GreyNoise Threat Intelligence (using Azure Functions) connector for Microsoft Sentinel

This Data Connector installs an Azure Function app to download GreyNoise indicators once per day and inserts them into the ThreatIntelligenceIndicator table in Microsoft Sentinel.

This is autogenerated content. For changes, contact the solution provider.

Connector attributes

Connector attribute Description
Log Analytics table(s) ThreatIntelligenceIndicator
Data collection rules support Not currently supported
Supported by GreyNoise

Query samples

All Threat Intelligence APIs Indicators

ThreatIntelligenceIndicator 
| where SourceSystem == 'GreyNoise'
| sort by TimeGenerated desc

Prerequisites

To integrate with GreyNoise Threat Intelligence (using Azure Functions) make sure you have:

Vendor installation instructions

You can connect GreyNoise Threat Intelligence to Microsoft Sentinel by following the below steps:

The following steps create a Microsoft Entra ID application, retrieves a GreyNoise API key, and saves the values in an Azure Function App Configuration.

  1. Retrieve your API Key from GreyNoise Visualizer.

Generate an API key from GreyNoise Visualizer https://docs.greynoise.io/docs/using-the-greynoise-api

  1. In your Microsoft Entra ID tenant, create an Microsoft Entra ID application and acquire Tenant ID and Client ID. Also, get the Log Analytics Workspace ID associated with your Microsoft Sentinel instance (it should display below).

Follow the instructions here to create your Microsoft Entra ID app and save your Client ID and Tenant ID: /azure/sentinel/connect-threat-intelligence-upload-api#instructions NOTE: Wait until step 5 to generate your client secret.

  1. Assign the Microsoft Entra ID application the Microsoft Sentinel Contributor Role.

Follow the instructions here to add the Microsoft Sentinel Contributor Role: /azure/sentinel/connect-threat-intelligence-upload-api#assign-a-role-to-the-application

  1. Specify the Microsoft Entra ID permissions to enable MS Graph API access to the upload-indicators API.

Follow this section here to add 'ThreatIndicators.ReadWrite.OwnedBy' permission to the Microsoft Entra ID App: /azure/sentinel/connect-threat-intelligence-tip#specify-the-permissions-required-by-the-application. Back in your Microsoft Entra ID App, ensure you grant admin consent for the permissions you just added. Finally, in the 'Tokens and APIs' section, generate a client secret and save it. You will need it in Step 6.

  1. Deploy the Threat Intelligence (Preview) Solution, which includes the Threat Intelligence Upload Indicators API (Preview)

See Microsoft Sentinel Content Hub for this Solution, and install it in the Microsoft Sentinel instance.

  1. Deploy the Azure Function

Click the Deploy to Azure button.

Deploy To Azure

Fill in the appropriate values for each parameter. Be aware that the only valid values for the GREYNOISE_CLASSIFICATIONS parameter are benign, malicious and/or unknown, which must be comma-separated.

  1. Send indicators to Sentinel

The function app installed in Step 6 queries the GreyNoise GNQL API once per day, and submits each indicator found in STIX 2.1 format to the Microsoft Upload Threat Intelligence Indicators API. Each indicator expires in ~24 hours from creation unless found on the next day's query. In this case the TI Indicator's Valid Until time is extended for another 24 hours, which keeps it active in Microsoft Sentinel.

For more information on the GreyNoise API and the GreyNoise Query Language (GNQL), click here.

Next steps

For more information, go to the related solution in the Azure Marketplace.