Common Workflows
Investigating a Traffic Spike
- Notice a spike in the time series chart on the Sessions or Graph tab
- Highlight the spike — the time range will zoom to that window
- Switch to Graph view with Field: Src country or Field: Source IP to see what drove the spike
- Drill into a specific source IP by clicking its value to append it to the query
- Expand a session from that IP to view packet details and payloads
Finding PAN-OS / GlobalProtect Scanning
- Enter the query: http.uri:/global-protect/login.esp in the query bar
- Hit Search
- Use Graph view with Field: Src country to see where these probes are coming from
- Expand individual sessions to see the full HTTP request in the Payloads tab
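The same check run against your own perimeter web logs, as an added example that is not GreyNoise's own code: it matches requests for the /global-protect/login.esp probe URI and groups them by source IP, mirroring the "find the probes, then see where they come from" workflow above. It assumes Apache/nginx combined log format; the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Combined Log Format: client ident user [timestamp] "METHOD URI PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

GLOBALPROTECT_URI = "/global-protect/login.esp"  # the probe URI named on this page


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_probes(lines, uri=GLOBALPROTECT_URI):
    """Group requests for `uri` by source IP.

    Returns (counts, requests): counts is a Counter of src -> hits, requests maps
    src -> list of "METHOD URI status" strings so each probe can be reviewed.
    """
    counts = Counter()
    requests = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines instead of failing the whole run
        # Compare the path only; ignore any query string appended to the probe.
        path = rec["uri"].split("?", 1)[0]
        if path == uri:
            counts[rec["src"]] += 1
            requests[rec["src"]].append(f'{rec["method"]} {rec["uri"]} {rec["status"]}')
    return counts, dict(requests)


# Constructed sample log lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24
# are documentation address ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /global-protect/login.esp HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /global-protect/login.esp?x=1 HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "GET /global-protect/login.esp HTTP/1.1" 404 162 "-" "python-requests/2.31"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    counts, requests = find_probes(SAMPLE_LOG)
    for src, n in counts.most_common():
        print(f"{src}: {n} probe(s) -> {requests[src]}")
```

Feed the resulting source IPs into the source.ip: query described below to compare against GreyNoise's classification and tags.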
Analyzing Traffic from a Specific IP
- Enter: source.ip:<the IP address>
- Review the Classification field to see if GreyNoise has tagged this IP as benign, malicious, suspicious, or unknown
- Check the GN Tags section in the Overview tab for specific behavior tags
- Use the Packets tab to review the exact sequence of frames
