GreyNoise-Intelligence

greynoise-mcp-server

Official

Server Configuration

Describes the environment variables required to run the server.

Name | Required | Description | Default
GREYNOISE_API_KEY | Yes | Your GreyNoise Enterprise API key |

Capabilities

Features and capabilities supported by this server

Capability | Details
tools | { "listChanged": true }
prompts | { "listChanged": true }

Tools

Functions exposed to the LLM to take actions

Name | Description

get-tag-list (A)

Retrieve the complete list of GreyNoise tags. Metadata for each tag includes:

  • id: a unique identifier for the tag used in some API calls

  • name: the human-readable name of the tag

  • slug: the slugified tag name used in some other API calls

  • description: a brief description of the tag's purpose or meaning

  • category: the category or type of the tag

  • intention: whether the tag activity is benign, malicious, suspicious, or unknown

  • references: an optional array of URL references or sources for the tag

  • cves: an optional array of CVE identifiers associated with the tag

  • created_at: the timestamp when the tag was created

  • related_tags: an optional array of related tags that are similar or related to the current tag

search-tags (C)

Search GreyNoise Tags by various criteria

get-tag-details (C)

Get detailed information about a specific GreyNoise tag

get-tag-activity (C)

Retrieve time-series that includes unique IP counts and intention activity data for a specific GreyNoise tag or by CVE

analyze-tags-activity (C)

Analyze activity for multiple tags and provide a summary

get-trending-vulnerabilities (A)

Get a list of currently trending vulnerability tags and anomalies from GreyNoise

lookup-ip-context (B)

Get detailed GreyNoise context information about an IP address

quick-check-ip (A)

Get a fast, lightweight check of an IP address from GreyNoise

multi-ip-check (A)

Check multiple IP addresses at once for scanner intelligence and business service classification

gnql-stats (A)

Get aggregate statistics for results matching a GreyNoise GNQL query.

GNQL (GreyNoise Query Language) is a domain-specific query language that uses Lucene deep under the hood.

Facets:

  • "ip" - The IP address of the scanning device

  • "classification" - Whether the device has been categorized as unknown, benign, or malicious

  • "first_seen" - The date the device was first observed by GreyNoise

  • "last_seen" - The date the device was most recently observed by GreyNoise

  • "actor" - The benign actor the device has been associated with, such as Shodan, Censys, GoogleBot, etc

  • "tags" - A list of the tags the device has been assigned over the past 90 days

  • "spoofable" - This IP address has been opportunistically scanning the Internet, however has failed to complete a full TCP connection. Any reported activity could be spoofed.

  • "vpn" - This IP is associated with a VPN service. Activity, malicious or otherwise, should not be attributed to the VPN service provider.

  • "vpn_service" - The VPN service the IP is associated with

  • "cve" - A list of CVEs that the device has been associated with

  • "bot" - Whether the IP is known to belong to a bot

  • "single_destination" - A boolean parameter that filters source country IPs that have only been observed in a single destination country

  • "metadata.category" - Whether the device belongs to a business, isp, hosting, education, or mobile network

  • "metadata.country" - The full name of the country the device is geographically located in (This is the same data as "metadata.source_country". "metadata.source_country" is preferred)

  • "metadata.country_code" - The two-character country code of the country the device is geographically located in (This is the same data as "metadata.source_country_code". "metadata.source_country_code" is preferred)

  • "metadata.sensor_hits" - The amount of unique data that has been recorded by the sensor

  • "metadata.sensor_count" - The number of sensors the IP Address has been observed on

  • "metadata.city" - The city the device is geographically located in

  • "metadata.region" - The region the device is geographically located in

  • "metadata.organization" - The organization that owns the network that the IP address belongs to

  • "metadata.rdns" - The reverse DNS pointer of the IP

  • "metadata.asn" - The autonomous system the IP address belongs to

  • "metadata.tor" - Whether or not the device is a known Tor exit node

  • "metadata.destination_country" - The full name of the country where the GreyNoise sensor is physically located

