greynoise-mcp-server

GreyNoise-Intelligence/greynoise-mcp-server

3.3

If you are the rightful owner of greynoise-mcp-server and would like to certify it and/or have it hosted online, please leave a comment on the right or send an email to henry@mcphub.com.

The GreyNoise MCP Server provides comprehensive access to GreyNoise Intelligence data about internet-scanning IP addresses, threat actors, and vulnerabilities.

Tools
5
Resources
0
Prompts
0

MCP Server For GreyNoise

REQUIRES AN ENTERPRISE API KEY

Installation

DXT

If you use Claude Desktop or another client that can import MCP servers via DXT files, just download and double-click on the provided DXT.

For Development

Clone the whole repo and then npm install && npm run build.

For Production/NPX Usage

npx @greynoise/greynoise-mcp-server --help

Note: The bundled version works standalone for stdio transport (default). HTTP transport requires Express to be available.

This is a sample entry for, say, Claude Desktop:

{
  "mcpServers": {
    "greynoise": {
      "command": "npx",
      "args": ["@greynoise/greynoise-mcp-server"],
      "env": {
        "GREYNOISE_API_KEY": "your-greynoise-api-key"
      }
    }
  }
}

Or for local development:

{
  "mcpServers": {
    "greynoise": {
      "command": "node",
      "args": ["/absolute/path/to/greynoise-mcp-server/build/index.js"],
      "env": {
        "GREYNOISE_API_KEY": "your-greynoise-api-key"
      }
    }
  }
}

Build System

This project uses tsup for modern bundling:

  • npm run build: Creates optimized bundle for distribution
  • npm run build:dev: Development build with source maps
  • npm run dev: Watch mode with auto-rebuild
  • npm run build:standalone: Prepares package for NPX distribution

The bundled output includes all core dependencies except Express (for HTTP transport) and dotenv (due to dynamic require limitations).

Testing

The project includes a test script for verifying the GreyNoise API endpoints directly:

Prerequisites

  1. Build the project:

    npm run build

  2. Set your GreyNoise Enterprise API key:

    # For Linux/macOS
export GREYNOISE_API_KEY=your-api-key-here

# For Windows Command Prompt
set GREYNOISE_API_KEY=your-api-key-here

# For Windows PowerShell
$env:GREYNOISE_API_KEY="your-api-key-here"

Running Tests

# Test all API endpoints
node test-tools.js

# Test a specific API endpoint
node test-tools.js ip-context
node test-tools.js quick-check-ip
node test-tools.js multi-ip-check
node test-tools.js riot-lookup
node test-tools.js tag-list
node test-tools.js tag-details
node test-tools.js tag-activity
node test-tools.js trending-tags
node test-tools.js gnql-stats
node test-tools.js cve-details

The test script directly verifies the GreyNoise API endpoints without using the MCP server layer. This helps to:

  1. Confirm your API key works correctly
  2. Verify connectivity to the GreyNoise API
  3. Validate the expected response formats
  4. Troubleshoot specific endpoints independently

Implementation Notes

The test script mimics how the actual MCP tools access the API with some key differences:

  • Tag List & Details: First retrieves all tags via v3/tags and uses client-side filtering for specific tags
  • Tag Activity: Requires the tag ID (not slug), so it first looks up the tag's details before retrieving activity data
  • Trending Tags: Combines data from two endpoints: v3/summary/tags?sort=trending and v3/summary/tags?sort=anomalies
  • Multi-IP Check: Uses a special POST method rather than the standard GET requests

MCP Tools and Prompts

This MCP server provides comprehensive access to GreyNoise Intelligence data about internet-scanning IP addresses, threat actors, and vulnerabilities. It includes tools for IP analysis (detailed context, quick checks, batch processing, and business service lookups), tag exploration, vulnerability tracking, and query capabilities.

Transport Options

stdio (Default)

The bundled version works completely standalone for stdio transport:

npx @greynoise/greynoise-mcp-server --transport stdio

http

HTTP transport requires Express to be available in the environment:

# Ensure Express is available
npm install express
node @greynoise/greynoise-mcp-server --transport http

Available Tools

  1. lookup-ip-context - Get detailed GreyNoise context information about an IP address

  2. quick-check-ip - Get a fast, lightweight check of an IP address to determine if it's scanning the internet or is a common business service (uses v2/noise/quick/{ip})

  3. multi-ip-check - Check multiple IP addresses at once (up to 100) for noise and common business service status (uses v2/noise/multi/quick with POST)

