GreyNoise Enterprise and GreyNoise Community

Important

Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

GreyNoise Enterprise is a cybersecurity platform that collects and analyzes Internet-wide scan and attack data to provide valuable insights into potential threats. GreyNoise integration enables you to use the GreyNoise database to enhance your organization's security posture, identify emerging threats, and prioritize response efforts. You can use either the GreyNoise Enterprise or GreyNoise Community plugin with Copilot for Security to get information about IP addresses, scanning activity, and attacker behaviors.

Set up the GreyNoise plugin

Integration with Copilot for Security works with a GreyNoise account and an API key. Depending on the plan you choose, you might have a limit on how many queries you can run using your API Key.

  1. Get your GreyNoise credentials and API key. If you don't have them yet, follow these steps:

    1. Go to the GreyNoise website and create your account.

      You can start with a free account to obtain a community API Key, or purchase a subscription to obtain an enterprise API Key.

    2. In GreyNoise Visualizer, in the upper right corner, select your name, and then select My API Key.

    3. Copy your API Key.

  2. Sign in to Microsoft Copilot for Security.

  3. Access Manage Plugins by selecting the Plugin button from the prompt bar.

  4. Take one of the following steps:

    • If you purchased a GreyNoise enterprise subscription, turn GreyNoise Enterprise Plugin on.
    • If you're using a free GreyNoise account, turn GreyNoise Community Plugin on.
  5. Select the Settings icon, and in the Value field, paste your API Key, and then select Save.

Use the GreyNoise plugin

After you set up your GreyNoise plugin, you can use it by typing a skill name in your prompt bar in Copilot for Security. For example, you can type LookupIpAddressNoise.

The following list summarizes the skills, example prompts, and what each skill does.

LookupIpAddressNoise (works with either GreyNoise Enterprise or GreyNoise Community)

Required Input: IP Address (v4 or v6)

Example prompts:

- Tell me about Ip address "118.25.6.39" using the GreyNoise database

- Use the GreyNoise database to provide info on "118.25.6.39"

- What does the GreyNoise database say about the IP address 180.126.219.127?

- I'm curious about any GreyNoise records for the IP address 180.126.219.127. Can you look that up for me?

- Can you provide me with information on any GreyNoise reports for the IP address 180.126.219.127?

- I'd like to know if there are any GreyNoise entries for the IP address 180.126.219.127. Can you check that for me?

- Could you give me an overview of the GreyNoise record for the IP address 180.126.219.127?

What it does: Retrieves noise information about the provided IP address. Returns the following kinds of information:

- IP address classification, such as malicious

- Noise, such as whether the IP address is likely involved in some form of malicious activity

- Riot, such as whether the IP is part of a known benign service or infrastructure

- Name associated with the IP

- Last seen (when the IP was last active)

- Link: A link to visualize the IP's activity on GreyNoise

- Success or error message, depending on whether the lookup was successful

LookupIpContext (requires GreyNoise Enterprise)

Required Input: IP Address (v4 or v6)

Example prompt: Find the GreyNoise IP Context for IP 183.221.243.13

What it does: Provides context about IPs that GreyNoise observed scanning the internet. Returns a comprehensive set of information including classification (malicious, benign, etc.), last seen timestamp, associated actors, tags, and metadata.

LookupIpQuick (requires GreyNoise Enterprise)

Required Input: IP Address (v4 or v6)

Example prompt: Use GreyNoise to do a quick check of IP 183.221.243.13

What it does: Provides a quick way to check if an IP is "noise" or not. Returns a boolean indicating whether the IP is present in the dataset or not.

LookupMultipleIps (requires GreyNoise Enterprise)

Required Input: IP Address (v4 or v6)

Example prompt: Lookup Multiple IPs using GreyNoise 183.221.243.13 and 8.8.8.8

What it does: Provides a quick way to check information on multiple IPs. Returns an array of context information for each IP address, similar to the LookupIpContext endpoint.

LookupIpRiot (requires GreyNoise Enterprise)

Required Input: IP Address (v4 or v6)

Example prompt: Use GreyNoise to check the Riot information on IP 183.221.243.13

What it does: Provides information about IPs commonly added to allowlists. Returns a boolean indicating whether the IP is part of the RIOT dataset or not, along with some basic context information if it is.

LookupGNQL (requires GreyNoise Enterprise)

Required Input: GNQL Query

Example prompt: Use GreyNoise to check the GNQL information on tags:"RDP Scanner"

What it does: Allows you to use the GreyNoise Query Language (GNQL) to make complex queries against the GreyNoise dataset. Returns an array of results that match the GNQL query.
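
An added example, not part of the original article and not GreyNoise or Microsoft code: because the number of queries can be limited by plan, it first reduces a list of candidate indicators to unique, public IP addresses (v4 or v6), then maps a lookup result to a triage disposition. The dictionary keys (noise, riot, classification), the disposition names, and the policy order are assumptions modelled on the fields listed for LookupIpAddressNoise; the sample records are constructed.

```python
import ipaddress

def queryable(candidates):
    """Return unique, globally routable IPs (v4 or v6) worth a lookup."""
    seen, keep = set(), []
    for raw in candidates:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue  # not an IP address, so the skill's required input is not met
        if not ip.is_global or ip in seen:
            continue  # private/loopback/reserved or duplicate: no lookup needed
        seen.add(ip)
        keep.append(str(ip))
    return keep

def triage(record):
    """Map one lookup result to a disposition (example policy, not GreyNoise's)."""
    # Assumed keys: noise, riot, classification (mirroring the documented fields).
    if "noise" not in record or "riot" not in record:
        return "lookup-failed"          # error response: never treat as clean
    if record.get("classification") == "malicious":
        return "escalate"               # explicit malicious verdict wins
    if record["riot"]:
        return "known-benign-service"   # commonly allowlisted infrastructure
    if record["noise"]:
        return "background-scanner"     # seen scanning the internet at large
    return "not-observed"               # no record: may be targeted, review manually

# Constructed inputs: indicators pulled from an alert, and lookup results
# keyed by documentation-range addresses (not real GreyNoise data).
SAMPLE_IPS = ["8.8.8.8", "10.0.0.5", " 8.8.8.8 ", "not-an-ip",
              "2001:4860:4860::8888", "127.0.0.1"]
SAMPLE_RECORDS = {
    "203.0.113.10": {"noise": True, "riot": False, "classification": "malicious"},
    "203.0.113.20": {"noise": False, "riot": True, "classification": "benign"},
    "203.0.113.30": {"noise": True, "riot": False, "classification": "unknown"},
    "203.0.113.40": {"noise": False, "riot": False},
    "203.0.113.50": {"message": "constructed error text"},
}

if __name__ == "__main__":
    print(queryable(SAMPLE_IPS))
    for ip, rec in SAMPLE_RECORDS.items():
        print(ip, triage(rec))
```
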

Troubleshoot the GreyNoise plugin

Errors occur

If you encounter errors, such as "Couldn't complete your request" or "An unknown error occurred", make sure the plugin is turned on. If the issue persists, sign out of Copilot for Security, and then sign back in.

Prompts aren't invoking the correct skills

If prompts aren't invoking the correct skills, or prompts are invoking some other skill set, you might have custom plugins or other plugins with functionality similar to the skill set you want to use. To prioritize and target GreyNoise, try disabling other custom plugins.

See also

Other plugins for Microsoft Copilot for Security

Manage plugins in Microsoft Copilot for Security