled, you can also access GreyNoise Tag information, Geo IP Metadata, and flags for VPN and Tor indicators.

Example: Suppress an alert if IP is in GreyNoise RIOT

This example uses the same detection from the previous section. We will modify it to not raise an alert at all if the IP detected is in GreyNoise’s RIOT data set.

In the Panther Console, click Build > Detections in the left sidebar menu.
Click the Okta Brute Force By IP detection.
Click Edit Rule, then click the Functions & Tests tab.
In the Rule Function section, add the following Python command to import Panther GreyNoise helpers and include GreyNoise RIOT objects:
```
from panther_greynoise_helpers import GetGreyNoiseObject, GetGreyNoiseRiotObject
```

In the rule syntax, add the following code to pull from the GreyNoise RIOT data set and modify the alert based on that data:

  def rule(event): 
    global noise
    noise = GetGreyNoiseObject(event)
    riot = GetGreyNoiseRiotObject(event)
    
    if riot.is_riot:
        return False
    if (event.get("eventType") == "user.session.start" 
    and deep_get(event, "outcome", "result") == "FAILURE"):
        return True
    return False

Using this code, if GreyNoise indicates that the IP is in the RIOT data set and therefore used by a common business service that is unlikely to be an attack vector, then it will not deliver an alert at all.

Optionally run tests to ensure that your detection is working as expected. See Testing detections that use GreyNoise for more information.
Click Update in the upper right side of the page.

With the advanced GreyNoise lookup tables, you can also build these rules based on additional enrichment provided, such as the Trust Level of the IP.

PreviousGreyNoise Helper Function Usage and Methods NextIPinfo

Last updated 3 months ago