  4. riot-lookup - Check if an IP address belongs to a common business service and get detailed information about the service (uses v2/riot/{ip})

  5. get-tag-list - Retrieve the complete list of GreyNoise tags with metadata including identifiers, descriptions, categories, and intentions

  6. search-tags - Search for GreyNoise tags matching a specific query

  7. get-tag-details - Get comprehensive metadata about a specific GreyNoise tag

  8. get-tag-activity - Get activity data for a specific GreyNoise tag, including trends over time

  9. analyze-tags-activity - Analyze activity patterns across multiple tags to identify correlations and trends

  10. get-trending-vulnerabilities - Get information on vulnerabilities actively being exploited in the wild, as detected by GreyNoise

  11. gnql-stats - Query GreyNoise's database using the GreyNoise Query Language (GNQL) and retrieve statistical data

  12. get-cve-details - Get detailed information about a specific CVE, including GreyNoise observations of exploitation attempts

Usage Examples

IP Analysis Tools
// Quick check for a single IP
{
  "tool_name": "quick-check-ip",
  "parameters": {
    "ip": "8.8.8.8"
  }
}

// Check multiple IPs at once (up to 100)
{
  "tool_name": "multi-ip-check",
  "parameters": {
    "ips": ["8.8.8.8", "1.1.1.1", "205.251.242.103"]
  }
}

// Look up business service information
{
  "tool_name": "riot-lookup",
  "parameters": {
    "ip": "8.8.8.8"
  }
}

// Get detailed context for an IP
{
  "tool_name": "lookup-ip-context",
  "parameters": {
    "ip": "89.248.165.191"
  }
}

// Get tags and filter for a specific one
{
  "tool_name": "get-tag-details",
  "parameters": {
    "id_or_slug": "scanner"
  }
}

// Get tag activity data (by tag ID or by CVE)
{
  "tool_name": "get-tag-activity",
  "parameters": {
    "id_or_slug": "scanner",
    "days": "30"
  }
}

// Get trending vulnerability tags
{
  "tool_name": "get-trending-vulnerabilities",
  "parameters": {}
}

Available Prompts

  1. vendor-threat-report - Generate a comprehensive threat report for a vendor technology

    • Produces a detailed analysis including executive summary, threat actor activity, recent vulnerabilities, attack patterns, mitigation recommendations, and confidence assessment
    • Automatically orchestrates multiple GreyNoise data queries to assemble a complete picture of the threat landscape
    • Parameters: vendor (required), technology (optional), timeframe in days 1-90 (required)

  2. ip-threat-analysis - Generate a detailed analysis of an IP address to determine if it's malicious and associated threats

    • Performs comprehensive threat analysis using GreyNoise data to classify IPs as malicious, benign, or unknown
    • Includes classification, associated tags and activities, geographic/network information, historical activity timeline, threat severity assessment, and recommended actions
    • Parameters: ip (required), include_related true/false (optional)

  3. cve-analysis - Generate a comprehensive analysis of a CVE including exploitation status and risk assessment

    • Provides detailed vulnerability analysis including current exploitation status, trends, affected systems, attack vectors, geographical distribution, and risk scoring
    • Combines CVE details with real-time exploitation data from GreyNoise observations
    • Parameters: cve_id (required), timeframe in days 1-90 (optional, defaults to 30)

  4. emerging-threat-report - Generate a report on emerging threats based on recent activity and trending data

    • Identifies and analyzes new and trending threats, attack vectors, vulnerability exploitations, and geographical threat distribution
    • Includes predictions of near-future threats and strategic recommendations
    • Parameters: days (optional: 1, 7, or 30, defaults to 7), focus_area (optional, e.g., 'ransomware', 'IoT', 'healthcare')

  5. security-posture-assessment - Generate a security posture assessment for an organization based on technologies and vulnerabilities

    • Provides comprehensive security assessment tailored to an organization's technology stack and industry
    • Includes vulnerability analysis for key technologies, exposure assessment, attack surface analysis, risk scoring by component, and prioritized security recommendations
    • Parameters: organization (required), technologies as comma-separated list (required), industry (optional)

  6. threat-hunting - Generate a threat hunting plan based on specific indicators or patterns

    • Creates detailed hunting plans for different indicator types including IPs, tags, behaviors, actors, or CVEs
    • Provides detection methods, data sources, search patterns, timeline, evidence collection methods, and response procedures
    • Parameters: indicator_type (required: 'ip', 'tag', 'behavior', 'actor', or 'cve'), indicator_value (required), environment description (required)