Overview
Any internet-facing system receives a constant barrage of automated probes: vulnerability scanners, search engine crawlers, botnet check-ins, research platforms, and opportunistic exploit attempts that hit every reachable IP indiscriminately. For a SOC analyst, this background noise is a serious problem. When Shodan, Censys, and mass-scanning botnets generate thousands of IDS alerts per day, the actually targeted activity gets buried. GreyNoise solves this by cataloguing the noise. The platform continuously observes which IP addresses are conducting mass internet scanning and tags them, so analysts know whether a probe originated from a known background scanner or from something that specifically chose their system.
Argus integrates GreyNoise to filter known benign scanners out of IDS alert queues and to classify unknown sources of probing activity as either background noise or a targeted threat.
Key Features
IP Noise Classification
Query GreyNoise via queryGreynoise and persist the returned record, including classification, noise/RIOT flags, actor attribution when present, tags, and last seen date. This gives analysts a durable GreyNoise context record inside Argus rather than a transient external lookup.
Tag-Based Context
GreyNoise tags identify the nature of the scanning activity: scanner, exploit, worm, botnet, brute-force, tor-exit, vpn, cdn, and others. These tags surface directly on Argus records, allowing analysts to immediately understand why a source IP appeared in Suricata alerts or network logs without running a separate enrichment step.
Suricata Alert Noise Reduction
Cross-referencing Suricata alert source IPs against GreyNoise classifications automatically identifies alerts from known mass scanners, allowing SOC teams to suppress known-noise alerts and focus analyst time on unknown or malicious sources. The combination of Suricata and GreyNoise dramatically reduces false positive volume in high-traffic monitoring environments, typically cutting daily triage load by 30 to 60 percent.
Clearance-Filtered Records
In intelligence environments, GreyNoise data enriched with classified network context carries secrecy_level tags restricting access to cleared personnel.
Use Cases
- Alert Triage Acceleration: Automatically mark Suricata alerts from GreyNoise-classified benign scanners as low priority, reducing daily triage volume by 30-60% in internet-facing environments.
- Targeted Attack Identification: IPs that appear in IDS alerts but are absent from GreyNoise (that is, not part of the catalogued background noise) warrant immediate investigation, as they are more likely to represent targeted activity.
- IOC Vetting: Before publishing an IP indicator to a MISP feed, verify it is not a known legitimate scanner. GreyNoise prevents false positives from polluting shared threat intelligence feeds.
- Botnet Mapping: GreyNoise's botnet tracking tags can seed MISP events identifying active botnet C2 infrastructure, contributing to community-level threat intelligence.
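The alert noise reduction and IOC vetting workflows described above, written out as an added example in Python. This is not Argus project code and it does not call the real GreyNoise or Argus APIs: GREYNOISE_CONTEXT is a constructed stand-in for the persisted GreyNoise records (field names assumed from the record the page describes), the EVE JSON lines are constructed, and every function name is hypothetical.

```python
"""Cross-reference Suricata EVE JSON alerts against GreyNoise-style context
records to mark known-noise alerts, and vet an IP before it is published as an
indicator. Added example, standard library only; not Argus or GreyNoise code."""
import json
from collections import Counter

# Constructed sample GreyNoise context keyed by source IP. Field names are
# assumed (classification, noise/RIOT flags, actor, tags, last_seen); the
# values are made up and the addresses are documentation ranges.
GREYNOISE_CONTEXT = {
    "198.51.100.10": {"classification": "benign", "noise": True, "riot": False,
                      "actor": "Example Search Crawler", "tags": ["scanner", "web crawler"],
                      "last_seen": "2026-04-10"},
    "198.51.100.20": {"classification": "malicious", "noise": True, "riot": False,
                      "actor": None, "tags": ["exploit", "botnet"],
                      "last_seen": "2026-04-13"},
    "198.51.100.30": {"classification": "unknown", "noise": False, "riot": True,
                      "actor": None, "tags": ["cdn"], "last_seen": "2026-04-12"},
}

# Constructed Suricata EVE JSON output, one object per line. Line 2 is a flow
# record (not an alert) and the last line is truncated; both must be skipped.
EVE_LINES = """\
{"timestamp":"2026-04-14T08:00:01.000000+0000","event_type":"alert","src_ip":"198.51.100.10","dest_ip":"203.0.113.5","dest_port":443,"proto":"TCP","alert":{"signature":"CONSTRUCTED SCAN Web Crawler User-Agent","severity":3}}
{"timestamp":"2026-04-14T08:00:02.000000+0000","event_type":"flow","src_ip":"198.51.100.10","dest_ip":"203.0.113.5","dest_port":443,"proto":"TCP"}
{"timestamp":"2026-04-14T08:00:03.000000+0000","event_type":"alert","src_ip":"198.51.100.20","dest_ip":"203.0.113.5","dest_port":80,"proto":"TCP","alert":{"signature":"CONSTRUCTED EXPLOIT Generic Web Attack","severity":1}}
{"timestamp":"2026-04-14T08:00:04.000000+0000","event_type":"alert","src_ip":"198.51.100.30","dest_ip":"203.0.113.5","dest_port":443,"proto":"TCP","alert":{"signature":"CONSTRUCTED POLICY CDN Edge Probe","severity":3}}
{"timestamp":"2026-04-14T08:00:05.000000+0000","event_type":"alert","src_ip":"192.0.2.77","dest_ip":"203.0.113.5","dest_port":22,"proto":"TCP","alert":{"signature":"CONSTRUCTED SCAN SSH Version Probe","severity":2}}
{"timestamp":"2026-04-14T08:00:06
"""


def classify_alert(src_ip, context):
    """Map one alert source IP onto a triage label using its GreyNoise context."""
    record = context.get(src_ip)
    if record is None:
        # Not catalogued by GreyNoise: not known background noise, so the probe
        # is more likely to have chosen this host deliberately.
        return "unknown-investigate"
    if record["classification"] == "malicious":
        return "malicious"
    if record["riot"] or record["classification"] == "benign":
        # RIOT marks common business services; benign covers known good scanners.
        return "known-noise"
    # Seen mass-scanning, but GreyNoise has not classified it either way.
    return "noise-review"


def triage_eve(eve_text, context):
    """Parse EVE JSON lines, keep alert events, annotate each with a triage label."""
    results = []
    for raw in eve_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # truncated or corrupt line: skip it, do not abort the batch
        if event.get("event_type") != "alert":
            continue
        src_ip = event["src_ip"]
        label = classify_alert(src_ip, context)
        results.append({
            "timestamp": event["timestamp"],
            "src_ip": src_ip,
            "signature": event["alert"]["signature"],
            "triage": label,
            "suppressed": label == "known-noise",
            "tags": (context.get(src_ip) or {}).get("tags", []),
        })
    return results


def triage_summary(results):
    """Count annotated alerts per triage label."""
    return dict(Counter(r["triage"] for r in results))


def vet_indicator(ip, context):
    """IOC vetting before publishing to a shared feed: returns (publishable, reason)."""
    record = context.get(ip)
    if record is None:
        return True, "not catalogued by GreyNoise as a mass scanner"
    if record["riot"]:
        return False, "RIOT: common business service, would pollute the feed"
    if record["classification"] == "benign":
        return False, f"benign scanner ({record['actor'] or 'unattributed'})"
    return True, f"classification={record['classification']}, tags={record['tags']}"


if __name__ == "__main__":
    rows = triage_eve(EVE_LINES, GREYNOISE_CONTEXT)
    for row in rows:
        print(row)
    print(triage_summary(rows))
    for ip in ("198.51.100.10", "198.51.100.20", "198.51.100.30", "192.0.2.77"):
        print(ip, vet_indicator(ip, GREYNOISE_CONTEXT))
```

Two design points carry over to a real deployment: a source that GreyNoise has never seen is deliberately not treated as noise (it gets the highest-priority label), and an IP is only refused publication when GreyNoise positively marks it as benign or RIOT, so unknown addresses still reach the feed.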
Integration
Available via GraphQL: greynoiseRecords, greynoiseStats (queries); queryGreynoise (mutation). All operations require authentication and organisation scoping.
Compatible with GreyNoise Enterprise API v3. Works alongside Shodan (exposure detail), Suricata (alert enrichment), MISP (IOC vetting before community sharing), and SpiderFoot (comprehensive OSINT pipelines). GreyNoise records feed into OpenCTI for structured threat intelligence management and connect to the broader Argus provider orchestration layer, which covers 153 third-party integrations.
Open Standards
- GraphQL (June 2018 specification): all GreyNoise intelligence operations, the greynoiseRecords and greynoiseStats queries and the queryGreynoise mutation, are exposed exclusively through the Argus GraphQL API, with strongly typed schemas enforcing organisation-scoped access control.
- JSON (RFC 8259): the GreyNoise API returns IP context payloads as JSON, which the integration client parses directly; all persisted records and API responses are serialised in JSON throughout the pipeline.
- OAuth 2.0 Bearer Token (RFC 6750): the GreyNoise API client authenticates every outbound request using an Authorization: Bearer header, and all inbound Argus API calls require an authenticated session enforced via IsAuthenticated permission classes.
- Suricata EVE JSON: Suricata IDS alert batches are ingested via the ingestSuricataEve mutation in EVE JSON log format; GreyNoise classifications are then applied to source IPs in those alerts to suppress known-noise entries and surface targeted activity.
- MISP Core Format: GreyNoise-vetted indicators are exported to MISP instances as structured threat intelligence events, and the IOC vetting workflow checks each IP against GreyNoise before an indicator is published to any community MISP feed.
- STIX 2.1 (OASIS): enriched GreyNoise records are emitted as operational THREAT entities through the shared interoperability bridge, which serialises outbound intelligence to STIX 2.1 Indicator and Report SDOs for consumption by OpenCTI and other STIX-aware platforms.
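What the STIX 2.1 emission step produces, as an added example in Python using only the standard library. This is not the Argus interoperability bridge's own code and does not use the stix2 library; the input record's field names (ip, classification, actor, tags, last_seen) and all function names are assumptions, and the sample records are constructed.

```python
"""Serialise GreyNoise-style context records as STIX 2.1 Indicator and Report
SDOs inside a Bundle. Added example; not Argus or GreyNoise code."""
import ipaddress
import uuid
from datetime import datetime, timezone

# Fixed clock so the output is reproducible in the demo below.
FIXED_TIME = datetime(2026, 4, 14, 8, 0, 1, 250000, tzinfo=timezone.utc)

# GreyNoise classification -> STIX 2.1 indicator-type open vocabulary entries.
INDICATOR_TYPES = {"malicious": ["malicious-activity"], "benign": ["benign"]}

# Required properties per STIX 2.1 object type, checked before emission.
REQUIRED = {
    "indicator": ("type", "spec_version", "id", "created", "modified",
                  "pattern", "pattern_type", "valid_from"),
    "report": ("type", "spec_version", "id", "created", "modified",
               "name", "published", "object_refs"),
}


def stix_timestamp(dt):
    """STIX 2.1 timestamp: RFC 3339 in UTC, millisecond precision, 'Z' suffix."""
    u = dt.astimezone(timezone.utc)
    return u.strftime("%Y-%m-%dT%H:%M:%S.") + f"{u.microsecond // 1000:03d}Z"


def greynoise_to_indicator(record, now):
    """Build a STIX 2.1 Indicator SDO from one context record (field names assumed)."""
    # Reject anything that is not an IPv4 address before it reaches the pattern;
    # raises ValueError (AddressValueError) on junk input.
    ip = str(ipaddress.IPv4Address(record["ip"]))
    ts = stix_timestamp(now)
    classification = record.get("classification", "unknown")
    actor = record.get("actor") or "unattributed"
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",  # SDO ids use UUIDv4
        "created": ts,
        "modified": ts,
        "name": f"GreyNoise {classification}: {ip}",
        "description": f"Mass-scanning source catalogued by GreyNoise; actor={actor}; "
                       f"last seen {record.get('last_seen', 'unknown')}.",
        "indicator_types": INDICATOR_TYPES.get(classification, ["unknown"]),
        "pattern": f"[ipv4-addr:value = '{ip}']",
        "pattern_type": "stix",
        "pattern_version": "2.1",
        "valid_from": ts,
        "labels": [f"greynoise:{tag}" for tag in record.get("tags", [])],
    }


def build_report(indicators, now, name="GreyNoise mass-scanner context"):
    """Build a STIX 2.1 Report SDO that references every emitted Indicator."""
    ts = stix_timestamp(now)
    return {
        "type": "report",
        "spec_version": "2.1",
        "id": f"report--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "report_types": ["threat-report"],
        "published": ts,
        "object_refs": [ind["id"] for ind in indicators],
    }


def check_required(sdo):
    """Return the required STIX 2.1 properties missing from an SDO (empty means it passes)."""
    return [p for p in REQUIRED[sdo["type"]] if p not in sdo]


def emit_bundle(records, now=None):
    """Return a STIX 2.1 Bundle (dict) holding one Indicator per record plus a Report."""
    now = now or datetime.now(timezone.utc)
    indicators = [greynoise_to_indicator(r, now) for r in records]
    objects = indicators + [build_report(indicators, now)]
    for sdo in objects:
        missing = check_required(sdo)
        if missing:
            raise ValueError(f"{sdo['type']} is missing required properties {missing}")
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


# Constructed sample records; not real GreyNoise data.
SAMPLE_RECORDS = [
    {"ip": "198.51.100.20", "classification": "malicious", "actor": None,
     "tags": ["exploit", "botnet"], "last_seen": "2026-04-13"},
    {"ip": "198.51.100.10", "classification": "benign", "actor": "Example Search Crawler",
     "tags": ["scanner"], "last_seen": "2026-04-10"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(emit_bundle(SAMPLE_RECORDS, FIXED_TIME), indent=2))
```

The pattern is built only after the address has been parsed as IPv4, so a malformed or injected value from an upstream record cannot end up inside the STIX pattern string, and the required-property check runs before anything is handed to a consumer such as OpenCTI.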
Last Reviewed: 2026-03-18
Last Updated: 2026-04-14