
[New Rule] GreyNoise IP Address IOC Correlation #4839

Open
@niraj-crest

Description


This rule aims to correlate IP addresses found in event data with GreyNoise threat intelligence indicators to identify potentially malicious or suspicious activity. The rule avoids matching against GreyNoise’s own logs (event.module: "ti_greynoise") to ensure external observations are flagged.

Rule Configuration

Source Custom Query

NOT event.module : "ti_greynoise"

Indicator Index Patterns

logs-ti_greynoise_latet.ip*

Indicator Index Query

@timestamp >= "now-7d/d"

Indicator Mapping

| Field | Indicator index field |
|---|---|
| source.ip | threat.indicator.ip |
| destination.ip | threat.indicator.ip |

Required Fields

threat.indicator.ip

Indicator Prefix Override

greynoise.ip

Related Integration

GreyNoise

Tags

[
  "IP Address IOC",
  "Elastic",
  "Threat Intelligence",
  "GreyNoise"
]

Target Ruleset

threat_intel

Target Rule Type

Indicator Match

Tested ECS Version

8.17.0

Query

No response

New fields required in ECS/data sources for this rule?

No response

Related issues or PRs

No response

References

No response

Redacted Example Data

No response
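To make the correlation logic concrete, here is an added reference implementation of what the requested indicator-match rule does: it keeps only indicator documents inside the `now-7d/d` window, skips events produced by the GreyNoise integration itself, and flags any event whose `source.ip` or `destination.ip` equals a `threat.indicator.ip`, copying the `greynoise.ip.*` fields into the alert as the prefix override would. This is example code written for this page, not Elastic's rule engine or the issue author's code; the sample events, indicators, the fixed "now" and the `greynoise.ip.classification` field are constructed for illustration.

```python
"""Reference model of an Elastic indicator-match rule for GreyNoise IP IOCs.

Added example: mirrors the rule settings in the issue (source query, 7-day
indicator window, source/destination.ip mapping, greynoise.ip prefix). All
data below is constructed; field names other than those in the issue are
assumptions.
"""
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

INDICATOR_FIELDS = ("source.ip", "destination.ip")   # Indicator Mapping
EXCLUDED_MODULE = "ti_greynoise"                     # NOT event.module : "ti_greynoise"
INDICATOR_LOOKBACK = timedelta(days=7)               # @timestamp >= "now-7d/d"
INDICATOR_PREFIX = "greynoise.ip"                    # Indicator Prefix Override


def window_cutoff(now):
    """`now-7d/d` subtracts 7 days, then rounds DOWN to the start of that day."""
    return (now - INDICATOR_LOOKBACK).replace(hour=0, minute=0, second=0, microsecond=0)


def active_indicators(indicators, now):
    """Index indicator docs still inside the lookback window by their IP."""
    cutoff = window_cutoff(now)
    table = {}
    for ind in indicators:
        if ind["@timestamp"] >= cutoff:
            table[ip_address(ind["threat.indicator.ip"])] = ind
    return table


def match_events(events, indicators, now):
    """Return one alert per (event, field) pair whose IP hits an active indicator."""
    table = active_indicators(indicators, now)
    alerts = []
    for ev in events:
        # Source custom query: never correlate GreyNoise's own indicator documents.
        if ev.get("event.module") == EXCLUDED_MODULE:
            continue
        for field in INDICATOR_FIELDS:
            value = ev.get(field)
            if value is None:
                continue
            try:
                ip = ip_address(value)
            except ValueError:      # malformed IPs must not break the whole run
                continue
            ind = table.get(ip)
            if ind is None:
                continue
            # Prefix override: only greynoise.ip.* fields are carried into the alert.
            enrichment = {k: v for k, v in ind.items() if k.startswith(INDICATOR_PREFIX + ".")}
            alerts.append({
                "event": ev,
                "matched_field": field,
                "threat.indicator.ip": str(ip),
                "enrichment": enrichment,
            })
    return alerts


def sample_data():
    """Constructed events and indicators plus a fixed clock (not real observations)."""
    now = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
    indicators = [
        {"@timestamp": now - timedelta(days=2), "threat.indicator.ip": "203.0.113.10",
         "greynoise.ip.classification": "malicious"},
        # 10 days old: outside the 7-day window, must not match.
        {"@timestamp": now - timedelta(days=10), "threat.indicator.ip": "198.51.100.7",
         "greynoise.ip.classification": "malicious"},
        # 2025-01-08 03:00 is before now-7d (12:00) but after the /d-rounded
        # cutoff (00:00), so the rule still considers it active.
        {"@timestamp": datetime(2025, 1, 8, 3, 0, tzinfo=timezone.utc),
         "threat.indicator.ip": "203.0.113.77", "greynoise.ip.classification": "suspicious"},
    ]
    events = [
        {"event.module": "system", "source.ip": "203.0.113.10"},                 # hit
        {"event.module": "ti_greynoise", "source.ip": "203.0.113.10"},           # excluded
        {"event.module": "firewall", "source.ip": "10.0.0.5",
         "destination.ip": "203.0.113.77"},                                      # hit on dst
        {"event.module": "firewall", "destination.ip": "198.51.100.7"},          # stale IOC
        {"event.module": "firewall", "source.ip": "10.0.0.5", "destination.ip": "192.0.2.1"},
        {"event.module": "firewall", "source.ip": "not-an-ip"},                  # malformed
    ]
    return events, indicators, now


if __name__ == "__main__":
    evs, inds, clock = sample_data()
    for a in match_events(evs, inds, clock):
        print(a["matched_field"], a["threat.indicator.ip"], a["enrichment"])
```

Two behaviours worth checking when the rule is deployed are modelled here: the `ti_greynoise` exclusion prevents the indicator index from alerting on itself, and the `/d` rounding in `now-7d/d` means indicators published early on the boundary day are still matched, which slightly widens the window compared with a plain `now-7d`.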
