# GreyNoise Documentation > Documentation for GreyNoise ## Guides - [Getting Started with GreyNoise](https://docs.greynoise.io/docs/getting-started.md): This page will help you get started with GreyNoise - [Setting up an Account](https://docs.greynoise.io/docs/setting-up-an-account.md): This Guide provides step-by-step instructions for creating a GreyNoise account and navigating the account settings. - [Using the GreyNoise Visualizer](https://docs.greynoise.io/docs/using-the-greynoise-visualizer.md): This Guide explains how to use the different features and components of the GreyNoise Visualizer. - [Using the GreyNoise Community API](https://docs.greynoise.io/docs/using-the-greynoise-community-api.md) - [Using the GreyNoise v3 API](https://docs.greynoise.io/docs/using-the-greynoise-api.md): This document is updated to match recommendations based on the v3 GreyNoise API. - [Using the GreyNoise Query Language (GNQL)](https://docs.greynoise.io/docs/using-the-greynoise-query-language-gnql.md) - [Using GreyNoise as an Indicator Feed](https://docs.greynoise.io/docs/using-greynoise-as-an-indicator-feed.md) - [Alerts](https://docs.greynoise.io/docs/feature-alerts.md) - [C2 Detection ](https://docs.greynoise.io/docs/c2-detection.md) - [C2 Detection - Use Cases and Workflows](https://docs.greynoise.io/docs/c2-detection-use-cases-and-workflows.md) - [C2 Detection - Video Overview](https://docs.greynoise.io/docs/c2-detection-video-overview.md) - [Event Feeds](https://docs.greynoise.io/docs/event-feeds.md) - [IP Timeline](https://docs.greynoise.io/docs/greynoise-ip-timeline.md) - [MCP Server](https://docs.greynoise.io/docs/mcp-server.md): Integrate GreyNoise threat intelligence directly into your AI workflow. The GreyNoise MCP Server exposes tools for IP reputation, RIOT/business-service checks, tag and vulnerability intelligence, GNQL stats, and more—so your agent can answer “is this noise or targeted?”, enrich investigations, and summarize activity without leaving your environment. - [MCP Server Security](https://docs.greynoise.io/docs/mcp-server-security.md) - [Query-Based Blocklists](https://docs.greynoise.io/docs/query-based-blocklists.md) - [Configure Palo Alto Networks EDL with GreyNoise Blocklists](https://docs.greynoise.io/docs/configure-palo-alto-networks-edl-with-greynoise-blocklists.md): GreyNoise Blocklists can be leveraged in many edge platforms for fast, reliable and continuously up-to-date blocking efforts. This document outlines how to create a GreyNoise Blocklist and implement it in Palo Alto Networks PAN-OS. - [Recall - GNQL Over Time](https://docs.greynoise.io/docs/recall.md) - [Tag Trends](https://docs.greynoise.io/docs/greynoise-tag-trends.md) - [Tag Trends - Trending](https://docs.greynoise.io/docs/greynoise-tag-trends-trending.md) - [Tag Trends - Anomalies](https://docs.greynoise.io/docs/greynoise-tag-trends-anomalies.md) - [Tag Trends - Most Active](https://docs.greynoise.io/docs/greynoise-tag-trends-most-active.md) - [Tag Trends - Most Recent](https://docs.greynoise.io/docs/greynoise-tag-trends-most-recent.md) - [Trends](https://docs.greynoise.io/docs/greynoise-trends.md) - [Firewall Blocking with GreyNoise Trends](https://docs.greynoise.io/docs/firewall-blocking-with-greynoise-trends.md) - [Vulnerability Prioritization Overview](https://docs.greynoise.io/docs/vulnerability-prioritization-overview.md) - [Vulnerability Prioritization FAQ](https://docs.greynoise.io/docs/vulnerability-prioritization-faq.md) - [Understanding GreyNoise Datasets](https://docs.greynoise.io/docs/understanding-greynoise-data-sets.md) - [Understanding GreyNoise Classifications](https://docs.greynoise.io/docs/understanding-greynoise-classifications.md) - [Understanding GreyNoise Enrichments](https://docs.greynoise.io/docs/understanding-greynoise-enrichments.md) - [Tags](https://docs.greynoise.io/docs/greynoise-tags.md) - [Understanding Business Services Intelligence (formerly RIOT)](https://docs.greynoise.io/docs/riot-data.md) - [Understanding Business Services Intelligence (frm RIOT) Trust Levels](https://docs.greynoise.io/docs/understanding-greynoise-riot-trust-levels.md) - [Applying GreyNoise Data to Your Analysis](https://docs.greynoise.io/docs/applying-greynoise-data-to-your-analysis.md) - [Single Sign On Support](https://docs.greynoise.io/docs/single-sign-on-support.md) - [Reference Deployments](https://docs.greynoise.io/docs/reference-deployments.md): Below are some sample reference deployments for how GreyNoise is commonly deployed. - [Search - Usage Monitoring](https://docs.greynoise.io/docs/greynoise-search-usage-monitoring.md) - [Integrations](https://docs.greynoise.io/docs/3rd-party-integrations.md) - [AI/ML Integrations](https://docs.greynoise.io/docs/aiml-integrations.md) - [AI/ML Integration Overview: Microsoft Copilot for Security](https://docs.greynoise.io/docs/aiml-integration-overview-microsoft-copilot-for-security.md): Additional