
Summary
This rule inspects source IP addresses across a wide range of log sources and alerts when GreyNoise V3 classifies the address as malicious or unknown. Each IP is enriched with GreyNoise context (classification, actor, CVEs, tags and metadata). Two exclusions keep routine traffic out of the alert stream: IPs GreyNoise recognises as known business services (SaaS, CDN and similar infrastructure) and IPs classified as benign are never flagged. An IP with no GreyNoise record produces no alert either, because there is nothing to judge; this is the "no enrichment" test vector. Note that "unknown" means GreyNoise has observed the address scanning the internet but has not attributed it to a benign or malicious actor, so expect more alert volume from that class than from "malicious".

The rule maps to MITRE ATT&CK Reconnaissance (TA0043), Active Scanning: Scanning IP Blocks (T1595.001).

The included runbook takes an analyst from enrichment review to containment:
- Open the GreyNoise classification URL for the IP.
- Review the associated CVEs and tags to see what the scanner is probing for.
- Query the data lake for every event involving the IP.
- Determine whether the IP reached internal assets and whether any connection succeeded (as opposed to being rejected at the edge).
- If the activity is confirmed malicious and a connection succeeded, block the IP, isolate the affected hosts and rotate any credentials that may have been exposed.

Coverage spans cloud, SaaS and network environments: the rule ingests CloudTrail, VPC flow logs, Cloudflare, Okta, GSuite and other log types, and applies the same GreyNoise enrichment to each. Alerts are deduplicated per IP over a 60-minute window to limit alert fatigue, and the rule ships with test vectors for a malicious IP, a benign IP, an unknown IP and an IP with no enrichment. The GreyNoise reference documentation linked from the rule supplies the context needed to interpret the classification, tags and CVEs during triage and remediation.
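The detection logic and runbook steps summarized above, as an added example (illustrative Python, not the rule's own code): it enriches a source IP from a constructed in-memory GreyNoise-style lookup, excludes business services and benign IPs, suppresses repeat alerts for the same IP inside the 60-minute window, and runs the data-lake triage step over constructed flow-log-style records to answer whether assets were contacted and whether connections succeeded. The field names, the business-service table, the visualizer URL format and every IP in the data are assumptions made for the example.

```python
"""Illustrative re-creation of the summarized rule and runbook (added example; not the rule's own code).
Everything here is constructed: enrichment comes from an in-memory dict instead of a log pipeline,
field names follow the GreyNoise V3 context named in the summary (classification, actor, cve, tags,
metadata), BUSINESS_SERVICES stands in for GreyNoise's business-service data, IPs are RFC 5737 ranges."""

DEDUP_WINDOW_SECONDS = 60 * 60                      # the rule's 60-minute dedup window
ALERTING_CLASSIFICATIONS = {"malicious", "unknown"}

# Constructed GreyNoise-style noise context keyed by IP.
NOISE = {
    "203.0.113.10": {"classification": "malicious", "actor": "unknown", "cve": ["CVE-2021-44228"],
                     "tags": ["Log4j Exploit Attempt"], "metadata": {"country": "ZZ"}},
    "198.51.100.7": {"classification": "unknown", "actor": "unknown", "cve": [],
                     "tags": ["Web Crawler"], "metadata": {}},
    "192.0.2.55": {"classification": "benign", "actor": "GoogleBot", "cve": [],
                   "tags": [], "metadata": {}},
    "192.0.2.200": {"classification": "unknown", "actor": "unknown", "cve": [],
                    "tags": [], "metadata": {}},
}
# Constructed business-service entries (known SaaS/CDN infrastructure the rule excludes).
BUSINESS_SERVICES = {"192.0.2.200": {"name": "Example CDN", "category": "cdn"}}

def enrich(ip):
    """Return the constructed enrichment for ip, or None when there is no GreyNoise record."""
    if ip not in NOISE and ip not in BUSINESS_SERVICES:
        return None
    return {"noise": NOISE.get(ip), "riot": BUSINESS_SERVICES.get(ip)}

def rule(event):
    """Fire when the source IP is malicious or unknown and not a business service or benign IP."""
    enrichment = enrich(event.get("src_ip"))
    if enrichment is None:                 # no enrichment: nothing to judge, no alert
        return False
    if enrichment["riot"]:                 # known business service: excluded
        return False
    noise = enrichment["noise"]
    if noise is None or noise["classification"] == "benign":
        return False
    return noise["classification"] in ALERTING_CLASSIFICATIONS

def alert_context(event):
    """The enrichment an analyst reviews first (runbook steps 1-2); the URL format is an assumption."""
    ip = event["src_ip"]
    noise = NOISE[ip]
    return {"ip": ip, "classification": noise["classification"], "actor": noise["actor"],
            "cves": noise["cve"], "tags": noise["tags"],
            "greynoise_url": f"https://viz.greynoise.io/ip/{ip}"}

def dedup_replay(events, window_seconds=DEDUP_WINDOW_SECONDS):
    """Replay events in time order and return one bool per event saying whether it alerts.
    Repeat hits on the same source IP inside the window collapse into the first alert."""
    first_alert_ts = {}
    decisions = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        fire = rule(ev)
        if fire:
            prev = first_alert_ts.get(ev["src_ip"])
            if prev is not None and ev["ts"] - prev < window_seconds:
                fire = False               # inside the window: same alert, do not re-raise
            else:
                first_alert_ts[ev["src_ip"]] = ev["ts"]
        decisions.append(fire)
    return decisions

def triage(ip, events):
    """Runbook steps 3-4: every event involving ip, the assets it reached, whether connections
    succeeded, and whether any asset talked back. Constructed flow-log style: ACCEPT = allowed."""
    involved = [e for e in events if ip in (e.get("src_ip"), e.get("dst_ip"))]
    return {
        "events": len(involved),
        "assets_contacted": sorted({e["dst_ip"] for e in involved if e["src_ip"] == ip}),
        "successful_connections": sum(1 for e in involved if e["action"] == "ACCEPT"),
        "outbound_from_assets": sum(1 for e in involved if e["dst_ip"] == ip),
    }

# The summary's four test vectors plus a business-service case (constructed events).
TEST_VECTORS = {
    "malicious": {"src_ip": "203.0.113.10", "dst_ip": "10.0.0.5", "action": "ACCEPT"},
    "benign": {"src_ip": "192.0.2.55", "dst_ip": "10.0.0.5", "action": "ACCEPT"},
    "unknown": {"src_ip": "198.51.100.7", "dst_ip": "10.0.0.5", "action": "REJECT"},
    "no_enrichment": {"src_ip": "192.0.2.99", "dst_ip": "10.0.0.5", "action": "ACCEPT"},
    "business_service": {"src_ip": "192.0.2.200", "dst_ip": "10.0.0.5", "action": "ACCEPT"},
}

# Constructed flow-log-style sample: one scanner probing two hosts, one host answering back.
SAMPLE_LOG = [
    {"src_ip": "203.0.113.10", "dst_ip": "10.0.0.5", "action": "REJECT", "ts": 1000},
    {"src_ip": "203.0.113.10", "dst_ip": "10.0.0.5", "action": "ACCEPT", "ts": 1600},
    {"src_ip": "203.0.113.10", "dst_ip": "10.0.0.9", "action": "ACCEPT", "ts": 5000},
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.10", "action": "ACCEPT", "ts": 5100},
    {"src_ip": "198.51.100.7", "dst_ip": "10.0.0.5", "action": "REJECT", "ts": 5200},
]

if __name__ == "__main__":
    for name, vector in TEST_VECTORS.items():
        print(f"{name:17s} alert={rule(vector)}")
    print(dedup_replay(SAMPLE_LOG))           # one decision per event, in time order
    print(triage("203.0.113.10", SAMPLE_LOG))
```

Replaying the sample log shows the dedup behaviour the summary describes: the scanner's first probe alerts, its second probe 10 minutes later is suppressed, and its probe of a second host 66 minutes after the first alert raises a fresh one. The triage result for that IP reports two assets contacted, three accepted connections and one outbound connection from an internal host back to the scanner, which is the combination that moves the runbook from review into containment.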
Categories
- Network
- Cloud
- Web
- Application
Data Sources
- Network Traffic
- Application Log
- Cloud Service
ATT&CK Techniques
- T1595.001
Created: 2026-03-18