Every SOC analyst knows the feeling: another morning, another queue of hundreds of alerts, and the gnawing question of which ones actually matter. The volume of internet background noise — automated scanners, research probes, vulnerability crawlers — hasn’t slowed down. If anything, it’s accelerating. And as adversaries adopt AI to move faster, the cost of chasing the wrong signals isn’t just frustrating — it’s dangerous.

That’s the problem GreyNoise was built to address. We operate one of the largest passive sensor networks on the internet — more than 5,000 sensors across 80 countries, analyzing up to one billion sessions per day and tracking over 50 million IPs. That scale lets us classify internet-wide scanning and reconnaissance activity with confidence: which IPs are known benign scanners, which are actively malicious, and which are unknown — meaning we haven’t observed them scanning the internet indiscriminately.

That classification data is now available across the CrowdStrike Falcon platform — in Next-Gen SIEM, Falcon Fusion SOAR, and the agentic workflows that are defining the next era of security operations.

GreyNoise Intelligence Across CrowdStrike Falcon

For teams running Falcon, GreyNoise intelligence is operationalized across three integrated capabilities — inline investigation context in Next-Gen SIEM, automated enrichment and response in Falcon Fusion SOAR, and agentic collaboration through Charlotte AI.

Falcon Next-Gen SIEM: GreyNoise Classification Inside Your Existing Queries

The GreyNoise Foundry App — available directly on the CrowdStrike Marketplace — is the operational core of the integration. Once installed, it automatically imports a fresh GreyNoise indicator lookup file into Next-Gen SIEM every day. No manual feed management. No stale data.

That lookup file contains GreyNoise’s full dataset of classified IPs — benign scanners, malicious actors, CVE-targeting sources, and tagged threat infrastructure. Inside Next-Gen SIEM, analysts use the match() function to incorporate that data directly into their searches and analytics. GreyNoise classification columns — classification, observed activity, exploited CVEs — surface right alongside event data in the query view, with no pivot to an external tool required.

Detections tied to IPs that GreyNoise has identified as active exploit sources or malicious infrastructure stand out. Teams can build correlation rules and dashboards that weight GreyNoise-validated threats higher. And IPs that GreyNoise has classified as benign — known research scanners, internet measurement services, well-documented security vendors — carry that context right in the query results, giving analysts the information they need to make confident triage decisions.

The Foundry App ships with a pre-built app template containing GreyNoise threat intelligence actions, ready to deploy in Foundry and extend into Fusion SOAR workflows.

Falcon Fusion SOAR: Automated Enrichment and Response

Knowing an IP is malicious is useful. Acting on that intelligence automatically is where the efficiency gain lives.

The GreyNoise Foundry App includes a native Falcon Fusion SOAR integration that puts GreyNoise enrichment directly into workflow logic. Security teams can build — or extend — automated playbooks that take action based on GreyNoise IP context:

  • Alert on malicious IPs — trigger high-priority notifications when GreyNoise identifies adversary activity at the perimeter
  • Prioritize vulnerability response — surface CVE exploitation data to inform which vulnerabilities need immediate patching attention
  • Initiate threat hunts — automatically kick off hunt workflows when GreyNoise identifies coordinated scanning tied to known threat infrastructure
  • Automate blocking or containment — close the loop on confirmed malicious IPs

GreyNoise’s benign classification is particularly valuable here. Because GreyNoise classifies known-good IPs — security researchers, CDN health checks, legitimate vulnerability scanners — SOAR workflows have a higher-confidence basis for automated routing decisions. That confidence is grounded in what our sensor network directly observes, not aggregated from third-party sources.
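The enrichment and routing described above, sketched in Python as an added example (not GreyNoise or CrowdStrike code): it mimics the lookup join that match() performs in Next-Gen SIEM and routes each alert by classification. The CSV column names, queue names, alert fields, IPs and CVE placeholders are all constructed assumptions.

```python
import csv
import io

# Constructed sample standing in for the daily lookup file. Column names are
# assumptions; IPs are documentation ranges; CVE ids are placeholders.
LOOKUP_CSV = """ip,classification,cves
192.0.2.10,benign,
198.51.100.7,malicious,CVE-0000-0001;CVE-0000-0002
203.0.113.5,malicious,
"""

# Constructed detections: source IP plus the CVE the firing rule relates to.
ALERTS = [
    {"id": "a1", "src_ip": "192.0.2.10", "rule_cve": None},
    {"id": "a2", "src_ip": "198.51.100.7", "rule_cve": "CVE-0000-0001"},
    {"id": "a3", "src_ip": "203.0.113.5", "rule_cve": "CVE-0000-0001"},
    {"id": "a4", "src_ip": "198.51.100.99", "rule_cve": None},
]

def load_lookup(text):
    """Index lookup rows by IP, splitting the CVE column into a set."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["cves"] = set(filter(None, row["cves"].split(";")))
        table[row["ip"]] = row
    return table

def enrich(alert, table):
    """Left join: an alert whose IP is absent from the file stays, as 'unknown'."""
    hit = table.get(alert["src_ip"])
    out = dict(alert)
    out["classification"] = hit["classification"] if hit else "unknown"
    out["cves"] = hit["cves"] if hit else set()
    return out

def route(alert):
    """Pick a queue (hypothetical names) from classification and CVE overlap."""
    cls = alert["classification"]
    if cls == "malicious":
        # Source observed exploiting the same CVE the detection is about.
        if alert["rule_cve"] in alert["cves"]:
            return "p1-exploit-match"
        return "p2-malicious"
    if cls == "benign":
        return "low-known-scanner"  # deprioritized, still recorded
    return "standard-triage"        # unknown is not the same as safe

def triage(alerts, lookup_text):
    table = load_lookup(lookup_text)
    return {a["id"]: route(enrich(a, table)) for a in alerts}
```

The unknown branch deliberately falls through to normal triage: an IP missing from the lookup has not been seen scanning indiscriminately, which says nothing about whether its traffic to you is safe.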

Charlotte AI: GreyNoise as a Trusted Ecosystem Participant

CrowdStrike’s blog on building an agentic security workforce names GreyNoise among the trusted ecosystem participants supported in Charlotte AI’s Agentic Response Collaboration capability — alongside Corelight, ExtraHop, Proofpoint, Google, Abnormal AI, and Zscaler. These integrations provide what CrowdStrike describes as “deep cross-domain context to drive faster, more accurate analysis.”

Charlotte AI’s use of ecosystem data is still maturing, and we’ll share more as it develops. But the direction is clear: as agentic workflows become a core part of how SOC investigations run, GreyNoise intelligence can be part of the reasoning loop.

Here’s what that looks like in practice. An alert fires on a suspicious external IP. Charlotte AI’s Detection Triage Agent is working the case. As part of its investigation, GreyNoise context is available: Is this IP part of a known mass scanner campaign? Has it been observed exploiting the specific vulnerability that generated the alert? Is it tied to active threat infrastructure? That intelligence informs the agent’s triage decision — contributing internet-wide scanning context to a process that already draws from endpoint, identity, and cloud telemetry.

Charlotte AI’s agentic response can trigger workflows in Falcon Fusion SOAR, which means GreyNoise intelligence already available in your SOAR playbooks carries naturally into AI-driven triage. CrowdStrike’s mission-ready agents — covering detection triage, malware analysis, exposure prioritization, and threat hunting — are trained on years of expert decisions from Falcon Complete analysts. GreyNoise’s classification data adds internet-wide reconnaissance context to those workflows.

What Falcon Users Get

GreyNoise intelligence across the Falcon platform produces four specific outcomes:

  • Higher-confidence triage — GreyNoise classification gives analysts a clear signal on which external IPs are known internet scanners and which warrant deeper investigation
  • Contextualized alerts — every IP-based detection carries GreyNoise behavior, classification, and CVE context from the moment it fires
  • Faster investigation and response — inline enrichment and automated SOAR workflows compress the time from alert to action
  • Prioritized vulnerability response — CVE exploitation intelligence from GreyNoise’s sensor network informs which vulnerabilities are being actively targeted right now

Getting Started

The GreyNoise Foundry App is available on the CrowdStrike Marketplace for Falcon Next-Gen SIEM and Falcon Insight XDR customers. Installation takes minutes, and the daily automated indicator import requires no ongoing maintenance.

Install the GreyNoise Foundry App on the CrowdStrike Marketplace

Read the technical integration documentation

Learn more about GreyNoise

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.