  • "metadata.destination_country_code" - The country code of the country where the GreyNoise sensor is physically located

  • "metadata.source_country_code" - The two-character country code of the country the device is geographically located in

  • "metadata.source_country" - The full name of the country the device is geographically located in

  • "raw_data.scan.port" - The port number(s) the device has been observed scanning

  • "raw_data.scan.protocol" - The protocol of the port the device has been observed scanning

  • "raw_data.web.paths" - Any HTTP paths the device has been observed crawling the Internet for

  • "raw_data.web.useragents" - Any HTTP user-agents the device has been observed using while crawling the Internet

  • "raw_data.ja3.fingerprint" - The JA3 TLS/SSL fingerprint

  • "raw_data.ja3.port" - The corresponding TCP port for the given JA3 fingerprint

  • "raw_data.hassh.fingerprint" - The HASSH fingerprint

  • "raw_data.hassh.port" - The corresponding TCP port for the given HASSH fingerprint

Behavior:

  • You can subtract facets by prefacing the query with a minus character

  • The data that this endpoint queries refreshes once per hour

Shortcuts:

  • You can find interesting hosts by using the GNQL query term "interesting"

  • You can use the keyword "today" in the "first_seen" and "last_seen" parameters: "last_seen:today" or "first_seen:today"

Examples:

  • "last_seen:today" - Returns all IPs scanning/crawling the Internet today

  • "tags:Mirai" - Returns all devices with the "Mirai" tag

  • "tags:"RDP Scanner"" - Returns all devices with the "RDP Scanner" tag

  • "classification:malicious metadata.country:Belgium" — Returns all compromised devices located in Belgium

  • "classification:malicious metadata.rdns:.gov" - Returns all compromised devices that include .gov in their reverse DNS records

  • "metadata.organization:Microsoft classification:malicious" — Returns all compromised devices that belong to Microsoft

  • "(raw_data.scan.port:445 and raw_data.scan.protocol:TCP) metadata.os:Windows*" - Returns all devices scanning the Internet for port 445/TCP running Windows operating systems (Conficker/EternalBlue/WannaCry)

  • "raw_data.scan.port:554" - Returns all devices scanning the Internet for port 554

  • "-metadata.organization:Google raw_data.web.useragents:GoogleBot" — Returns all devices crawling the Internet with "GoogleBot" in their useragent from a network that does NOT belong to Google

  • "tags:"Siemens PLC Scanner" -classification:benign" - Returns all devices scanning the Internet for SCADA devices that ARE NOT tagged by GreyNoise as "benign" (Shodan/Project Sonar/Censys/Google/Bing/etc)

  • "classification:benign" - Returns all "good guys" scanning the Internet

  • "raw_data.ja3.fingerprint:795bc7ce13f60d61e9ac03611dd36d90" — Returns all devices crawling the Internet with a matching client JA3 TLS/SSL fingerprint

  • "raw_data.hassh.fingerprint:51cba57125523ce4b9db67714a90bf6e" — Returns all devices crawling the Internet with a matching client HASSH fingerprint

  • "raw_data.web.paths:"/HNAP1/"" - Returns all devices crawling the Internet for the HTTP path "/HNAP1/"

  • "8.0.0.0/8" - Returns all devices scanning the Internet from the CIDR block 8.0.0.0/8

  • "cve:CVE-2021-30461" - Returns all devices associated with the supplied CVE

  • "source_country:Iran" - Returns all results originating from Iran

  • "destination_country:Ukraine single_destination:true" — Returns all results scanning in only Ukraine

gnql-query (A)

Search GreyNoise data using GNQL (GreyNoise Query Language). Returns full IP context results including raw scan data.

GNQL is a domain-specific query language that uses Lucene deep under the hood.

