GreyNoise MCP server
Classify internet noise, enrich IPs, and track CVE exploitation activity.
About
Connect Tracecat to GreyNoise so SOC analysts triaging firewall and IDS alerts can separate targeted activity from background internet scanning noise. You can run a quick IP check or batch-check up to 100 addresses to drop opportunistic scanners early. From there, enrich the survivors with full context, pivot on tags and ASNs, and ground CVE response in real exploitation telemetry.
Setup
1. Create an API key
   The GreyNoise MCP server uses an Enterprise API key. The key is read from the `GREYNOISE_API_KEY` environment variable on the host running the server, or stored in the OS keychain when installed as a Claude Desktop MCPB extension.
2. Select the GreyNoise tile in the Tracecat MCP catalog
   Open the MCP catalog in your workspace, select the GreyNoise tile, and paste your API key.
3. Enable GreyNoise in your agent
   In your `ai.agent` action or Agents → tools tab, select GreyNoise from the MCP integrations dropdown.
Tools
| Tool | Description |
| --- | --- |
| lookup-ip-context | Full IP reputation, tags, ASN, and first/last seen context for a single address. |
| quick-check-ip | Fast noise versus legitimate service classification for a single IP. |
| multi-ip-check | Batch noise check for up to 100 IPs at once. |
| riot-lookup | Identify common business services (Microsoft, Google, CDNs) tied to an IP. |
| get-tag-list | Enumerate every GreyNoise tag, including malicious scanners and benign crawlers. |
| get-tag-details | Fetch description, intention, and references for a specific tag. |
| get-tag-activity | Trend data on how many IPs are currently scanning under a tag. |
| get-trending-vulnerabilities | List CVEs with active in-the-wild exploitation observed by GreyNoise sensors. |
| gnql-stats | Run a GreyNoise Query Language statistical query across the sensor network. |
| get-cve-details | Pull exploitation timeline, scanner counts, and tag references for a CVE. |