GreyNoise MCP server
Classify internet noise, enrich IPs, and track CVE exploitation activity.
About
Connect Tracecat to GreyNoise to separate targeted activity from background internet scanning noise for SOC analysts triaging firewall and IDS alerts. You can run a quick IP check or batch-check up to 100 addresses to drop opportunistic scanners early. From there, enrich the survivors with full context, pivot on tags and ASNs, and ground CVE response in real exploitation telemetry with confidence.
Setup
1. Create an API key
   The GreyNoise MCP server uses an Enterprise API key. The key is read from the `GREYNOISE_API_KEY` environment variable on the host running the server, or stored in the OS keychain when installed as a Claude Desktop MCPB extension.
2. Select the GreyNoise tile in the Tracecat MCP catalog
   Open the MCP catalog in your workspace, select the GreyNoise tile, and paste your API key.
3. Enable GreyNoise in your agent
   In your `ai.agent` action or Agents → tools tab, select GreyNoise from the MCP integrations dropdown.
Tools
- `lookup-ip-context`: Full IP reputation, tags, ASN, and first/last seen context for a single address.
- `quick-check-ip`: Fast noise versus legitimate service classification for a single IP.
- `multi-ip-check`: Batch noise check for up to 100 IPs at once.
- `riot-lookup`: Identify common business services (Microsoft, Google, CDNs) tied to an IP.
- `get-tag-list`: Enumerate every GreyNoise tag, including malicious scanners and benign crawlers.
- `get-tag-details`: Fetch description, intention, and references for a specific tag.
- `get-tag-activity`: Trend data on how many IPs are currently scanning under a tag.
- `get-trending-vulnerabilities`: List CVEs with active in-the-wild exploitation observed by GreyNoise sensors.
- `gnql-stats`: Run a GreyNoise Query Language statistical query across the sensor network.
- `get-cve-details`: Pull exploitation timeline, scanner counts, and tag references for a CVE.