Using GreyNoise to Reduce Noisy Alerts in XSOAR

Summary

Robert* is the manager of Cybersecurity Incident Response & Operations at a large hospitality and food service company, managing a team of 4 analysts handling Tier 2+ alerts. Like every other SOC team in the world, Robert and his staff were looking for ways to save time during their investigations, because running down every alert from their IDS/IPS was taking forever. The team initially started using GreyNoise with their homegrown incident response tool to manually filter out alerts that were not targeted attacks - it was “tremendously helpful”. When they made the decision to move to a modern SOAR platform, selecting Cortex XSOAR after a competitive bakeoff, it was a natural next step to bring in GreyNoise to automatically enrich their XSOAR alerts. Today Robert’s team is using GreyNoise to identify and deprioritize alerts generated by “internet background noise”, get better context during investigations, and rule out known legitimate traffic from logs and IP lists so they can focus on the true threats. Their next step is to automate the decision process.
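The deprioritization step the summary describes (enrich each alert's source IP, push "internet background noise" and known legitimate services down the queue, keep everything else in front of an analyst) is small enough to sketch as code. The block below is an added example written for this page; it is not GreyNoise's, Palo Alto's or the customer's code, and it runs offline against a constructed lookup table. The field names `noise`, `riot` and `classification` follow the GreyNoise Community API response, but the sample values, the alert records and the priority rules are assumptions made for illustration. Two practitioner details are built in: internal RFC 1918 addresses are never looked up (GreyNoise only sees internet-facing scanners), and an address GreyNoise has never seen is escalated rather than dropped, since traffic that is not part of the background noise is the traffic most likely to be targeted.

```python
"""Alert triage using GreyNoise-style enrichment (added example, constructed data).

Priority rules (assumed for this example, not GreyNoise policy):
  riot -> low     : known legitimate business service; rule out of the queue
  noise & malicious -> medium : opportunistic scanner, worth a glance, not urgent
  noise -> low    : internet background noise; deprioritize
  anything else -> high : not part of the noise, so possibly targeted
Deprioritized alerts are kept, not closed: the decision stays with the analyst.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Address ranges GreyNoise cannot observe; never query these. Listed explicitly
# rather than via ipaddress.is_global so the RFC 5737 documentation ranges used
# as sample "external" IPs below are still treated as external.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


@dataclass(frozen=True)
class GreyNoiseContext:
    """Subset of the GreyNoise Community API fields used for triage."""
    noise: bool          # observed mass-scanning the internet
    riot: bool           # known legitimate business service (RIOT dataset)
    classification: str  # "benign", "malicious" or "unknown"


# Constructed sample enrichment results; NOT real GreyNoise output.
SAMPLE_CONTEXT: Dict[str, GreyNoiseContext] = {
    "198.51.100.10": GreyNoiseContext(noise=True, riot=False, classification="unknown"),
    "198.51.100.20": GreyNoiseContext(noise=True, riot=False, classification="malicious"),
    "203.0.113.5": GreyNoiseContext(noise=False, riot=True, classification="benign"),
}

# Constructed IDS/IPS alerts as they might arrive in the SOAR incident queue.
SAMPLE_ALERTS: List[Dict[str, str]] = [
    {"id": "A1", "src_ip": "198.51.100.10", "sig": "ET SCAN Suspicious inbound to mySQL port 3306"},
    {"id": "A2", "src_ip": "198.51.100.20", "sig": "ET WEB_SERVER Possible CVE exploit attempt"},
    {"id": "A3", "src_ip": "203.0.113.5", "sig": "ET POLICY Outbound to SaaS collaboration service"},
    {"id": "A4", "src_ip": "203.0.113.99", "sig": "ET WEB_SERVER Login brute force attempt"},
    {"id": "A5", "src_ip": "10.0.0.8", "sig": "ET SCAN Internal port sweep"},
]


def is_internal(ip: str) -> bool:
    """True for addresses GreyNoise has no visibility into (RFC 1918, loopback, link-local)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def prioritize(ip: str, table: Dict[str, GreyNoiseContext]) -> Tuple[str, str]:
    """Return (priority, reason) for one source IP. `table` stands in for the live lookup."""
    if is_internal(ip):
        return "high", "internal source; GreyNoise has no visibility, investigate as usual"
    ctx: Optional[GreyNoiseContext] = table.get(ip)
    if ctx is None or not (ctx.noise or ctx.riot):
        return "high", "not observed scanning the internet; possibly targeted"
    if ctx.riot:
        return "low", "known legitimate business service (RIOT)"
    if ctx.classification == "malicious":
        return "medium", "opportunistic mass scanner classified malicious"
    return "low", "internet background noise"


def triage(alerts: List[Dict[str, str]],
           table: Dict[str, GreyNoiseContext] = SAMPLE_CONTEXT) -> List[Dict[str, str]]:
    """Annotate each alert with a priority and the enrichment reason behind it."""
    out = []
    for alert in alerts:
        priority, reason = prioritize(alert["src_ip"], table)
        out.append({**alert, "priority": priority, "reason": reason})
    return out


def count_by_priority(triaged: List[Dict[str, str]]) -> Dict[str, int]:
    """How much of the queue the analysts can defer: counts per priority bucket."""
    counts: Dict[str, int] = {}
    for alert in triaged:
        counts[alert["priority"]] = counts.get(alert["priority"], 0) + 1
    return counts


if __name__ == "__main__":
    for row in sorted(triage(SAMPLE_ALERTS), key=lambda r: {"high": 0, "medium": 1, "low": 2}[r["priority"]]):
        print(f'{row["priority"]:6} {row["id"]} {row["src_ip"]:15} {row["reason"]}')
    print(count_by_priority(triage(SAMPLE_ALERTS)))
```

In a real XSOAR playbook the `table.get(ip)` call is replaced by the GreyNoise integration's lookup task and the priority becomes the incident severity; the rules above are the part worth keeping as policy, and the point of the final "high" branch is that an empty GreyNoise result is a signal, not a miss.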

Read the transcript