documentation from Microsoft can be found here: https://learn.microsoft.com/en-us/security-copilot/plugin-greynoise - [SIEM Integrations](https://docs.greynoise.io/docs/siem-integrations.md) - [CrowdStrike Next-Gen SIEM Overview](https://docs.greynoise.io/docs/crowdstrike-ngsiem-overview.md) - [CrowdStrike Next-Gen SIEM Installation Guide](https://docs.greynoise.io/docs/crowdstrike-ngsiem-installation-guide.md) - [CrowdStrike Next-Gen SIEM Use Case Guide 1](https://docs.greynoise.io/docs/crowdstrike-ngsiem-use-case-guide-1.md): Reducing Alert Volume and Surfacing Targeted Threats - [CrowdStrike Next-Gen SIEM Use Case Guide 2](https://docs.greynoise.io/docs/crowdstrike-ngsiem-use-case-guide-2.md): Detecting Allowed Inbound Traffic from Known Malicious Hosts - [CrowdStrike Next-Gen SIEM Use Case Guide 3](https://docs.greynoise.io/docs/crowdstrike-ngsiem-use-case-guide-3.md): Flag Authentication Attempts from Compromised Hosts - [CrowdStrike Next-Gen SIEM Use Case Guide 4](https://docs.greynoise.io/docs/crowdstrike-ngsiem-use-case-guide-4.md): Detect Outbound Connections to Threat Infrastructure - [Elasticsearch Overview](https://docs.greynoise.io/docs/elastic-overview.md) - [Elasticsearch Installation Guide](https://docs.greynoise.io/docs/elastic-installation-guide.md) - [Elasticsearch Use Case Guide 1](https://docs.greynoise.io/docs/elastic-use-case-guide-1.md): Reducing Alert Volume and Surfacing Targeted Threats - [Elasticsearch Use Case Guide 2](https://docs.greynoise.io/docs/elastic-use-case-guide-2.md): Detecting Allowed Inbound Traffic from Known Malicious Hosts - [Elasticsearch Use Case Guide 3](https://docs.greynoise.io/docs/elastic-use-case-guide-3.md): Flag Authentication Attempts from Compromised Hosts - [Elasticsearch Use Case Guide 4](https://docs.greynoise.io/docs/elastic-use-case-guide-4.md): Detect Outbound Connections to Threat Infrastructure - [Google Security Operations SIEM Overview](https://docs.greynoise.io/docs/google-secops-siem-overview.md) - [Google Security Operations SIEM Installation Guide](https://docs.greynoise.io/docs/google-secops-siem-installation-guide.md) - [Google Security Operations SIEM Use Case Guide 1](https://docs.greynoise.io/docs/google-secops-siem-use-case-guide-1.md): Reducing Alert Volume and Surfacing Targeted Threats - [Google Security Operations SIEM Use Case Guide 2](https://docs.greynoise.io/docs/google-secops-siem-use-case-guide-2.md): Detecting Allowed Inbound Traffic from Known Malicious Hosts - [Google Security Operations SIEM Use Case Guide 3](https://docs.greynoise.io/docs/google-secops-siem-use-case-guide-3.md): Flag Authentication Attempts from Compromised Hosts - [Google Security Operations SIEM Use Case Guide 4](https://docs.greynoise.io/docs/google-secops-siem-use-case-guide-4.md): # Detect Outbound Connections to Threat Infrastructure - [Microsoft Sentinel Overview](https://docs.greynoise.io/docs/sentinel-overview.md) - [Microsoft Sentinel Installation Guide](https://docs.greynoise.io/docs/sentinel-installation-guide.md) - [Microsoft Sentinel Use Case Guide 1](https://docs.greynoise.io/docs/sentinel-use-case-guide-1.md): Reducing Alert Volume and Surfacing Targeted Threats - [Microsoft Sentinel Use Case Guide 2](https://docs.greynoise.io/docs/sentinel-use-case-guide-2.md): Detecting Allowed Inbound Traffic from Known Malicious Hosts - [Microsoft Sentinel Use Case Guide 3](https://docs.greynoise.io/docs/sentinel-use-case-guide-3.md): Flag Authentication Attempts from Compromised Hosts - [Microsoft Sentinel Use Case Guide 4](https://docs.greynoise.io/docs/sentinel-use-case-guide-4.md): Detect Outbound Connections to Threat Infrastructure - [Splunk SIEM Overview](https://docs.greynoise.io/docs/splunk-overview.md) - [Splunk SIEM Installation Guide](https://docs.greynoise.io/docs/splunk-installation-guide.md) - [Splunk SIEM Use Case Guide 1](https://docs.greynoise.io/docs/splunk-use-case-guide-1.md): Reducing Alert Volume and Surfacing Targeted Threats - [Splunk SIEM Use Case Guide 2](https://docs.greynoise.io/docs/splunk-use-case-guide-2.md): Detecting Allowed Inbound Traffic from Known Malicious Hosts - [Splunk SIEM Use Case Guide 3](https://docs.greynoise.io/docs/splunk-use-case-guide-3.md): Flag Authentication Attempts from Compromised Hosts - [Splunk SIEM Use Case Guide 4](https://docs.greynoise.io/docs/splunk-use-case-guide-4.md): Detect Outbound Connections to Threat Infrastructure - [SOAR Integrations](https://docs.greynoise.io/docs/soar-integrations.md) - [SOAR Integration Overview: Google SecOps SOAR](https://docs.greynoise.io/docs/soar-integration-overview-google-secops-soar.md) - [SOAR Integration Overview: FortiNET FortiSOAR](https://docs.greynoise.io/docs/integration-overview-fortinet-fortisoar.md) - [SOAR Integration Overview: Splunk SOAR (Phantom)](https://docs.greynoise.io/docs/integration-overview-splunk-phantom.md) - [SOAR Integration Overview: Swimlane](https://docs.greynoise.io/docs/integration-overview-swimlane.md) - [SOAR Integration Overview: Tines](https://docs.greynoise.io/docs/integration-overview-tines.md) - [SOAR Integration Overview: XSOAR (Demisto)](https://docs.greynoise.io/docs/integration-overview-xsoar-demisto.md) - [TIP Integrations](https://docs.greynoise.io/docs/tip-integrations.md) - [TIP Integration Overview: Anomali ThreatStream](https://docs.greynoise.io/docs/integration-overview-anomali-threatstream.md) - [TIP Integration Overview: MISP](https://docs.greynoise.io/docs/integration-overview-misp.md) - [TIP Integration Overview: OpenCTI](https://docs.greynoise.io/docs/tip-integration-overview-opencti.md): This guide explains how to configure the GreyNoise connector in OpenCTI to ingest IP indicators, enrich observables, apply classifications, and set up custom labels—helping analysts filter background internet noise. - [TIP Integration Overview: Recorded Future](https://docs.greynoise.io/docs/integration-overview-recorded-future.md) - [TIP Integration Overview: ThreatQ](https://docs.greynoise.io/docs/integration-overview-threatq.md) - [Integration Overview: Cribl](https://docs.greynoise.io/docs/integration-overview-cribl.md) - [Analyst Tool Integrations](https://docs.greynoise.io/docs/analyst-tool-integrations.md) - [Analyst Integration Overview: Maltego](https://docs.greynoise.io/docs/integration-overview-maltego.md) - [Analyst Integration Overview: Polarity](https://docs.greynoise.io/docs/integration-overview-polarity.md) - [On-Demand Training Series List](https://docs.greynoise.io/docs/greynoise-university-series-list.md) - [Product Overview Training Modules](https://docs.greynoise.io/docs/product-overview-training-modules.md) - [API and CLI Training Modules](https://docs.greynoise.io/docs/api-and-cli-training-modules.md) - [Instructor Led Courses](https://docs.greynoise.io/docs/instructor-led-courses.md) - [Python SDK Information](https://docs.greynoise.io/docs/libraries-sample-code.md) - ["How I Use GreyNoise" Sessions](https://docs.greynoise.io/docs/community-resources.md): Welcome to the "How I Use GreyNoise" video series. Our goal is to highlight how analysts, researchers, and others use GreyNoise products to solve their security problems.If you're interested in doing a session, please reach out to our Community Manager, Sam via community@greynoise.io. - [Open Forum Recordings](https://docs.greynoise.io/docs/open-forum-recordings.md) - [Research Community Access (frm VIP Program)](https://docs.greynoise.io/docs/vip-program.md) - [Project Swarm Overview](https://docs.greynoise.io/docs/swarm-overview.md) - [How It Works: Core Architecture](https://docs.greynoise.io/docs/how-it-works-core-architecture.md) - [Project Swarm Glossary ](https://docs.greynoise.io/docs/swarm-glossary.md) - [Sensors](https://docs.greynoise.io/docs/sensors.md) - [Sensor Installation Guide](https://docs.greynoise.io/docs/sensor-installation-guide.md): The following provides a basic overview of how to perform an installation of a GreyNoise Sensor on a Customer Hosted device. - [Deploying a Project Swarm Sensor on a Home Network](https://docs.greynoise.io/docs/home-network-configuration.md) - [Sensor Management ](https://docs.greynoise.io/docs/sensor-management.md) - [Sensor Troubleshooting](https://docs.greynoise.io/docs/troubleshooting-1.md) - [Video Tutorials - Sensor Deployments](https://docs.greynoise.io/docs/video-tutorials.md) - [Profiles](https://docs.greynoise.io/docs/profiles.md) - [Profile Library & Setup](https://docs.greynoise.io/docs/profile-library-setup.md) - [Assigning Profiles to Sensors](https://docs.greynoise.io/docs/assigning-profiles-to-sensors.md) - [Creating a Profile](https://docs.greynoise.io/docs/creating-a-profile.md) - [OVA Uploads](https://docs.greynoise.io/docs/ova-uploads.md) - [Transporters](https://docs.greynoise.io/docs/transporters.md) - [Request a Custom Profile](https://docs.greynoise.io/docs/request-a-custom-profile.md) - [Session Explorer](https://docs.greynoise.io/docs/explore.md) - [Querying and Filtering ](https://docs.greynoise.io/docs/querying-and-filtering.md) - [Working with the Sessions Table](https://docs.greynoise.io/docs/working-with-the-sessions-table.md) - [Data Visualizations](https://docs.greynoise.io/docs/data-visualizations.md) - [Data Field Reference ](https://docs.greynoise.io/docs/all-queryable-fields.md) - [Common Workflows](https://docs.greynoise.io/docs/common-workflows.md) - [Compare ](https://docs.greynoise.io/docs/compare.md) - [Project Swarm Use Cases](https://docs.greynoise.io/docs/swarm-use-cases.md) - [Project Swarm FAQs](https://docs.greynoise.io/docs/swarm-faqs.md) - [Intelligence Module Comparison: Internet Scanners](https://docs.greynoise.io/docs/intelligence-module-internet-scanner-comparison.md) - [Intelligence Module - Triage](https://docs.greynoise.io/docs/intelligence-module-triage.md) - [Intelligence Module - Investigate](https://docs.greynoise.io/docs/intelligence-module-investigate.md) - [Intelligence Module - Hunt ](https://docs.greynoise.io/docs/intelligence-module-hunt.md) - [Intelligence Module - Business Services](https://docs.greynoise.io/docs/intelligence-module-business-services.md) - [Intelligence Module - Vulnerability Prioritization](https://docs.greynoise.io/docs/intelligence-module-vulnerablity-prioritization.md) - [Intelligence Module - C2 Detection](https://docs.greynoise.io/docs/intelligence-module-c2-detection.md) - [Community Response](https://docs.greynoise.io/docs/community-response.md) - [v2 - v3 API Migration Matrix](https://docs.greynoise.io/docs/v2-v3-api-migration-matrix.md) - [API v3: What’s New (vs. v2)](https://docs.greynoise.io/docs/api-v3-whats-new-vs-v2.md) ## API Reference - [Community API](https://docs.greynoise.io/reference/getcommunityip.md): The Community API provides community users with a free tool to query IPs in the GreyNoise dataset and retrieve a subset of the full IP context data returned by the IP Lookup API. - [IP Timeline Field Summary](https://docs.greynoise.io/reference/getiptimelinefieldsummary.md): Retrieve an IP address' summary of noise activity for a specific field. _License: This endpoint requires an additional subscription license to use._ - [IP Lookup](https://docs.greynoise.io/reference/v3ip.md): Get more information about a given IP address. Returns time ranges, IP metadata (network owner, ASN, reverse DNS pointer, country), associated actors, activity tags, and raw port scan and web request information. Use the `quick` parameter to return a subset of the response fields, for a faster response time. - [IP Lookup - Multi](https://docs.greynoise.io/reference/v3multiip.md): Retrieves information about the submitted set of IP addresses from the Internet Scanner and Business Service intelligence datasets (consolidated response based on subscription entitlements). Returns time ranges, IP metadata (network owner, ASN, reverse DNS pointer, country), associated actors, tags, raw port scan data, web request information, classification and/or trust level, and provider information. Use the `quick` parameter to return a subset of the response fields, for a faster response time. Can process up to 10,000 IPs per request. - [GNQL V3 Query](https://docs.greynoise.io/reference/gnqlv3query.md): GreyNoise Query Language GNQL (GreyNoise Query Language) is a domain-specific query language that uses Lucene deep under the hood. GNQL aims to enable GreyNoise Enterprise and Research users to make complex and one-off queries against the GreyNoise dataset as new business cases arise. GNQL is built with self-defeat and fully featured product lines in mind. If we do our job correctly, each individual GNQL query that brings our users and customers sufficient value will eventually be transitioned into it's own individual offering. _License: The `business_service_intelligence` response field requires the BSI Module. Without it, every result returns an empty `business_service_intelligence` object; all other fields are returned normally._ Facets: * `ip` - The IP address of the scanning device IP * `classification` - Whether the device has been categorized as unknown, benign, or malicious * `first_seen` - The date the device was first observed by GreyNoise * `last_seen` - The date the device was most recently observed by GreyNoise * `actor` - The benign actor the device has been associated with, such as Shodan, Censys, GoogleBot, etc * `tags` - A list of the tags the device has been assigned over the past 90 days * `spoofable` - This IP address has been opportunistically scanning the Internet, however has failed to complete a full TCP connection. Any reported activity could be spoofed. * `vpn` - This IP is associated with a VPN service. Activity, malicious or otherwise, should not be attributed to the VPN service provider. * `vpn_service` - The VPN service the IP is associated with * `tor` - Whether or not the device is a known Tor exit node * `cve` - A list of CVEs that the device has been associated with * `single_destination` - A boolean parameter that filters source country IPs that have only been observed in a single destination country * `metadata.category` - Whether the device belongs to a business, isp, hosting, education, or mobile network * `metadata.carrier` - The Internet Service Provider (ISP) or telecommunications carrier associated with the source IP address * `metadata.country` - The full name of the country the device is geographically located in (This is the same data as `metadata.source_country`. `metadata.source_country` is preferred) * `metadata.country_code` - The two-character country code of the country the device is geographically located in (This is the same data as `metadata.source_country_code`. `metadata.source_country_code` is preferred) * `metadata.datacenter` - The datacenter