Full-Time
Posted on 7/29/2025
Baseline traffic data to filter threats
No salary listed
Remote in USA
Remote
All positions are fully remote within the US, with optional office attendance at our DC area headquarters.
GreyNoise Intelligence collects and labels data from Internet-wide scans to establish a baseline of normal traffic. It helps organizations ignore benign activity—such as bots, crawlers, and search engines—so security teams can focus on real threats. Access to its data and analytics is provided through a subscription, enabling security analysts and network admins to filter out non-threatening traffic. By offering Anti Threat Intelligence, GreyNoise reduces false positives and helps teams concentrate resources on genuine security risks.
Company Size
51-200
Company Stage
Series A
Total Funding
$20.4M
Headquarters
Washington DC, District of Columbia
Founded
2017
💵 Equity in a high-growth, Series-A startup
👩‍⚕️ 100% covered health, dental, vision, and life plans for all employees, as well as 401k with a 6% employer match
🏖 Unlimited paid time off. To encourage time off from work and ensure overall employee health and wellness, GreyNoise requires each employee to take at least 120 hours of PTO (3 weeks) annually, including at least five consecutive business days
🌎 Remote-first culture. While we are headquartered in the Washington DC area, we have a distributed workforce -- with the majority of our team working remotely from across the country
💻 Equipment budget. Every new employee gets $3,000 to spend on equipment, so you can pick whatever works best for you
👼 Paid family leave for all employees. We offer 4 months of paid leave (birth or adoption), plus 2 months of optional unpaid leave, so new parents have time to adjust to the new life (and work) schedule
📚 Learning & development budget. All employees receive an annual $1,500 towards professional development related to their job function. The stipend can be applied to tuition, books, conferences, and more
🌴 Company offsites and monthly local hangouts to encourage team bonding
GreyNoise Intelligence introduces C2 Detection to close the visibility gap at the edge of the network.
Apr 7, 2026
Leverages outbound telemetry to detect compromises.
Washington, DC - April 7, 2026 - GreyNoise Intelligence, the cybersecurity company providing real-time intelligence about network-based attacks, today introduced Command and Control (C2) Detection, a new intelligence module that unlocks valuable insights about cyber attack behavior, based on information contained in outbound network traffic logs. C2 Detection empowers security teams to detect active compromise earlier, prioritize response based on attacker progression, and accelerate investigation by surfacing malware hashes and family classifications tied to confirmed callback infrastructure.
"Edge devices have become the most targeted assets on the internet, and the industry's visibility into what happens after they're compromised has been dangerously limited," said Ash Devata, CEO, GreyNoise Intelligence. "GreyNoise has always been one of the most authoritative sources on inbound network threats. With C2 Detection, our customers can not only identify who's probing their perimeter, but whether a device is already compromised and who it's phoning home to."
Cyber adversaries frequently attack edge devices to exploit known vulnerabilities and gain access. GreyNoise utilizes the world's most sophisticated deception network of over 5,000 sensors in 80 countries to observe internet traffic, and can determine whether activity is malicious in intent based on certain behavioral characteristics and patterns. In cases where an IP is attempting to initiate a download of malware onto a network, valuable insights can be found in the network's outbound traffic log, since compromised devices often call out to Command and Control (C2) Servers to receive additional instructions. This information can provide valuable insights to help security teams determine whether their perimeter has been breached.
Has your device already been compromised?
Powered by GreyNoise's callback IP intelligence and malware hash data, C2 Detection provides post-exploitation, outbound-facing threat intelligence by surfacing active compromise through outbound communication with attacker-controlled infrastructure. It provides an end-to-end overview about how attacks actually work, including what payloads were delivered, what binaries were downloaded, which external servers were used for Command and Control, and what commands and behaviors were associated with those sessions. By matching outbound egress traffic against a continuously updated dataset of confirmed malware-hosting IPs and C2 infrastructure, C2 Detection produces a signal that indicates exactly how serious each match is. Security teams can use this dataset of 'phone home' addresses that compromised devices communicate with for potential breach detection via outbound telemetry by matching it against their outbound logs. If an internal device has been communicating with malicious IPs, there is a high degree of likelihood that the device has been compromised.
"With C2 Detection, GreyNoise is effectively closing the visibility gap at the edge of the network," said Corey Bodzin, Chief Product Officer, GreyNoise Intelligence. "Up until now, security teams have had a structural blind spot on post-exploitation activity, especially on edge devices like firewalls, VPN concentrators, and internet-facing IoT. These are now the most actively exploited assets on the internet, but Endpoint Detection and Response (EDR) can't be run on them, and their native telemetry is often too sparse to detect callback behavior. Our research shows that millions of edge devices are already infected and silently calling out to malware-hosting servers, C2 nodes, and associated file hashes. C2 Detection surfaces that activity, and empowers security teams to take action faster."
About GreyNoise Intelligence
GreyNoise empowers the security teams of enterprises and global governments to act with speed and confidence by providing fresh, verifiable threat intelligence about systems at the network edge. This allows security teams to reduce noise in security operations, perform in-depth investigations and threat hunts, and focus on the most critical threats to their networks. Its Global Observation Grid enables GreyNoise Intelligence, Inc. to observe and analyze threat actor campaigns at global scale and share this intelligence with customers in real-time. For more information, please visit https://www.greynoise.io/, and follow GreyNoise Intelligence, Inc. on Twitter, Mastodon and LinkedIn.
GreyNoise appoints Mike Habte as federal sales director.
GreyNoise Intelligence has appointed Mike Habte, a federal technology sales and business development executive, as director of federal sales to support the company's growth strategy across defense, intelligence and civilian agencies. The latest leadership appointment at GreyNoise reflects continued momentum across the federal cybersecurity landscape as companies expand capabilities and leadership teams to support government missions.
The company said Monday Habte will lead efforts to expand adoption of its threat intelligence platform among federal systems integrators and agencies that support government cyber missions.
Ash Devata, CEO of GreyNoise Intelligence, said the company was established to address a major cybersecurity challenge by helping organizations identify attacks targeting edge systems that often lack sufficient telemetry.
"Our platform is already delivering that capability in real-time for our government partners, both domestically and abroad. With Mike Habte leading our federal sales efforts, we're positioned to extend this mission advantage to more agencies and the systems integrators who serve them," added Devata.
Who is Mike Habte?
Mike Habte is a federal market executive with over 10 years of experience supporting government adoption of cybersecurity and intelligence technologies. Prior to joining GreyNoise, he worked at Recorded Future, where he focused on building partnerships with federal systems integrators and supporting the delivery of intelligence capabilities to government customers. His professional background also includes roles at Babel Street, Palo Alto Networks and DLT Solutions, where he supported federal technology sales and business development efforts, according to his LinkedIn profile.
Earlier in his career, he worked at ArchIntel, where he served as global director of research, development and operations. In this capacity, he helped develop and deliver technical intelligence briefings designed to provide leaders at federal systems integrators with situational awareness and competitive insights on the federal technology market.
"The federal market is looking for solutions that deliver real efficiency gains - platforms that reduce labor costs, enable AI-driven automation, and serve as force multipliers for cyber programs at the edge," said Habte. "GreyNoise checks every one of those boxes, our signal optimization capabilities are already proven in both government and commercial environments. I'm excited to help more agencies and their integrator partners realize that advantage."
What does GreyNoise do?
GreyNoise is a cybersecurity company that provides threat intelligence designed to help security teams identify and prioritize internet-wide attack activity targeting network edge systems. The company operates the Global Observation Grid, a deception network made up of thousands of sensors deployed across more than 80 countries that observe and classify attack activity in real time. GreyNoise said its platform helps security operations teams filter out background internet noise, enabling analysts to advance zero trust adoption by focusing on validated threat signals and quickly responding to emerging cyberthreats.
New GreyNoise integrations enhance detection and response capabilities in Google SecOps.
The GreyNoise Team
March 10, 2026
GreyNoise is launching a new SIEM and SOAR integration - with improved dashboards, detection rules, playbooks, and webhook support
Your SIEM ingests everything. Every port scan, every crawl, every opportunistic spray across the internet. The problem isn't the collection - it's context. Which of those IPs are scanning everyone, and which ones are targeting you? That's the question GreyNoise answers.
We observe over 800,000 unique IPs daily across 5,000+ sensors in 80+ countries, classifying each as malicious, suspicious, benign, or unknown, and tagging them with 3,000+ behavioral descriptors. Traditional threat feeds add more indicators to investigate. GreyNoise removes the ones that don't matter.
Today, as a Google Integration partner, we're announcing a new and improved integration with Google SecOps that spans both SIEM and SOAR - delivering standardized indicator ingestion, pre-built dashboards, YARA-L detection rules, saved searches, SOAR response actions, webhook support, and ready-to-deploy playbooks.
What's new: SIEM.
New ingestion script. The GreyNoise ingestion script now lives in Google's official Chronicle ingestion-scripts repository - a standardized process for importing threat intelligence indicators into your environment. Deployed as a Google Cloud Function, it pulls IP reputation data and GNQL query results from the GreyNoise API and ingests them via the Chronicle Ingestion API. The default configuration focuses on malicious IPs observed in the last 24 hours, but teams can customize the GNQL query to match their threat profile.
New dashboards.
Two interactive dashboards ship with the integration, ready to import into Google SecOps:
* Indicator Dashboard - 15+ visualization panels covering classification distribution (Malicious, Suspicious, Benign, Unknown), top 10 rankings for organizations, actors, tags, ASNs, categories, operating systems, and source countries, plus CVE distribution, trend analysis, and business service intelligence.
* Correlation Dashboard - Shows IOC matches between GreyNoise intelligence and events from your environment, with geolocation mapping, event match trends, classification breakdowns, and top IP indicator rankings.
New YARA-L detection rules. Three ready-to-deploy rules that start correlating immediately:
* IP Match - Detects events where a source or principal IP matches a malicious or suspicious GreyNoise indicator, correlating over a 1-hour window.
* Inbound Network Traffic with ASN Context - High-severity rule monitoring firewall logs for permitted inbound connections from GreyNoise-flagged malicious IPs, enriched with ASN attribution.
* Brute Force Attack Detection - High-severity rule flagging 5+ blocked login attempts from GreyNoise-flagged IPs within a 15-minute window.
New saved searches. Four pre-built UDM queries for investigation workflows:
* IP Risk & Vulnerability Details - Classification, anonymization signals, CVEs, and activity timelines
* Indicator Context Summary - Actor attribution, geographic details, organizations, and tags
* High Risk Indicators - Filters for MALICIOUS or SUSPICIOUS classifications only
* All Indicator Lookup - Browse all ingested GreyNoise indicators for ad-hoc investigation
What's new: SOAR.
Updated Response Actions (v7.0)
The GreyNoise SOAR response integration has been updated to version 7.0 with the full suite of actions:
| Action | What It Does |
| --- | --- |
| IP Lookup | Full enrichment - classification, tags, metadata |
| Quick IP Lookup | Fast context check on any IP |
| IP Timeline Lookup | Historical view of scanning behavior over time |
| Execute GNQL Query | Run arbitrary GreyNoise queries within a playbook |
| Get CVE Details | Vulnerability context from exploitation activity |
| Ping | Validate API connectivity |
New webhook support. A major addition: webhook support for ingesting GreyNoise alerts and event feeds directly into Google SecOps SOAR. Three webhook types are now available:
* Alert Webhook - Ingests IP, CVE, TAG, and GNQL Query alerts
* IP Change Webhook - Tracks classification changes in real time
* CVE/Tag Webhook - Monitors CVE spikes, status changes, vendor activity, and tag spikes
New SOAR playbooks. Pre-built playbooks ship with the integration, providing ready-made automation workflows that teams can deploy or customize. Combined with the webhook connectors and the Generate Alert from GreyNoise GNQL connector, security teams can build end-to-end automated triage pipelines.
How it works together.
The SIEM and SOAR components work as a unified pipeline:
1. Ingest - The SIEM integration continuously pulls GreyNoise indicators into Google SecOps with fresh scanner data.
2. Detect - YARA-L detection rules flag events that correlate with known scanners. Dashboards provide visual context.
3. Investigate - Saved searches surface IP risk details, actor attribution, and CVE context without writing queries.
4. Respond - SOAR playbooks enrich flagged IPs automatically. Mass scanners get deprioritized. Targeted activity escalates for review.
Webhooks close the loop by pushing GreyNoise alerts - including classification changes and CVE spikes - directly into SOAR for immediate action.
Who has access.
This integration is available to any joint Google SecOps customer with a GreyNoise API key. No additional licensing required - just configure and go.
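The Brute Force Attack Detection rule described in the post above (5+ blocked login attempts from GreyNoise-flagged IPs within a 15-minute window), written as Python over a constructed log. This is an added example, not GreyNoise's YARA-L rule or integration code; the log format, the indicator set (RFC 5737 documentation addresses) and the reading of "flagged" as malicious or suspicious are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                     # "5+ blocked login attempts" (from the page)
WINDOW = timedelta(minutes=15)    # "15-minute window" (from the page)
FLAGGED = {"malicious", "suspicious"}   # assumption: what "flagged" means

# Constructed indicator set (RFC 5737 documentation addresses, not real data).
INDICATORS = {
    "203.0.113.10": "malicious",
    "203.0.113.20": "suspicious",
    "198.51.100.5": "benign",
}

# Constructed auth log, one event per line: "<ISO time> <source IP> <outcome>".
SAMPLE_LOG = """\
2026-03-10T09:00:00 203.0.113.10 blocked
2026-03-10T09:01:00 203.0.113.10 allowed
2026-03-10T09:02:00 203.0.113.10 blocked
2026-03-10T09:04:00 203.0.113.10 blocked
2026-03-10T09:06:00 203.0.113.10 blocked
2026-03-10T09:08:00 203.0.113.10 blocked
2026-03-10T09:09:00 203.0.113.10 blocked
2026-03-10T09:00:00 203.0.113.20 blocked
2026-03-10T09:10:00 203.0.113.20 blocked
2026-03-10T09:20:00 203.0.113.20 blocked
2026-03-10T09:30:00 203.0.113.20 blocked
2026-03-10T09:40:00 203.0.113.20 blocked
2026-03-10T09:00:00 198.51.100.5 blocked
2026-03-10T09:00:30 198.51.100.5 blocked
2026-03-10T09:01:00 198.51.100.5 blocked
2026-03-10T09:01:30 198.51.100.5 blocked
2026-03-10T09:02:00 198.51.100.5 blocked
"""

def detect_bruteforce(log_text, indicators=INDICATORS):
    """Return one alert per burst of THRESHOLD+ blocked logins inside WINDOW."""
    events = []
    for line in log_text.splitlines():
        ts, ip, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, outcome))
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    active = set()                # IPs already alerted for the current burst
    alerts = []
    for ts, ip, outcome in sorted(events):
        if outcome != "blocked" or indicators.get(ip) not in FLAGGED:
            continue              # only blocked attempts from flagged IPs count
        seen = recent[ip]
        seen.append(ts)
        while ts - seen[0] > WINDOW:      # slide the window forward
            seen.popleft()
        if len(seen) < THRESHOLD:
            active.discard(ip)            # burst over, allow a later alert
        elif ip not in active:
            active.add(ip)
            alerts.append({"ip": ip, "classification": indicators[ip],
                           "first": seen[0], "last": ts, "count": len(seen)})
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Only 203.0.113.10 alerts: the suspicious IP's five attempts are spread over 40 minutes, and the benign IP's burst is ignored because it is not flagged.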
GreyNoise IP Checker Helps Users Detect Botnet Activity on Home networks.
Cybersecurity firm GreyNoise has launched a free, web-based tool that helps users determine whether their home internet connection participates in malicious activity. The GreyNoise IP Checker answers a question most users never consider: is my router secretly attacking other devices online?
Residential IPs are increasingly exploited.
Over the past year, residential IP compromise has surged. GreyNoise reports a rise in residential proxy networks that convert home internet connections into exit points for malicious traffic. Attackers achieve this quietly through:
* Malware hidden in browser extensions or deceptive apps
* Vulnerabilities in home routers or IoT devices
The danger lies in the fact that victims rarely notice the activity. Users' devices appear to function normally - streaming continues, browsing works - but in the background, the network may perform vulnerability scans, brute-force attacks, or other malicious operations. GreyNoise explains: "You're not the target - you're the weapon."
How the GreyNoise IP Checker works.
The GreyNoise IP Checker is available at check.labs.greynoise.io. It does not require registration or collect personal data. The tool analyzes your current IP address against GreyNoise's vast database of internet "background radiation" - the continuous scans and probes that sweep across the web.
After scanning, the tool gives one of three results:
* Clean - The IP shows no evidence of scanning or malicious activity. Most residential networks fall into this category.
* Malicious/Suspicious - The IP shows scanning or brute-force activity. GreyNoise provides a 90-day timeline, revealing when the activity occurred and the type of behavior (e.g., SSH probing or database targeting).
* Common Business Service - The IP belongs to a corporate network, VPN, or data center, which may produce background traffic but typically poses no threat.
Benefits for everyday users.
GreyNoise promotes this tool as ideal for the "Holiday Tech Support" season. Family members who manage home tech can quickly verify if routers, smart TVs, or other IoT devices participate in suspicious activity. In thirty seconds, users receive:
* Clear confirmation of network security status
* Evidence of compromise to guide firmware updates or security patches
* A faster alternative to guessing about viruses or malware
Advanced use for IT administrators.
Technical users and IT teams can use the programmatic API. By querying the service with curl, administrators can receive structured JSON data, which allows integration into:
* MDM (Mobile Device Management) systems
* VPN connection scripts
* Automated security routines for devices on untrusted networks
These features let IT teams monitor and secure endpoints proactively, helping prevent residential or corporate IPs from participating in botnet activity.
Making invisible threats visible.
Residential IP compromise remains invisible to most users. GreyNoise's new tool changes that by offering enterprise-level threat intelligence to everyday users. By checking IP reputation, users can identify compromised devices and secure home networks against malicious activity. With the increase of IoT devices and smart home technology, tools like the GreyNoise IP Checker become critical for protecting residential networks from hidden cyber threats.
GreyNoise IP Check tool launched to detect botnet activity.
GreyNoise Labs has launched a new free tool called GreyNoise IP Check that allows users to determine if their IP address has been observed as part of malicious scanning operations, such as those conducted by botnets and residential proxy networks.
Identifying Malicious Network Activity
The threat monitoring firm, which tracks internet-wide activity via a global sensor network, noted that this problem has grown significantly. Many users are unknowingly participating in malicious online activity. GreyNoise explains that over the past year, residential proxy networks have exploded, turning home internet connections into exit points for other people's traffic. While some individuals knowingly install software for this in exchange for money, it is more often caused by malware that sneaks onto devices, usually via nefarious apps or browser extensions, quietly turning them into nodes in someone else's infrastructure.
While traditional methods exist to detect botnet activity, such as examining device logs and network traffic, checking the IP address via a simple web tool is the least intrusive method for the average user. Users visiting the scanner's webpage will receive one of three possible results:
* Clean: No malicious scanning activity detected.
* Malicious/Suspicious: The IP has shown scanning behavior. Users should investigate devices on their network.
* Common Business Service: The IP belongs to a VPN, corporate network, or cloud provider, where scanning activity is normal for those environments.
When any activity is correlated with the provided IP address, the platform includes a 90-day historical timeline. This helps pinpoint a potential infection point, such as when the installation of a bandwidth-sharing client or a shady application precedes malicious scanning, enabling remediation action.
For more technical users, GreyNoise also provides an unauthenticated, rate-limit-free JSON API accessible via curl. This can be easily integrated into custom scripts or automated checking systems.