Facets:

  • "ip" - The IP address of the scanning device

  • "classification" - Whether the device has been categorized as unknown, benign, or malicious

  • "first_seen" / "last_seen" - Date the device was first/most recently observed

  • "actor" - The benign actor the device has been associated with (Shodan, Censys, etc)

  • "tags" - Tags assigned to the device over the past 90 days

  • "cve" - CVEs associated with the device

  • "vpn" / "vpn_service" / "bot" / "tor" - Boolean/string indicators

  • "metadata.category" - Network category (business, isp, hosting, education, mobile)

  • "metadata.source_country" / "metadata.source_country_code" - Source location

  • "metadata.organization" / "metadata.asn" / "metadata.rdns" - Network info

  • "raw_data.scan.port" / "raw_data.scan.protocol" - Scan targets

  • "raw_data.web.paths" / "raw_data.web.useragents" - HTTP activity

  • "raw_data.ja3.fingerprint" / "raw_data.hassh.fingerprint" - TLS/SSH fingerprints

Examples:

  • "classification:malicious last_seen:1d" - Malicious IPs seen in last day

  • "tags:Mirai" - Devices tagged as Mirai

  • "raw_data.scan.port:445 metadata.os:Windows*" - Windows hosts scanning port 445

  • "cve:CVE-2021-30461" - Devices associated with a CVE

  • "source_country:Iran destination_country:Ukraine single_destination:true" - Targeted scanning

Results are paginated. Use the scroll parameter to retrieve additional pages.

gnql-metadata-query (A)

Search GreyNoise data using GNQL, returning IP metadata without raw scan data. Lighter and faster than gnql-query.

Supports the same GNQL query syntax as gnql-query. Use this when you need IP classification, tags, and metadata but not raw scan details (ports, fingerprints, HTTP paths).

Supports CSV output format via the format parameter. Results are paginated.

gnql-timeseries (A)

Retrieve hourly GNQL records for a time range. Enables temporal analysis of IP activity matching any GNQL query (Recall).

Returns IP records bucketed by hour, useful for investigating when specific IPs were active and what they were doing.

gnql-timeseries-stats (A)

Get the number of unique IPs matching a GNQL query per hour/day over a time range (Recall Stats).

Returns aggregated counts of unique IPs per time bucket, useful for trend analysis and understanding how scanning/attack activity changes over time.

get-cve-details (B)

Get detailed information about a specific CVE from GreyNoise

get-session (A)

Get full metadata and connection details for a single GreyNoise sensor session by its ID. Returns source/destination IPs and ports, timestamps, byte/packet counts, classification, and any additional enrichment fields.

get-session-pcap (A)

Download the raw PCAP capture for a single GreyNoise sensor session. Saves the binary PCAP file to a temporary directory and returns the file path. The file can be opened with Wireshark, tshark, or tcpdump.

export-sessions-pcap (A)

Export a PCAP file containing packets from multiple GreyNoise sensor sessions matching query criteria. Saves the binary PCAP to a temporary directory and returns the file path. The file can be opened with Wireshark, tshark, or tcpdump.

Use Lucene query syntax to filter sessions (e.g., "destination.port:443", "source.ip:1.2.3.4").

Prompts

Interactive templates invoked by user choice

Name | Description
vendor-threat-report | Generate a comprehensive threat report for a vendor technology
ip-threat-analysis | Generate a detailed analysis of an IP address to determine if it's malicious and associated threats
cve-analysis | Generate a comprehensive analysis of a CVE including exploitation status and risk assessment
emerging-threat-report | Generate a report on emerging threats based on recent activity and trending data
security-posture-assessment | Generate a security posture assessment for an organization based on technologies and vulnerabilities
threat-hunting | Generate a threat hunting plan based on specific indicators or patterns

Resources

Contextual data attached and managed by the client

Name | Description

No resources

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/GreyNoise-Intelligence/greynoise-mcp-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server