or hosting provider from which the activity originates. This could indicate the use of cloud services, managed hosting, or enterprise datacenter infrastructure. * `metadata.domain` - The domain name associated with the source IP address * `metadata.sensor_hits` - The amount of unique data that has been recorded by the sensor * `metadata.sensor_count` - The number of sensors the IP Address has been observed on * `metadata.city` - The city the device is geographically located in * `metadata.region` - The region the device is geographically located in * `metadata.organization` - The organization that owns the network that the IP address belongs to * `metadata.rdns` - The reverse DNS pointer of the IP * `metadata.asn` - The autonomous system the IP address belongs to * `metadata.destination_cities` - The city where the GreyNoise sensor is geographically located * `metadata.destination_asns` - The ASN associated with the destination IP address * `metadata.destination_countries` - The full country name where the GreyNoise sensors are physically located * `metadata.destination_country_codes` - The country code where the GreyNoise sensors are physically located * `metadata.destination_country` - The full country name where the GreyNoise sensors are physically located * `metadata.destination_country_code` - The country code where the GreyNoise sensors are physically located * `metadata.latitude` - The geographic latitude of the source IP address * `metadata.longitude` - The geographic longitude of the source IP address * `metadata.rdns_parent` - The parent domain retrieved through reverse DNS (RDNS) lookup of the source IP address * `metadata.rdns_validated` - A validation status that confirms whether the reverse DNS (RDNS) record correctly maps to the source domain * `metadata.source_country_code` - The two-character country code of the country the device is geographically located in * `metadata.source_country` - The full name of the country the device is geographically located in * `raw_data.scan.port` - The port being targeted on a GreyNoise sensor * `raw_data.scan.protocol` - The protocol of the port the device has been observed scanning * `raw_data.web.paths` - Any HTTP paths the device has been observed crawling the Internet for * `raw_data.web.useragents` - Any HTTP user-agents the device has been observed using while crawling the Internet * `raw_data.ja3.fingerprint` - The JA3 TLS/SSL fingerprint * `raw_data.ja3.port` - The corresponding TCP port for the given JA3 fingerprint * `raw_data.hassh.fingerprint` - The HASSH fingerprint * `raw_data.hassh.port` - The corresponding TCP port for the given HASSH fingerprint * `raw_data.http.md5` - An MD5 hash of the body content. This compact, unique representation of the data allows for quick comparisons and deduplication of payloads without storing the raw content. * `raw_data.http.cookie_keys` - The keys or names of cookies exchanged in the communication. These can reveal session identifiers, tracking mechanisms, or other metadata used in web interactions, providing clues about application behavior or vulnerabilities. * `raw_data.http.request_authorization` - The contents of the Authorization header in a request, typically containing authentication credentials or tokens (e.g., Basic Auth, Bearer tokens). Analyzing this helps verify authorization mechanisms and detect credential misuse or token abuse. * `raw_data.http.request_cookie` - Key-value pairs stored in cookies sent with an HTTP request. These cookies often contain session identifiers, user preferences, or tracking data, which can be analyzed to detect unauthorized access or manipulation. * `raw_data.http.request_header` - Request Headers are the keys (names) of HTTP headers that a client sends to a server. * `raw_data.http.request_method` - The HTTP method used in the request, such as GET, POST, PUT, or DELETE. Analyzing methods can reveal the intent of the request, such as retrieving or modifying resources, and identify unexpected or suspicious activity. * `raw_data.http.request_origin` - Indicates the origin of the request, typically used in cross-origin resource sharing (CORS) to specify where the request originated. This helps identify unauthorized or potentially malicious cross-origin requests. * `raw_data.tls.cipher` - The encryption algorithm or cipher suite used during the secure communication. Identifying the cipher helps assess the security of the connection, particularly in TLS/SSL traffic. * `raw_data.tls.ja4` - JA4 TLS fingerprint. JA4 captures distinctive characteristics of TLS client behavior, useful for identifying and clustering malicious or anomalous clients. * `raw_data.http.ja4h` - JA4H HTTP client fingerprint. Captures characteristics of HTTP client behavior including method, headers, and cookie fields, useful for identifying and tracking HTTP clients. * `raw_data.ssh.ja4ssh` - JA4SSH fingerprint. Captures SSH