List Callback IPs

post

https://api.greynoise.io/v1/callback/ips

Retrieve a paginated list of callback IPs with filtering by attack stage, date ranges, file attributes, and scanner associations.

Body Params

is_stage_1

boolean

Filter by stage 1 status. true = file downloaded from this IP.

is_stage_2

boolean

Filter by stage 2 status. true = suspected C2 based on VT/sandbox analysis.

first_seen_after

date

Only include IPs first seen after this date (YYYY-MM-DD).

first_seen_before

date

Only include IPs first seen before this date (YYYY-MM-DD).

last_seen_after

date

Only include IPs last seen after this date (YYYY-MM-DD).

last_seen_before

date

Only include IPs last seen before this date (YYYY-MM-DD).

has_files

boolean

If true, only include IPs with associated malware files. If false, only IPs without files.

file_type

string

Filter by file MIME type (e.g. "application/x-executable").

file_name

string

Filter by file name substring match.

file_hash

string

Filter by file SHA256 hash.

scanner_ips

array of strings

Filter to IPs associated with these scanner IPs.

scanner_ips

ips

array of strings

Filter to this specific set of callback IPs.

ips

page

integer

≥ 0

Defaults to 0

Zero-indexed page number.

page_size

integer

1 to 100

Defaults to 20

Number of results per page (1-100).

Responses

Language

Credentials

Header

URL

Response

Click Try It! to start a request and see the response here! Or choose an example:

application/json

200OK - paginated list of callback IPs returned.

400Bad request - request syntax is invalid for the specified endpoint. Verify request syntax and try again.

401Unauthorized. Please check your API key.

403Forbidden - request is not authorized due to an invalid API key or plan limitations. If due to plan limitations, contact [email protected] to upgrade your plan and unlock full results.

500Unexpected error