
GreyNoise is launching a new SIEM and SOAR integration — with improved dashboards, detection rules, playbooks, and webhook support
Your SIEM ingests everything. Every port scan, every crawl, every opportunistic spray across the internet. The problem isn't the collection — it's context. Which of those IPs are scanning everyone, and which ones are targeting you?
That's the question GreyNoise answers. We observe over 800,000 unique IPs daily across 5,000+ sensors in 80+ countries, classifying each as malicious, suspicious, benign, or unknown, and tagging them with 3,000+ behavioral descriptors. Traditional threat feeds add more indicators to investigate. GreyNoise removes the ones that don't matter.
Today, as a Google Integration partner, we're announcing a new and improved integration with Google SecOps that spans both SIEM and SOAR — delivering standardized indicator ingestion, pre-built dashboards, YARA-L detection rules, saved searches, SOAR response actions, webhook support, and ready-to-deploy playbooks.
What's New: SIEM
New Ingestion Script
The GreyNoise ingestion script now lives in Google's official Chronicle ingestion-scripts repository — a standardized process for importing threat intelligence indicators into your environment. Deployed as a Google Cloud Function, it pulls IP reputation data and GNQL query results from the GreyNoise API and ingests them via the Chronicle Ingestion API. The default configuration focuses on malicious IPs observed in the last 24 hours, but teams can customize the GNQL query to match their threat profile.
New Dashboards
Two interactive dashboards ship with the integration, ready to import into Google SecOps:
Indicator Dashboard — 15+ visualization panels covering classification distribution (Malicious, Suspicious, Benign, Unknown), top 10 rankings for organizations, actors, tags, ASNs, categories, operating systems, and source countries, plus CVE distribution, trend analysis, and business service intelligence.
Correlation Dashboard — Shows IOC matches between GreyNoise intelligence and events from your environment, with geolocation mapping, event match trends, classification breakdowns, and top IP indicator rankings.
New YARA-L Detection Rules
Three ready-to-deploy rules that start correlating immediately:
- IP Match — Detects events where a source or principal IP matches a malicious or suspicious GreyNoise indicator, correlating over a 1-hour window.
- Inbound Network Traffic with ASN Context — High-severity rule monitoring firewall logs for permitted inbound connections from GreyNoise-flagged malicious IPs, enriched with ASN attribution.
- Brute Force Attack Detection — High-severity rule flagging 5+ blocked login attempts from GreyNoise-flagged IPs within a 15-minute window.
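The brute-force rule above correlates two things: a count of blocked logins inside a sliding 15-minute window, and a GreyNoise classification of malicious or suspicious on the source IP. The following Python is an added illustration of that logic, not code from the GreyNoise or Google integration; the indicator context, ASNs and events are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed GreyNoise-style context keyed by source IP (not real GreyNoise data);
# the classification values are the four the announcement lists.
GREYNOISE_INDICATORS = {
    "203.0.113.10": {"classification": "malicious", "asn": "AS64500"},
    "198.51.100.7": {"classification": "suspicious", "asn": "AS64501"},
    "192.0.2.55": {"classification": "benign", "asn": "AS64502"},
}
FLAGGED = {"malicious", "suspicious"}
BASE = datetime(2024, 5, 1, 10, 0)

# Constructed login events: (minutes after BASE, source IP, firewall action).
SAMPLE_EVENTS = [
    (0, "203.0.113.10", "BLOCK"), (1, "203.0.113.10", "ALLOW"),  # ALLOW is not counted
    (2, "203.0.113.10", "BLOCK"), (4, "203.0.113.10", "BLOCK"),
    (6, "203.0.113.10", "BLOCK"), (8, "203.0.113.10", "BLOCK"),  # 5th block in 8 min -> alert
    (0, "198.51.100.7", "BLOCK"), (2, "198.51.100.7", "BLOCK"),
    (4, "198.51.100.7", "BLOCK"), (6, "198.51.100.7", "BLOCK"),
    (22, "198.51.100.7", "BLOCK"),  # first four are >15 min old by now -> no alert
    (0, "192.0.2.55", "BLOCK"), (1, "192.0.2.55", "BLOCK"), (2, "192.0.2.55", "BLOCK"),
    (3, "192.0.2.55", "BLOCK"), (4, "192.0.2.55", "BLOCK"),  # benign per GreyNoise -> ignored
    (0, "10.0.0.9", "BLOCK"), (1, "10.0.0.9", "BLOCK"), (2, "10.0.0.9", "BLOCK"),
    (3, "10.0.0.9", "BLOCK"), (4, "10.0.0.9", "BLOCK"),  # no GreyNoise context -> ignored
]

def detect_brute_force(events, indicators, threshold=5, window=timedelta(minutes=15)):
    """Emit one alert per source IP whose blocked logins reach `threshold` within
    `window`, restricted to IPs GreyNoise classifies as malicious or suspicious."""
    recent = defaultdict(deque)  # ip -> timestamps of blocked logins still inside the window
    alerts = []
    for minutes, ip, action in sorted(events, key=lambda e: e[0]):
        ctx = indicators.get(ip)
        if action != "BLOCK" or ctx is None or ctx["classification"] not in FLAGGED:
            continue
        ts = BASE + timedelta(minutes=minutes)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # slide the window: drop blocks older than `window`
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"ip": ip, "classification": ctx["classification"],
                           "asn": ctx["asn"], "attempts": len(q),
                           "first_seen": q[0].isoformat(), "last_seen": ts.isoformat()})
            q.clear()  # one alert per burst; a new burst must reach the threshold again
    return alerts

if __name__ == "__main__":
    print(detect_brute_force(SAMPLE_EVENTS, GREYNOISE_INDICATORS))
```

Only the malicious IP produces an alert: the suspicious IP's fifth block arrives after its earlier four have aged out of the window, and the benign and unknown IPs are never counted regardless of volume.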
New Saved Searches
Four pre-built UDM queries for investigation workflows:
- IP Risk & Vulnerability Details — Classification, anonymization signals, CVEs, and activity timelines
- Indicator Context Summary — Actor attribution, geographic details, organizations, and tags
- High Risk Indicators — Filters for MALICIOUS or SUSPICIOUS classifications only
- All Indicator Lookup — Browse all ingested GreyNoise indicators for ad-hoc investigation
What's New: SOAR
Updated Response Actions (v7.0)
The GreyNoise SOAR response integration has been updated to version 7.0 with the full suite of actions:
New Webhook Support
A major addition: webhook support for ingesting GreyNoise alerts and event feeds directly into Google SecOps SOAR. Three webhook types are now available:
- Alert Webhook — Ingests IP, CVE, TAG, and GNQL Query alerts
- IP Change Webhook — Tracks classification changes in real time
- CVE/Tag Webhook — Monitors CVE spikes, status changes, vendor activity, and tag spikes
New SOAR Playbooks
Pre-built playbooks ship with the integration, providing ready-made automation workflows that teams can deploy or customize. Combined with the webhook connectors and the Generate Alert from GreyNoise GNQL connector, security teams can build end-to-end automated triage pipelines.
How It Works Together
The SIEM and SOAR components work as a unified pipeline:
1. Ingest — The SIEM integration continuously pulls GreyNoise indicators into Google SecOps with fresh scanner data.
2. Detect — YARA-L detection rules flag events that correlate with known scanners. Dashboards provide visual context.
3. Investigate — Saved searches surface IP risk details, actor attribution, and CVE context without writing queries.
4. Respond — SOAR playbooks enrich flagged IPs automatically. Mass scanners get deprioritized. Targeted activity escalates for review.
Webhooks close the loop by pushing GreyNoise alerts — including classification changes and CVE spikes — directly into SOAR for immediate action.
Who Has Access
This integration is available to any joint Google SecOps customer with a GreyNoise API key. No additional licensing required — just configure and go.
Learn More and Get Started
Ready to bring GreyNoise intelligence into your Google SecOps environment? Learn more here:
- SIEM Integration Guide
- SOAR Integration Guide
- SIEM Resources (Dashboards, Rules, Searches)
- Google Chronicle Ingestion Script

Facts Only

GreyNoise is launching an updated integration with Google SecOps, covering both SIEM and SOAR functionalities.
The integration includes standardized indicator ingestion, dashboards, YARA-L detection rules, saved searches, SOAR response actions, webhook support, and pre-built playbooks.
GreyNoise observes over 800,000 unique IPs daily across 5,000+ sensors in 80+ countries.
The new ingestion script is hosted in Google’s official Chronicle ingestion-scripts repository and deployed as a Google Cloud Function.
Two interactive dashboards are provided: an Indicator Dashboard and a Correlation Dashboard.
Three YARA-L detection rules are included: IP Match, Inbound Network Traffic with ASN Context, and Brute Force Attack Detection.
Four pre-built UDM queries are available for investigation workflows.
The SOAR integration has been updated to version 7.0, featuring webhook support for alerts, IP classification changes, and CVE/Tag monitoring.
Pre-built playbooks are included for automated triage pipelines.
The integration is available to joint Google SecOps and GreyNoise customers with a GreyNoise API key.
No additional licensing is required beyond the API key.
Documentation and resources are provided for setup and deployment.

Executive Summary

GreyNoise has launched an enhanced integration with Google SecOps, combining SIEM and SOAR capabilities to improve threat detection and response. The integration includes standardized ingestion scripts, interactive dashboards, YARA-L detection rules, and pre-built playbooks, all designed to provide context around internet-wide scanning activity. GreyNoise observes over 800,000 unique IPs daily, classifying them as malicious, suspicious, benign, or unknown, and enriching them with behavioral descriptors. The SIEM component features new ingestion scripts hosted in Google’s official repository, dashboards for indicator and correlation analysis, and detection rules for IP matches, inbound traffic, and brute force attacks. The SOAR component introduces webhook support for real-time alerts, updated response actions, and ready-to-deploy playbooks. The unified pipeline allows for continuous ingestion, detection, investigation, and automated response, with webhooks closing the loop by pushing alerts directly into SOAR workflows. The integration is available to joint Google SecOps and GreyNoise customers with an API key, requiring no additional licensing.
The offering addresses a key challenge in cybersecurity: distinguishing between mass scanners targeting the entire internet and focused threats targeting specific organizations. By filtering out benign or irrelevant activity, GreyNoise aims to reduce noise and prioritize actionable threats. The integration leverages Google’s Chronicle platform for ingestion and Google SecOps for orchestration, providing a streamlined workflow for security teams. While the tools are designed to enhance efficiency, their effectiveness will depend on proper configuration and the quality of the underlying threat intelligence.

Full Take

**STEELMAN:** GreyNoise’s integration with Google SecOps presents a compelling solution to a well-documented problem in cybersecurity: the overwhelming volume of noise in threat detection. By leveraging its vast sensor network and behavioral classification system, GreyNoise offers a way to filter out benign or mass-scanning activity, allowing security teams to focus on targeted threats. The integration’s standardized ingestion, pre-built dashboards, and automated playbooks reduce the operational burden on analysts, while webhook support ensures real-time responsiveness. This is a pragmatic approach to improving signal-to-noise ratios in SIEM environments, particularly for organizations drowning in alert fatigue.
**PATTERN SCAN:** The narrative leans heavily on authority and technical credibility, framing GreyNoise as an essential layer of context in an otherwise chaotic threat landscape. While the claims are substantiated by specific features and metrics (e.g., 800,000 IPs daily, 3,000+ behavioral descriptors), the presentation risks oversimplifying the complexities of threat intelligence. The emphasis on "removing indicators that don’t matter" could inadvertently downplay the nuance required in threat analysis—what’s benign in one context may be malicious in another. Additionally, the integration’s reliance on Google’s ecosystem may create a vendor lock-in dynamic, subtly reinforcing the idea that security efficacy is tied to specific platforms.
**ROOT CAUSE:** The underlying paradigm here is the commodification of threat intelligence as a service, where context is the product. GreyNoise’s model assumes that mass internet scanning is largely noise, which is true for many organizations, but it also assumes that its classification system is universally applicable. This reflects a broader industry trend toward automation and outsourcing of judgment calls—efficient, but not without trade-offs in adaptability.
**IMPLICATIONS:** For security teams, this integration could significantly reduce manual triage time, but it also shifts trust to GreyNoise’s classification algorithms. The benefit is clear for resource-constrained teams, but over-reliance on automated filtering might obscure edge cases or novel attack vectors. The second-order effect could be a homogenization of threat detection strategies, where organizations adopt similar playbooks and dashboards, potentially creating blind spots that adversaries could exploit.
**BRIDGE QUESTIONS:**
How does GreyNoise’s classification system handle false positives or negatives, particularly in edge cases where an IP’s behavior changes rapidly?
What safeguards exist to prevent over-reliance on automated filtering, which might miss sophisticated, low-volume threats?
How does this integration account for organizational differences in risk tolerance and threat models?
**COUNTERSTRIKE SCAN:** If this were part of a coordinated influence campaign, the playbook would emphasize the inevitability of automation in cybersecurity, framing manual analysis as outdated and error-prone. The narrative would downplay the limitations of behavioral classification systems while highlighting the efficiency gains, creating a sense of urgency to adopt the solution. However, the actual content does not exhibit this pattern. It presents a balanced view of the tool’s capabilities and constraints, focusing on practical utility rather than fear-based persuasion.
**Patterns detected: none**