GreyNoise Threat Intelligence (using Azure Functions) connector for Microsoft Sentinel
This Data Connector installs an Azure Function app to download GreyNoise indicators once per day and inserts them into the ThreatIntelligenceIndicator table in Microsoft Sentinel.
This is autogenerated content. For changes, contact the solution provider.
Connector attributes
| Connector attribute | Description |
|---|---|
| Log Analytics table(s) | ThreatIntelligenceIndicator |
| Data collection rules support | Not currently supported |
| Supported by | GreyNoise |
Query samples
All Threat Intelligence APIs Indicators
ThreatIntelligenceIndicator
| where SourceSystem == 'GreyNoise'
| sort by TimeGenerated desc
Prerequisites
To integrate with GreyNoise Threat Intelligence (using Azure Functions) make sure you have:
- Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. See the documentation to learn more about Azure Functions.
- GreyNoise API Key: Retrieve your GreyNoise API Key here.
Vendor installation instructions
You can connect GreyNoise Threat Intelligence to Microsoft Sentinel by following the below steps:
The following steps create a Microsoft Entra ID application, retrieves a GreyNoise API key, and saves the values in an Azure Function App Configuration.
- Retrieve your API Key from GreyNoise Visualizer.
Generate an API key from GreyNoise Visualizer https://docs.greynoise.io/docs/using-the-greynoise-api
- In your Microsoft Entra ID tenant, create an Microsoft Entra ID application and acquire Tenant ID and Client ID. Also, get the Log Analytics Workspace ID associated with your Microsoft Sentinel instance (it should display below).
Follow the instructions here to create your Microsoft Entra ID app and save your Client ID and Tenant ID: /azure/sentinel/connect-threat-intelligence-upload-api#instructions NOTE: Wait until step 5 to generate your client secret.
- Assign the Microsoft Entra ID application the Microsoft Sentinel Contributor Role.
Follow the instructions here to add the Microsoft Sentinel Contributor Role: /azure/sentinel/connect-threat-intelligence-upload-api#assign-a-role-to-the-application
- Specify the Microsoft Entra ID permissions to enable MS Graph API access to the upload-indicators API.
Follow this section here to add 'ThreatIndicators.ReadWrite.OwnedBy' permission to the Microsoft Entra ID App: /azure/sentinel/connect-threat-intelligence-tip#specify-the-permissions-required-by-the-application. Back in your Microsoft Entra ID App, ensure you grant admin consent for the permissions you just added. Finally, in the 'Tokens and APIs' section, generate a client secret and save it. You will need it in Step 6.
- Deploy the Threat Intelligence (Preview) Solution, which includes the Threat Intelligence Upload Indicators API (Preview)
See Microsoft Sentinel Content Hub for this Solution, and install it in the Microsoft Sentinel instance.
- Deploy the Azure Function
Click the Deploy to Azure button.
Fill in the appropriate values for each parameter. Be aware that the only valid values for the GREYNOISE_CLASSIFICATIONS parameter are benign, malicious and/or unknown, which must be comma-separated.
- Send indicators to Sentinel
The function app installed in Step 6 queries the GreyNoise GNQL API once per day, and submits each indicator found in STIX 2.1 format to the Microsoft Upload Threat Intelligence Indicators API. Each indicator expires in ~24 hours from creation unless found on the next day's query. In this case the TI Indicator's Valid Until time is extended for another 24 hours, which keeps it active in Microsoft Sentinel.
For more information on the GreyNoise API and the GreyNoise Query Language (GNQL), click here.
Next steps
For more information, go to the related solution in the Azure Marketplace.