For AI agents: visit https://docs.greynoise.io/llms.txt for an index of all pages formatted in Markdown and endpoints in OpenAPI.
- Notice a spike in the time series chart on the Sessions or Graph tab
- Highlight the spike — the time range will zoom to that window
- Switch to Graph view with Field:
Src country or Field: Source IP to see what drove the spike
- Drill into a specific source IP by clicking its value to append it to the query
- Expand a session from that IP to view packet details and payloads
- Enter the query: http.uri:/global-protect/login.esp in the query bar
- Hit Search
- Use Graph view with Field:
Src country to see where these probes are coming from
- Expand individual sessions to see the full HTTP request in the Payloads tab
- Enter:
source.ip:<the IP address>
- Review the Classification field to see if GreyNoise has tagged this IP as benign, malicious, suspicious, or unknown
- Check the GN Tags section in the Overview tab for specific behavior tags
- Use the Packets tab to review the exact sequence of frames
