Monitoring external IP address reputation can be used as an additional measure for detecting compromised (e.g. malware-infested) devices inside the network.
Once a device is compromised, it frequently starts scanning the internet, causing the external IP address of the network to get flagged by IP reputation services like GreyNoise (of course, this does not apply to all types of cyber-threats/malware).
Here is a RouterOS script which checks the GreyNoise IP Check web service and sends an e-mail to a predefined recipient if it detects a problem (or if the check fails).
    :local recipient "recipient@example.test"
    :local routername "$[/system identity get name]"
    :local response
    # Query GreyNoise; :onerror returns true only if all retries failed
    :if ( [:onerror e in={
        :retry delay=15s max=5 command={
            :set response [/tool/fetch mode=https check-certificate=yes url=https://check.labs.greynoise.io/ output=user idle-timeout=15s http-header-field="user-agent:curl/8.18.0" as-value]
        }
    }] ) do={
        /log error "Failed to query GreyNoise IP Check"
        /tool e-mail send to="$recipient" subject="Failed to query GreyNoise on $routername" body="Failed to query GreyNoise IP Check on $routername on $[/system clock get date] at $[/system clock get time]."
    } else={
        # Only the exact "ip not found" response counts as clean; anything else raises an alert
        :if ( ($response->"data") ~ "^\\{\"ip\":\"[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+\",\"status\":\"not_found\",\"classification\":null,\"noise\":false,\"common_business_services\":false,\"trust_level\":null,\"error\":\"ip not found\"\\}\$" ) do={
            /log info "External IP is clean according to GreyNoise IP Check"
        } else={
            /log error "GreyNoise IP Check detected an issue"
            /tool e-mail send to="$recipient" subject="GreyNoise on $routername detected an issue" body="GreyNoise IP Check on $routername detected an issue on $[/system clock get date] at $[/system clock get time].\r\n\
                Please manually visit https://check.labs.greynoise.io/ from this network to see details!"
        }
    }
The script needs read and test permissions (policy), fetch and email enabled in device mode, and e-mail sending configured.
To install the script in /system/script (with name GreyNoise-check) and schedule it to run nightly (e.g. between 04:00 and 05:00), commands like these can be used:
    /system/script/add name=GreyNoise-check policy=read,test
    /system/script/edit GreyNoise-check source
    /system/scheduler/add interval=1d name=GreyNoise-check on-event=":delay [:rndnum from=0 to=3599]\n/system script run GreyNoise-check" policy=read,test start-date=2026-04-01 start-time=04:00:00
Comments, suggestions and questions are welcome!
P.S. I am not affiliated with GreyNoise in any way.
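
The following is an added example, not part of the original post: it ports the script's "clean" pattern to Python and runs it over constructed response bodies to show that the check fails closed, so a flagged field, a changed layout, or a non-JSON reply all raise an alert. The sample bodies, the `malicious` value, and the helper names `script_verdict` and `explain` are assumptions made for illustration.

```python
import json
import re

# The script's RouterOS pattern as a Python regex (anchoring is done by fullmatch).
STRICT_CLEAN = re.compile(
    r'\{"ip":"[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+","status":"not_found",'
    r'"classification":null,"noise":false,"common_business_services":false,'
    r'"trust_level":null,"error":"ip not found"\}')

# Field values the script's pattern accepts as clean.
CLEAN_FIELDS = {"status": "not_found", "classification": None, "noise": False,
                "common_business_services": False, "trust_level": None,
                "error": "ip not found"}

def script_verdict(body):
    """Mirror the script: anything other than the exact clean body alerts."""
    return "clean" if STRICT_CLEAN.fullmatch(body) else "alert"

def explain(body):
    """List why a body would alert; an empty list means it is clean."""
    try:
        doc = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(doc, dict):
        return ["body is not a JSON object"]
    reasons = []
    for key, clean in CLEAN_FIELDS.items():
        value = doc.get(key, "<missing>")
        if value != clean:
            reasons.append(f"{key}={value!r}, clean value is {clean!r}")
    extra = sorted(set(doc) - set(CLEAN_FIELDS) - {"ip"})
    if extra:
        reasons.append("unexpected fields: " + ", ".join(extra))
    if not reasons and script_verdict(body) == "alert":
        reasons.append("values are clean but the layout differs from the pattern")
    return reasons

# Constructed sample bodies (not captured GreyNoise output); 192.0.2.1 is a
# documentation address and the flagged values are assumptions.
_CLEAN = ('{"ip":"192.0.2.1","status":"not_found","classification":null,'
          '"noise":false,"common_business_services":false,"trust_level":null,'
          '"error":"ip not found"}')
SAMPLES = {
    "clean": _CLEAN,
    "flagged": _CLEAN.replace('"noise":false', '"noise":true')
                     .replace('"classification":null', '"classification":"malicious"'),
    "spaced": _CLEAN.replace('","', '", "'),
    "not_json": "<html>captive portal</html>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, script_verdict(body), explain(body))
```

Because the pattern matches the whole body, a harmless change in the service's JSON layout also produces an alert e-mail, which is the safe direction for this check to fail.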