GreyNoise
Guides
Start typing to search…

Recall - GNQL Over Time

What is it?

Recall is a time-series capability for GNQL that enables you to query GreyNoise data over a specific historical time range, rather than just the current 90-day aggregated view provided by standard GNQL results.

With Recall, you can answer questions like:

  • “What did GreyNoise observe for this IP last week vs. last month?”
  • “When did a certain tag/behavior show up?”
  • “How did the volume of matching IPs change over time for a GNQL query?”

Who is it for?

Recall is for teams who want to do historical analysis or build trend-based workflows, including:

  • SOC / Threat Intel teams doing investigation and needing historical context (e.g., “was this IP active during the incident window?”)
  • Detection engineering teams tracking how scanning/exploitation behavior evolves over time
  • Security data/platform teams building dashboards, enrichment pipelines, or alerting logic based on changes over time (not just “what’s true now”)

Who has access?

  • The Recall APIs are currently available for any users with a Platform (Standard / Advanced / Elite) license
  • The Platform license entitlements define the Recall API data reached:
    • Standard Platform: 10 Day Lookup
    • Advanced Platform: 30 Day Lookup
    • Elite Platform: 90 Day Lookup
  • Data fields and query terms are determined by the Internet Scanner Intelligence Module (Triage / Investigate / Hunt)

How does it work?

Recall provides two endpoints:

1) Recall Data API

Endpoint: /v3/gnql/timeseries

Use this when you want to retrieve the actual hourly records for the IPs that match your GNQL query.

You provide:

  • query (required): the GNQL query to run
  • start (required): start of the time range
  • end (required): end of the time range
  • limit (optional): how many IPs (total) to return
  • offset (optional): pagination

You get back:

  • A JSON object keyed by hour (yyyy-mm-dd-hh)
  • Each hour contains a list of records with:
    • ip
    • internet_scanner_intelligence (the GreyNoise context for that IP at that hour)

Example request

curl --location'https://api.greynoise.io/v3/gnql/timeseries?query=ip%3A212.18.104.107&start=2025-09-08T06%3A00%3A00Z&end=2025-10-23T12%3A00%3A00Z' \
  --header'key: <key>'

2) Recall Stats API

Endpoint: /v3/gnql/timeseries/stats

Use this when you want a trend line rather than full records. For example, “how many unique IPs matched this query per hour/day?”

You provide:

  • query (required)
  • start (required)
  • end (required)
  • interval (required): hour or day

You get back:

  • count: unique IPs across the entire time range
  • min / max: minimum and maximum bucket counts
  • data: a list of { date, count } for each hour/day bucket

Example request

curl --location'https://api.greynoise.io/v3/gnql/timeseries/stats?query=tags%3A*Scanner*&start=2025-08-08T06%3A00%3A00Z&end=2025-10-12T23%3A00%3A00Z&interval=day' \
  --header'key: <key>'

Important note on GNQL syntax

Recall accepts a stricter subset of GNQL than the standard GNQL endpoint. This is intentional to avoid queries that behave differently than customers expect (especially around quoted strings + wildcards).

For example:

  • tags:*"Palo Alto"*
  • tags:*Palo\ Alto*

Updated about 10 hours ago