traffic patterns including packet lengths and directions, useful for identifying SSH client behavior and detecting anomalous sessions. * `raw_data.tcp.ja4t` - JA4T TCP fingerprint. Captures TCP connection characteristics such as window size, options, and MSS, useful for OS fingerprinting and identifying network stacks. * `raw_data.tcp.ja4l` - JA4L light distance/latency fingerprint. Captures TCP TTL and window size characteristics, useful for estimating client-server distance and identifying proxied connections. Behavior: * `raw_data.ssh.key` - This is the SSH key used. * You can subtract facets by prefacing the query with a minus character * The data that this endpoint queries refreshes once per hour Shortcuts: * You can find interesting hosts by using the GNQL query term `interesting` * You can use the keyword `today` in the `first_seen` and `last_seen` parameters: `last_seen:today` or `first_seen:today` Examples: * `last_seen:today` - Returns all IPs scanning/crawling the Internet today * `tags:Mirai` - Returns all devices with the "Mirai" tag * `tags:"RDP Scanner"` - Returns all devices with the "RDP Scanner" tag * `classification:malicious metadata.country:Belgium` - Returns all compromised devices located in Belgium * `classification:malicious metadata.rdns:*.gov*` - Returns all compromised devices that include .gov in their reverse DNS records * `metadata.organization:Microsoft classification:malicious` - Returns all compromised devices that belong to Microsoft * `(raw_data.scan.port:445 and raw_data.scan.protocol:TCP) metadata.os:Windows*` - Return all devices scanning the Internet for port 445/TCP running Windows operating systems (Conficker/EternalBlue/WannaCry) * `raw_data.scan.port:554` - Returns all devices scanning the Internet for port 554 * `-metadata.organization:Google raw_data.web.useragents:GoogleBot` - Returns all devices crawling the Internet with "GoogleBot" in their useragent from a network that does NOT belong to Google * `tags:"Siemens PLC Scanner" -classification:benign` - Returns all devices scanning the Internet for SCADA devices who ARE NOT tagged by GreyNoise as "benign" (Shodan/Project Sonar/Censys/Google/Bing/etc) * `classification:benign` - Returns all "good guys" scanning the Internet * `raw_data.ja3.fingerprint:795bc7ce13f60d61e9ac03611dd36d90` - Returns all devices crawling the Internet with a matching client JA3 TLS/SSL fingerprint * `raw_data.hassh.fingerprint:51cba57125523ce4b9db67714a90bf6e` - Returns all devices crawling the Internet with a matching client HASSH fingerprint * `raw_data.tls.ja4:t13d1516h2_8daaf6152771_02713d6af862` - Returns all devices with a matching JA4 TLS fingerprint * `raw_data.http.ja4h:ge11cn060000_4e59edc1297a_4da5efaf0cbd` - Returns all devices with a matching JA4H HTTP fingerprint * `raw_data.ssh.ja4ssh:c76s76_c71s59_c0s0` - Returns all devices with a matching JA4SSH fingerprint * `raw_data.tcp.ja4t:64240_2-1-3-1-1-4_1460_8` - Returns all devices with a matching JA4T TCP fingerprint * `raw_data.tcp.ja4l:1460_64` - Returns all devices with a matching JA4L light distance/latency fingerprint * `raw_data.web.paths:"/HNAP1/"` -Returns all devices crawling the Internet for the HTTP path "/HNAP1/" * `8.0.0.0/8` - Returns all devices scanning the Internet from the CIDR block 8.0.0.0/8 * `cve:CVE-2021-30461` - Returns all devices associated with the supplied CVE * `source_country:Iran` - Returns all results originating from Iran * `destination_country:Ukraine single_destination:true` - Returns all results scanning in only Ukraine - [GNQL V3 Metadata Query](https://docs.greynoise.io/reference/gnqlv3metadataquery.md): GreyNoise Query Language Metadata Endpoint This endpoint provides the same functionality as the main GNQL endpoint but with additional field filtering capabilities. It automatically excludes raw data from responses and allows you to specify additional fields to exclude. The metadata endpoint is designed for use cases where you need to retrieve IP intelligence data without the raw scan data, making it more efficient for metadata-focused queries. _License: The `business_service_intelligence` response field requires the BSI Module. Without it, every result returns an empty `business_service_intelligence` object; all other fields are returned normally._ - [GNQL V3 Stats](https://docs.greynoise.io/reference/gnqlv3stats.md): Get aggregate statistics for the top organizations, actors, tags, ASNs, countries, classifications, and operating systems of all the results of a given GNQL query. - [GNQL V3 Recall](https://docs.greynoise.io/reference/gnqltimeseries.md): Get hourly GNQL records for a given time range. - [GNQL V3 Recall Stats](https://docs.greynoise.io/reference/gnqltimeseriesstats.md): Get the number of unique IPs that match a GNQL query per hour/day over a given time range. - [Ping](https://docs.greynoise.io/reference/ping.md): Provides a simple endpoint to check