GreyNoise

Interact with GreyNoise API

Overview

This node integrates with the GreyNoise API to provide threat intelligence data about IP addresses and network activity. Specifically, the "RIOT IP Lookup" operation under the "Enterprise" resource identifies IPs belonging to known benign services and organizations that often cause false positives in security monitoring tools. This helps security analysts filter out noise from their alerts and focus on genuine threats.

Common scenarios where this node is beneficial include:

  • Enriching security alerts by identifying whether an IP address is likely benign or part of common background noise.
  • Reducing false positives in intrusion detection systems by filtering out IPs flagged as RIOT (Recognized Internet Outbound Traffic).
  • Automating threat intelligence workflows to quickly classify IP addresses during incident response.

Example use case: A SOC analyst receives multiple alerts triggered by IP addresses scanning their network. Using this node's RIOT IP Lookup, they can automatically check if these IPs are from known benign sources, allowing them to prioritize investigation efforts.

Properties

Name | Meaning
IP   | The IP address to query against the GreyNoise Enterprise RIOT database. This is a required string input.

Output

The node outputs JSON data containing information about the queried IP address from the GreyNoise RIOT dataset. This typically includes details indicating whether the IP is recognized as part of benign services or organizations that commonly generate false positives in security products.

The output JSON structure corresponds directly to the API response from the endpoint /v2/riot/{ip}, which may include fields such as classification, organization, and other metadata relevant to the IP's reputation.

No binary data output is produced by this operation.

Dependencies

  • Requires access to the GreyNoise Enterprise API.
  • An API authentication token or key credential must be configured in n8n to authorize requests to the GreyNoise API.
  • Network connectivity to https://api.greynoise.io is necessary.

Troubleshooting

  • Common issues:

    • Invalid or missing API credentials will result in authentication errors.
    • Querying malformed or invalid IP addresses may cause request failures.
    • Network connectivity problems can prevent successful API calls.
  • Error messages:

    • HTTP 401 Unauthorized: Check that the API key credential is correctly set up and valid.
    • HTTP 400 Bad Request: Verify that the IP address format is correct.
    • HTTP 404 Not Found: The IP address may not exist in the RIOT dataset.
    • Timeout or network errors: Ensure stable internet connection and that the GreyNoise API endpoint is reachable.
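
The status codes above matter most when a RIOT result is used to lower an alert's priority. The following JavaScript is an added example, not code from the GreyNoise node or this page: it maps each lookup outcome to a triage decision and fails closed, so only a confirmed RIOT hit deprioritizes an alert. The response fields `riot`, `name` and `trust_level`, the function names and the sample data are assumptions, and the validator covers IPv4 only.

```javascript
// Added example: fail-closed triage of GreyNoise RIOT lookup outcomes.
// Assumption: a 200 body carries a boolean `riot` and a provider `name`.

// Strict dotted-quad check so malformed input never reaches the API (avoids HTTP 400).
function isValidIPv4(ip) {
  if (typeof ip !== 'string') return false;
  const parts = ip.split('.');
  return parts.length === 4 &&
    parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

// Map one lookup outcome to a decision. Every error path keeps the alert
// in the analyst queue; a failed lookup is never treated as "benign".
function triageRiot(ip, status, body) {
  const keep = (reason) => ({ ip, action: 'investigate', reason });
  if (!isValidIPv4(ip)) return keep('invalid IP, not queried');
  switch (status) {
    case 200:
      if (body && body.riot === true) {
        return { ip, action: 'deprioritize', reason: `RIOT: ${body.name || 'unnamed provider'}` };
      }
      return keep('not flagged as RIOT');
    case 404:
      return keep('not in RIOT dataset');
    case 401:
      return keep('lookup failed: check API credential');
    case 400:
      return keep('lookup failed: API rejected IP format');
    default: // timeouts and network errors arrive here with no status
      return keep(`lookup failed: status ${status}`);
  }
}

function triageAll(results) {
  return results.map((r) => triageRiot(r.ip, r.status, r.body));
}

// Constructed sample outcomes (documentation-range IPs, not real API output).
const SAMPLE = [
  { ip: '192.0.2.10', status: 200, body: { ip: '192.0.2.10', riot: true, name: 'Example DNS', trust_level: '1' } },
  { ip: '198.51.100.7', status: 404, body: null },
  { ip: '203.0.113.5', status: 401, body: null },
  { ip: '999.1.1.1', status: null, body: null },   // malformed input
  { ip: '203.0.113.9', status: null, body: null }, // timeout, no HTTP status
];

console.log(triageAll(SAMPLE));
```

In an n8n workflow the same mapping can sit in a Code node placed after the GreyNoise node, with the node's error output routed into it.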
