get https://api.greynoise.io/v2/experimental/gnql
GreyNoise Query Language
GNQL (GreyNoise Query Language) is a domain-specific query language
that uses Lucene deep under the hood. GNQL aims to enable GreyNoise
Enterprise and Research users to make complex and one-off queries
against the GreyNoise dataset as new business cases arise. GNQL is
built with self-defeat and fully featured product lines in mind. If
we do our job correctly, each individual GNQL query that brings our
users and customers sufficient value will eventually be transitioned
into it's own individual offering.
Facets:
ip- The IP address of the scanning device IPclassification- Whether the device has been categorized as
unknown, benign, or maliciousfirst_seen- The date the device was first observed by GreyNoiselast_seen- The date the device was most recently observed
by GreyNoiseactor- The benign actor the device has been associated with,
such as Shodan, Censys, GoogleBot, etctags- A list of the tags the device has been assigned over the
past 90 daysspoofable- This IP address has been opportunistically scanning the
Internet, however has failed to complete a full TCP connection. Any
reported activity could be spoofed.vpn- This IP is associated with a VPN service. Activity, malicious
or otherwise, should not be attributed to the VPN service provider.vpn_service- The VPN service the IP is associated withcve- A list of CVEs that the device has been associated withbot- If the IP is known to belong to a known BOTsingle_destination- A boolean parameter that filters source country
IPs that have only been observed in a single destination countrymetadata.category- Whether the device belongs to a business, isp,
hosting, education, or mobile networkmetadata.country- The full name of the country the device is
geographically located in (This is the same data as
metadata.source_country.metadata.source_countryis preferred)metadata.country_code- The two-character country code of the
country the device is geographically located in (This is the same data
asmetadata.source_country_code.metadata.source_country_code
is preferred)metadata.sensor_hits- The amount of unique data that has been recorded by the sensormetadata.sensor_count- The number of sensors the IP Address has been observed onmetadata.city- The city the device is geographically located inmetadata.region- The region the device is geographically located inmetadata.organization- The organization that owns the network that
the IP address belongs tometadata.rdns- The reverse DNS pointer of the IPmetadata.asn- The autonomous system the IP address belongs tometadata.tor- Whether or not the device is a known Tor exit nodemetadata.destination_country- The full name where the GreyNoise
sensor is physically locatedmetadata.destination_country_code- The country code where GreyNoise
sensor is physically locatedmetadata.source_country_code- The two-character country code of the
country the device is geographically located inmetadata.source_country- The full name of the country the device is
geographically located inraw_data.scan.port- The port number(s) the devices has been
observed scanningraw_data.scan.protocol- The protocol of the port the device has
been observed scanningraw_data.web.paths- Any HTTP paths the device has been observed
crawling the Internet forraw_data.web.useragents- Any HTTP user-agents the device has been
observed using while crawling the Internetraw_data.ja3.fingerprint- The JA3 TLS/SSL fingerprintraw_data.ja3.port- The corresponding TCP port for the given JA3
fingerprintraw_data.hassh.fingerprint- The HASSH fingerprintraw_data.hassh.port- The corresponding TCP port for the given HASSH
fingerprint
Behavior:
- You can subtract facets by prefacing the query with a minus character
- The data that this endpoint queries refreshes once per hour
Shortcuts:
- You can find interesting hosts by using the GNQL query term
interesting - You can use the keyword
todayin thefirst_seenand
last_seenparameters:last_seen:todayorfirst_seen:today
Examples:
last_seen:today- Returns all IPs scanning/crawling the
Internet todaytags:Mirai- Returns all devices with the "Mirai" tagtags:"RDP Scanner"- Returns all devices with the "RDP
Scanner" tagclassification:malicious metadata.country:Belgium
- Returns all compromised devices located in Belgium
classification:malicious metadata.rdns:*.gov*- Returns
all compromised devices that include .gov in their reverse DNS recordsmetadata.organization:Microsoft classification:malicious
- Returns all compromised devices that belong to Microsoft
(raw_data.scan.port:445 and raw_data.scan.protocol:TCP) metadata.os:Windows*- Return all devices scanning the Internet
for port 445/TCP running Windows operating systems
(Conficker/EternalBlue/WannaCry)raw_data.scan.port:554- Returns all devices scanning the
Internet for port 554-metadata.organization:Google raw_data.web.useragents:GoogleBot
- Returns all devices crawling the Internet with "GoogleBot" in
their useragent from a network that does NOT belong to Google
tags:"Siemens PLC Scanner" -classification:benign- Returns
all devices scanning the Internet for SCADA devices who ARE
NOT tagged by GreyNoise as "benign"
(Shodan/Project Sonar/Censys/Google/Bing/etc)classification:benign- Returns all "good guys" scanning
the Internetraw_data.ja3.fingerprint:795bc7ce13f60d61e9ac03611dd36d90
- Returns all devices crawling the Internet with a matching
client JA3 TLS/SSL fingerprint
raw_data.hassh.fingerprint:51cba57125523ce4b9db67714a90bf6e
- Returns all devices crawling the Internet with a matching
client HASSH fingerprint
raw_data.web.paths:"/HNAP1/"-Returns all devices crawling
the Internet for the HTTP path "/HNAP1/"8.0.0.0/8- Returns all devices scanning the Internet from
the CIDR block 8.0.0.0/8cve:CVE-2021-30461- Returns all devices associated with the
supplied CVEsource_country:Iran- Returns all results originating from Irandestination_country:Ukraine single_destination:true
- Returns all results scanning in only Ukraine
Search Usage: This endpoint consumes one Search per IP included
in the response DATA object.