GreyNoise status and GreyNoise API access - [List CVEs](https://docs.greynoise.io/reference/listcves.md): Return CVE records tracked by GreyNoise, ordered by publication date, last-update date, or CVSS score. Default cap is 100 records, configurable up to 1000 via the `limit` query parameter. This endpoint requires the `feature-search-cves-bulk` entitlement. Response payload is shaped according to the caller's CVE Insights tier (minimal, basic, or advanced). - [Bulk CVE Lookup](https://docs.greynoise.io/reference/bulkcvelookup.md): Retrieve information about multiple CVEs in a single request. Supports up to 10,000 CVEs per request. This endpoint requires a business email address and appropriate entitlements. Response type depends on user entitlements (minimal, basic, or advanced). - [Retrieve CVE Information](https://docs.greynoise.io/reference/getcve.md): Retrieve details about a specific Common Vulnerabilities and Exposures (CVE). - [List Tags](https://docs.greynoise.io/reference/listtags.md): Retrieve a list of tags with their metadata. Supports filtering by name, slug, and CVE. This endpoint returns tag information including ID, name, slug, category, intention, description, references, CVEs, and related tags. - [Get Sessions](https://docs.greynoise.io/reference/getsessions.md): Returns a paginated list of network sessions matching the query criteria. Sessions represent individual network connections captured by GreyNoise sensors. - [Get Session Fields](https://docs.greynoise.io/reference/getsessionfields.md): Returns the list of available session fields for querying and display. Use this to discover which fields can be used in queries, sorting, and aggregations. - [Get Session Counts](https://docs.greynoise.io/reference/getsessioncounts.md): Returns aggregated counts of sessions grouped by the specified fields. Useful for building dashboards and understanding traffic distribution. - [Get Session Connections](https://docs.greynoise.io/reference/getsessionconnections.md): Returns a graph of connections between source and destination fields. Useful for visualizing network relationships and communication patterns. - [Get Session Timeseries](https://docs.greynoise.io/reference/getsessiontimeseries.md): Returns timeseries data for sessions, optionally grouped by a field. Useful for visualizing session volume over time and identifying trends. - [Get Unique Field Values](https://docs.greynoise.io/reference/getsessionuniquevalues.md): Returns unique values for a session field as a CSV download, optionally with counts. Useful for extracting distinct IPs, ports, or other field values matching a query. - [Export PCAP for Multiple Sessions](https://docs.greynoise.io/reference/exportsessionspcap.md): Returns a PCAP file containing packets from sessions matching the query criteria. The response is a binary PCAP file suitable for analysis with tools like Wireshark. Not available when `scope=demo` (returns 403). - [Get Session by ID](https://docs.greynoise.io/reference/getsessionbyid.md): Returns a single session by its ID, including full session metadata and connection details. - [Get Session PCAP](https://docs.greynoise.io/reference/getsessionpcap.md): Returns raw PCAP bytes for a single session. The response is a binary PCAP file suitable for analysis with tools like Wireshark. - [Export Session Data](https://docs.greynoise.io/reference/exportsessiondata.md): Downloads session data as PCAP or raw payload for a single session. Use the `type` parameter to select the export format. Not available when `scope=demo` (returns 403). - [BSI Trust-Level Stats](https://docs.greynoise.io/reference/getbsitrust.md): Returns counts of BSI IPs and CIDRs grouped by trust level. Use `date=now` for current information or `date=YYYY-MM-DD` for historical information. This endpoint requires the proper BSI entitlements. - [BSI Company Stats](https://docs.greynoise.io/reference/getbsicompany.md): Returns counts of BSI IPs and CIDRs grouped by company name. Use `date=now` for current information or `date=YYYY-MM-DD` for historical information. This endpoint requires the proper BSI entitlements. - [BSI Category Stats](https://docs.greynoise.io/reference/getbsicategory.md): Returns counts of BSI IPs and CIDRs grouped by category. Use `date=now` for current information or `date=YYYY-MM-DD` for historical information. This endpoint requires the proper BSI entitlements. - [BSI Bulk Data Download](https://docs.greynoise.io/reference/getbsidownload.md): Returns the newest BSI bulk-data file for the requested date as a gzipped, newline-delimited JSON (`.json.gz`) stream. Each line is a single record with provider metadata (`name`, `category`, `trust_level`, etc.), a CIDR (`ip_cidr`), and a scan timestamp. Use `date=now` for today's snapshot (resolved server-side to today's UTC date) or `date=YYYY-MM-DD` for a specific historical partition. _License: This endpoint requires an additional subscription license to use._ - [BSI Single-IP Lookup](https://docs.greynoise.io/reference/getbsilookup.md): Returns every BSI provider whose CIDR(s) contain the queried IPv4 address, ordered by ascending precedence (lower precedence = higher priority). An empty `matches` array means the IP is not in BSI. IPv6 addresses are rejected with HTTP 400. Lookups are served from an in-memory index that refreshes from the daily bulk-data partition; staleness may be up to ~30 minutes after a partition rolls. _License: This endpoint requires an additional subscription license to use._ - [BSI Bulk IP Lookup](https://docs.greynoise.io/reference/getbsibulklookup.md): Accepts up to 1,000 IPv4 addresses and returns BSI provider matches for each, preserving request order. A given IP's `matches` entry is an empty array if it is not in BSI. IPv6 addresses are rejected with HTTP 400 (the whole request fails; callers should re-issue without the offending entry). _License: This endpoint requires an additional subscription license to use._ - [Create Blocklist](https://docs.greynoise.io/reference/createblocklist.md): Create a new blocklist in the specified workspace. The blocklist is defined by a GNQL query and will automatically refresh its IP list. - [List Blocklists](https://docs.greynoise.io/reference/listblocklists.md): List all blocklists for a workspace. Results are paginated via `limit` and `offset` query parameters. - [Update Blocklist](https://docs.greynoise.io/reference/updateblocklist.md): Update an existing blocklist. The GNQL query, name, IP limit, and enabled status can be changed. - [Get Blocklist](https://docs.greynoise.io/reference/getblocklist.md): Retrieve a single blocklist by ID. - [Delete Blocklist](https://docs.greynoise.io/reference/deleteblocklist.md): Delete a blocklist by ID. - [Get Blocklist IPs](https://docs.greynoise.io/reference/getblocklistips.md): Retrieve the list of IP addresses currently matching the blocklist's GNQL query. - [Psychic Model Download](https://docs.greynoise.io/reference/postpsychicmodeldownload.md): Downloads a Psychic model file. The request body selects the model (`1`, `2`, `3`, `4`, `m1`, `m2`, `m3`, `m4`, `model1`, `model2`, `model3`, or `model4`). Models 1, 2, and 3 may set `date` to `latest` or a `YYYY-MM-DD` date. When `date` is omitted, the latest daily model is used. Models 1, 2, and 3 may also request an inclusive date range with `start_date` and `end_date`; ranges are limited to 30 days and return one combined download. Model 4 downloads the latest model 4 artifact. Model 4 may omit `date` or set `date` to `latest`, but does not support historical dates, `start_date`, or `end_date`. Set `format` to `mmdb` to download a MaxMind DB file. When `format` is omitted, the binary model format is used. _License: This endpoint requires the Psychic model meter entitlement for the requested model. Historical dates also require that model's Psychic lookback-days entitlement to cover the requested date or range start date._ - [Psychic Snapshot Download](https://docs.greynoise.io/reference/postpsychicsnapshotdownload.md): Downloads a precomputed Psychic snapshot artifact. Snapshots are fixed, already-materialized files for common rolling windows and latest model 4. This endpoint does not generate missing ranges or convert missing MMDBs. Models 1, 2, and 3 require `days` and currently support only `7` or `30`. Model 4 downloads the latest model 4 snapshot and rejects `days`. `date`, `start_date`, and `end_date` are not supported on this endpoint. A successful response streams the snapshot file. Transfer time still depends on file size and client connection speed. A `404` response means the requested snapshot artifact is not available. _License: This endpoint requires the Psychic model meter entitlement for the requested model. Models 1, 2, and 3 also require that model's Psychic lookback-days entitlement to cover the resolved snapshot start date._ - [Callback IP Lookup](https://docs.greynoise.io/reference/callbackgetip.md): Retrieve detailed information about a specific callback IP, including attack stage, scanner associations, and downloaded malware files. - [List Callback IPs](https://docs.greynoise.io/reference/callbacklistips.md): Retrieve a paginated list of callback IPs with filtering by attack stage, date ranges, file attributes, and scanner associations. - [Export Callback IPs](https://docs.greynoise.io/reference/callbackexportips.md): Export callback IPs matching the given filters as a newline-delimited plain text list. Supports the same filter parameters as the List Callback IPs endpoint. - [Callback Overview Statistics](https://docs.greynoise.io/reference/callbackoverview.md): Retrieve aggregate statistics for callback IPs including counts by attack stage, file analysis status, scanner associations, and top threat names. ## Pages - [Product Roadmap](https://docs.greynoise.io/testing.md)