
GreyNoise

This Integration is part of the GreyNoise Pack.#

GreyNoise is a cybersecurity platform that collects and analyzes Internet-wide scan and attack traffic. With this integration, users can contextualize existing alerts, filter false-positives, identify compromised devices, and track emerging threats. This integration was integrated and tested with version 3.0.0 of the GreyNoise SDK. Supported Cortex XSOAR versions: 6.0.0 and later.

Configure GreyNoise in Cortex#

| Parameter | Description | Required |
| --- | --- | --- |
| apikey | API Key | False |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip#


Runs reputation on IPs.

Base Command#

ip

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | A comma-separated list of IPs. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Reliability | String | The reliability of the data. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| GreyNoise.IP.address | string | The IP address of the scanning device IP. |
| GreyNoise.IP.actor | string | The overt actor the device has been associated with. |
| GreyNoise.IP.bot | Boolean | Whether the IP is associated with known bot activity or not. Common examples include credential stuffing, content scraping, or brute force attacks. |
| GreyNoise.IP.classification | string | Whether the device has been categorized as unknown, benign, or malicious. |
| GreyNoise.IP.cve | array | CVEs associated with IP. |
| GreyNoise.IP.first_seen | date | The date the device was first observed by GreyNoise. Format is ISO8601. |
| GreyNoise.IP.found | boolean | Whether the IP was found in GreyNoise records. |
| GreyNoise.IP.last_seen | date | The date the device was last observed by GreyNoise. Format is ISO8601. |
| GreyNoise.IP.last_seen_timestamp | string | The timestamp when the device was last observed by GreyNoise. |
| GreyNoise.IP.metadata.asn | string | The autonomous system identification number. |
| GreyNoise.IP.metadata.carrier | string | The carrier information for the IP address. |
| GreyNoise.IP.metadata.category | string | Whether the device belongs to a business, isp, hosting, education, or mobile network. |
| GreyNoise.IP.metadata.city | string | The city the device is geographically located in. |
| GreyNoise.IP.metadata.country | string | The full name of the country. |
| GreyNoise.IP.metadata.country_code | string | The two-character country code of the country. |
| GreyNoise.IP.metadata.datacenter | string | The datacenter information for the IP address. |
| GreyNoise.IP.metadata.destination_asns | array | The list of ASNs targeted by scanning. |
| GreyNoise.IP.metadata.destination_cities | array | The list of cities targeted by scanning. |
| GreyNoise.IP.metadata.destination_countries | array | The list of countries targeted by scanning. |
| GreyNoise.IP.metadata.destination_country_codes | array | The list of country codes targeted by scanning. |
| GreyNoise.IP.metadata.domain | string | The domain associated with the IP address. |
| GreyNoise.IP.metadata.latitude | number | The latitude coordinate of the IP address location. |
| GreyNoise.IP.metadata.longitude | number | The longitude coordinate of the IP address location. |
| GreyNoise.IP.metadata.mobile | boolean | Whether the device is on a mobile network. |
| GreyNoise.IP.metadata.organization | string | The organization that owns the network that the IP address belongs to. |
| GreyNoise.IP.metadata.os | string | The name of the operating system of the device. |
| GreyNoise.IP.metadata.rdns | string | Reverse DNS lookup of the IP address. |
| GreyNoise.IP.metadata.rdns_parent | string | The parent domain of the reverse DNS lookup. |
| GreyNoise.IP.metadata.rdns_validated | boolean | Whether the reverse DNS lookup has been validated. |
| GreyNoise.IP.metadata.region | string | The full name of the region the device is geographically located in. |
| GreyNoise.IP.metadata.sensor_count | number | The number of sensors that observed activity from this IP. |
| GreyNoise.IP.metadata.sensor_hits | number | The number of sensor events recorded from this IP. |
| GreyNoise.IP.metadata.single_destination | boolean | Whether the IP targets a single destination. |
| GreyNoise.IP.metadata.source_city | string | The city where the IP is geographically located. |
| GreyNoise.IP.metadata.source_country | string | The full name of the IP source country. |
| GreyNoise.IP.metadata.source_country_code | string | The country code of the IP source country. |
| GreyNoise.IP.metadata.tor | boolean | Whether the device is a known Tor exit node. |
| GreyNoise.IP.tor | boolean | Whether the device is a known Tor exit node. |
| GreyNoise.IP.raw_data.hassh.fingerprint | string | HASSH hash fingerprint string. |
| GreyNoise.IP.raw_data.hassh.port | number | TCP port connection where the HASSH hash was identified. |
| GreyNoise.IP.raw_data.http.md5 | array | MD5 hashes of HTTP requests made by the device. |
| GreyNoise.IP.raw_data.http.method | array | HTTP methods used by the device. |
| GreyNoise.IP.raw_data.http.path | array | HTTP paths the device has been observed accessing. |
| GreyNoise.IP.raw_data.http.request_header | array | HTTP request headers used by the device. |
| GreyNoise.IP.raw_data.http.useragent | array | HTTP user-agents the device has been observed using. |
| GreyNoise.IP.raw_data.ja3.fingerprint | string | The JA3 TLS/SSL fingerprint. |
| GreyNoise.IP.raw_data.ja3.port | number | The corresponding TCP port for the given JA3 fingerprint. |
| GreyNoise.IP.raw_data.tls.ja4 | array | JA4 TLS/SSL fingerprints. |
| GreyNoise.IP.raw_data.scan.port | number | The port number(s) the device has been observed scanning. |
| GreyNoise.IP.raw_data.scan.protocol | string | The protocol of the port the device has been observed scanning. |
| GreyNoise.IP.raw_data.source.bytes | number | The number of bytes sent by the source. |
| GreyNoise.IP.raw_data.tls.cipher | array | TLS cipher suites used by the device. |
| GreyNoise.IP.raw_data.web.paths | array | Any HTTP paths the device has been observed crawling the Internet for. |
| GreyNoise.IP.raw_data.web.useragents | array | Any HTTP user-agents the device has been observed using while crawling the Internet. |
| GreyNoise.IP.seen | boolean | Whether the IP is in record with GreyNoise. |
| GreyNoise.IP.spoofable | boolean | Whether the IP is spoofable. |
| GreyNoise.IP.tags.category | string | The category of the given tag. |
| GreyNoise.IP.tags.created | date | The date the tag was added to the GreyNoise system. |
| GreyNoise.IP.tags.description | string | A description of what the tag identifies. |
| GreyNoise.IP.tags.id | string | The unique id of the tag. |
| GreyNoise.IP.tags.intention | string | The intention of the associated activity the tag identifies. |
| GreyNoise.IP.tags.name | string | The name of the tag. |
| GreyNoise.IP.tags.recommend_block | boolean | Indicates if IPs associated with this tag should be blocked. |
| GreyNoise.IP.tags.references | string | A list of references used to create the tag. |
| GreyNoise.IP.tags.slug | string | The unique slug of the tag. |
| GreyNoise.IP.tags.updated_at | date | The date the tag was last updated. |
| GreyNoise.IP.vpn | boolean | Whether the device is a VPN endpoint or not. |
| GreyNoise.IP.vpn_service | string | The name of the VPN service provider of the device. |
| GreyNoise.IP.category | string | The category of the business service. |
| GreyNoise.IP.description | string | Description of the business service. |
| GreyNoise.IP.explanation | string | Explanation of why the IP is considered a business service. |
| GreyNoise.IP.riot | boolean | Whether the IP is a common business service. |
| GreyNoise.IP.last_updated | date | When the business service information was last updated. |
| GreyNoise.IP.name | string | The name of the business service. |
| GreyNoise.IP.reference | string | Reference link for the business service. |
| GreyNoise.IP.trust_level | string | If the IP is a business service, how trustworthy the IP is. |
| IP.Address | string | IP address. |
| IP.ASN | string | The autonomous system name for the IP address. |
| IP.Geo.Country | string | The country in which the IP address is located. |
| IP.Geo.Description | string | Additional information about the location such as city and region. |
| IP.Hostname | string | The hostname that is mapped to IP address. |
| IP.Malicious.Description | string | A description explaining why the IP address was reported as malicious. |
| IP.Malicious.Vendor | string | The vendor reporting the IP address as malicious. |

Command Example#

!ip ip="64.39.108.148"

IP: 64.39.108.148 found with Reputation: Good#

GreyNoise Internet Scanner Intelligence Lookup#

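| IP | Internet Scanner | Classification | Actor | Tags | Spoofable | VPN | BOT | Tor | First Seen | Last Seen Timestamp |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 64.39.108.148 | true | benign | Qualys | Qualys (benign - actor) | true | false | false | false | 2025-05-25 | 2025-05-25 09:28:51 |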

IP: 64.39.108.148 found with Reputation: Good#

Belongs to Common Business Service: Qualys#

GreyNoise Business Service Intelligence Lookup#

| IP | Business Service | Category | Name | Trust Level | Description | Last Updated |
| --- | --- | --- | --- | --- | --- | --- |
| 64.39.108.148 | true | vulnerability_management | Qualys | 1 - Reasonably Ignore | Qualys Inc (Qualys) is a provider of cloud-based platform information security and compliance cloud solutions. The company's cloud platform offers private cloud platforms, private cloud platform appliances, public cloud integrations, and cloud agents. | 2025-06-26T13:10:55Z |

greynoise-ip-quick-check#


Check whether a given IP address is "Internet background noise", or has been observed scanning or attacking devices across the Internet. Note: It checks against the last 60 days of Internet scanner data.

Base Command#

greynoise-ip-quick-check

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | List IP addresses to retrieve quick check about. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GreyNoise.IP.address | string | The IP address of the scanning device IP. |
| GreyNoise.IP.internet_scanner_intelligence.found | boolean | Whether the IP has been observed scanning the internet. |
| GreyNoise.IP.business_service_intelligence.found | boolean | Whether the IP is a common business service. |
| GreyNoise.IP.internet_scanner_intelligence.classification | string | If the IP has been observed, what is the GreyNoise classification. |
| GreyNoise.IP.business_service_intelligence.trust_level | string | If the IP is a business service, how trustworthy is the IP. |

Command Example#

!greynoise-ip-quick-check ip="45.83.65.120,45.83.66.18"

Human Readable Output#

GreyNoise Quick IP Lookup Details#

| IP | Internet Scanner | Classification | Business Service | Trust Level |
| --- | --- | --- | --- | --- |
| 64.39.108.148 | true | benign | true | 1 |
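
One way to act on the quick-check context output when filtering alert false positives, as an added example that is not code from the integration. The disposition names and the rules are this example's assumptions, and the sample entries are constructed (only the 64.39.108.148 row mirrors the output above).

```python
import ipaddress

# Dispositions and rules below are this example's policy (an assumption),
# not behaviour defined by the integration.
SUPPRESS, REVIEW, ESCALATE, INVESTIGATE = "suppress", "review", "escalate", "investigate"

# Internal ranges are never part of Internet-wide scan data, so a "not found"
# result for them says nothing about the host.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def trust_level_number(value):
    """Return the leading integer of "1" or "1 - Reasonably Ignore", else None."""
    head = str(value or "").strip().split(" ", 1)[0]
    return int(head) if head.isdigit() else None


def triage(entry):
    """Map one GreyNoise.IP quick-check entry to (disposition, reason)."""
    try:
        ip = ipaddress.ip_address(entry.get("address", ""))
    except ValueError:
        return INVESTIGATE, "address is not a valid IP, lookup result unusable"
    if any(ip in net for net in INTERNAL_NETS):
        return INVESTIGATE, "internal address, outside Internet scanner data"

    scanner = entry.get("internet_scanner_intelligence") or {}
    business = entry.get("business_service_intelligence") or {}
    classification = (scanner.get("classification") or "").lower()

    # A malicious classification wins over everything else.
    if scanner.get("found") and classification == "malicious":
        return ESCALATE, "observed scanning and classified malicious"
    if business.get("found"):
        if trust_level_number(business.get("trust_level")) == 1:
            return SUPPRESS, "common business service, trust level 1"
        return REVIEW, "common business service, trust level other than 1"
    if scanner.get("found"):
        if classification == "benign":
            return SUPPRESS, "known benign Internet scanner"
        return REVIEW, "Internet background noise, classification " + (classification or "missing")
    # Not seen scanning in the last 60 days and not a business service:
    # the traffic is not explained by background noise.
    return INVESTIGATE, "no scanner or business service record"


def triage_all(entries):
    """Return {address: disposition} for a list of GreyNoise.IP entries."""
    return {e.get("address", ""): triage(e)[0] for e in entries}


# Constructed sample context entries (documentation-range IPs except the first).
SAMPLE_ENTRIES = [
    {"address": "64.39.108.148",
     "internet_scanner_intelligence": {"found": True, "classification": "benign"},
     "business_service_intelligence": {"found": True, "trust_level": "1"}},
    {"address": "198.51.100.23",
     "internet_scanner_intelligence": {"found": True, "classification": "malicious"},
     "business_service_intelligence": {"found": False, "trust_level": ""}},
    {"address": "198.51.100.77",
     "internet_scanner_intelligence": {"found": True, "classification": "unknown"},
     "business_service_intelligence": {"found": False, "trust_level": ""}},
    {"address": "203.0.113.9",
     "internet_scanner_intelligence": {"found": False, "classification": ""},
     "business_service_intelligence": {"found": False, "trust_level": ""}},
    {"address": "10.1.2.3",
     "internet_scanner_intelligence": {"found": False, "classification": ""},
     "business_service_intelligence": {"found": False, "trust_level": ""}},
]

if __name__ == "__main__":
    for item in SAMPLE_ENTRIES:
        print(item["address"], *triage(item), sep=" | ")
```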

greynoise-query#


Get information about IPs that match the provided filters.

Base Command#

greynoise-query

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| last_seen | The date the device was most recently observed by GreyNoise. Example: 1d, 2d, 12h, or 1m. | Optional |
| organization | The organization that owns the network the IP address belongs to. | Optional |
| classification | Classification of the device. Possible values are: unknown, benign, malicious. | Optional |
| spoofable | Whether the IP is spoofable or not. Possible values are: true, false. Default is false. | Optional |
| actor | The actor the device has been associated with. | Optional |
| cve | A CVE to get scanning data about, example CVE-2021-12345. | Optional |
| size | Maximum amount of results to grab. Default is 10. | Optional |
| advanced_query | GNQL query to filter records. Note: It merges other arguments and takes higher precedence over the same argument if supplied. Example: malicious, spoofable:false SSH Scanner, spoofable:false classification:benign tags:POP3 Scanner cve:CVE-2010-0103. | Optional |
| next_token | Scroll token to paginate through results. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GreyNoise.IP.address | string | The IP address of the scanning device IP. |
| GreyNoise.IP.business_service_intelligence.category | string | The category of the business service. |
| GreyNoise.IP.business_service_intelligence.description | string | Description of the business service. |
| GreyNoise.IP.business_service_intelligence.explanation | string | Explanation of why the IP is considered a business service. |
| GreyNoise.IP.business_service_intelligence.found | boolean | Whether the IP is a common business service. |
| GreyNoise.IP.business_service_intelligence.last_updated | date | When the business service information was last updated. |
| GreyNoise.IP.business_service_intelligence.name | string | The name of the business service. |
| GreyNoise.IP.business_service_intelligence.reference | string | Reference link for the business service. |
| GreyNoise.IP.business_service_intelligence.trust_level | string | If the IP is a business service, how trustworthy the IP is. |
| GreyNoise.IP.internet_scanner_intelligence.actor | string | The overt actor the device has been associated with. |
| GreyNoise.IP.internet_scanner_intelligence.bot | Boolean | Whether the IP is associated with known bot activity or not. Common examples include credential stuffing, content scraping, or brute force attacks. |
| GreyNoise.IP.internet_scanner_intelligence.classification | string | Whether the device has been categorized as unknown, benign, or malicious. |
| GreyNoise.IP.internet_scanner_intelligence.cve | array | CVEs associated with IP. |
| GreyNoise.IP.internet_scanner_intelligence.first_seen | date | The date the device was first observed by GreyNoise. Format is ISO8601. |
| GreyNoise.IP.internet_scanner_intelligence.found | boolean | Whether the IP was found in GreyNoise records. |
| GreyNoise.IP.internet_scanner_intelligence.last_seen | date | The date the device was last observed by GreyNoise. Format is ISO8601. |
| GreyNoise.IP.internet_scanner_intelligence.last_seen_timestamp | string | The timestamp when the device was last observed by GreyNoise. |
| GreyNoise.IP.internet_scanner_intelligence.metadata.asn | string | The autonomous system identification number. |
| GreyNoise.IP.internet_scanner_intelligence.metadata.carrier | string | The carrier information for the IP address. |
| GreyNoise.IP.internet_scanner_intelligence.metadata.category | string | Whether the device belongs to a business, isp, hosting, education, or mobile network. |
| GreyNoise.IP.internet_scanner_intelligence.metadata.city | string | The city the device is geographically located in. |
| GreyNoise.IP.internet_scanner_intelligence.metadata.country | string | The full name of the country. |
| GreyNoise.IP.internet_scanner_intelligence.metadata.country_code | string | The two-character country code of the country. |
| GreyNoise.IP.internet_scanner_intelligence.metadata.datacenter | string | The datacenter information for the IP address. |
| GreyNoise.IP.internet_scanner_intelligence.metadata.destination_asns | array | The list of ASNs targeted by scanning. |
| GreyNoise.IP.internet_scanner_intelligence.metadata.destination_cities | array | The list of cities targeted by scanning. |
| GreyNoise.IP.internet_scanner_intelligence.metadata.destination_countries | array | The list of countries targeted by scanning. |
| GreyNoise.IP.internet_scanner_intelligence.metadata.destination_country_codes | array | The list of country codes targeted by scanning. |
| GreyNoise.IP.internet_scanner_intelligence.metadata.domain | string | The domain associated with the IP address. |
| GreyNoise.IP.internet_scanner_intelligence.metadata.latitude | number | The latitude coordinate of the IP address location. |
| GreyNoise.IP.internet_scanner_intelligence.metadata.longitude | number | The longitude coordinate of the IP address location. |
| GreyNoise.IP.internet_scanner_intelligence.metadata.mobile | boolean | Whether the device is on a mobile network. |
| GreyNoise.IP.internet_scanner_intelligence.metadata.organization | string | The organization that owns the network that the IP address belongs to. |
| GreyNoise.IP.internet_scanner_intelligence.metadata.os | string | The name of the operating system of the device. |
| GreyNoise.IP.internet_scanner_intelligence.metadata.rdns | string | Reverse DNS lookup of the IP address. |
| GreyNoise.IP.internet_scanner_intelligence.metadata.rdns_parent | string | The parent domain of the reverse DNS lookup. |
| GreyNoise.IP.internet_scanner_intelligence.metadata.rdns_validated | boolean | Whether the reverse DNS lookup has been validated. |
| GreyNoise.IP.internet_scanner_intelligence.metadata.region | string | The full name of the region the device is geographically located in. |
| GreyNoise.IP.internet_scanner_intelligence.metadata.sensor_count | number | The number of sensors that observed activity from this IP. |
| GreyNoise.IP.internet_scanner_intelligence.metadata.sensor_hits | number | The number of sensor events recorded from this IP. |
| GreyNoise.IP.internet_scanner_intelligence.metadata.single_destination | boolean | Whether the IP targets a single destination. |
| GreyNoise.IP.internet_scanner_intelligence.metadata.source_city | string | The city where the IP is geographically located. |
| GreyNoise.IP.internet_scanner_intelligence.metadata.source_country | string | The full name of the IP source country. |
| GreyNoise.IP.internet_scanner_intelligence.metadata.source_country_code | string | The country code of the IP source country. |
| GreyNoise.IP.internet_scanner_intelligence.tor | boolean | Whether the device is a known Tor exit node. |
| GreyNoise.IP.internet_scanner_intelligence.raw_data.hassh.fingerprint | string | HASSH hash fingerprint string. |
| GreyNoise.IP.internet_scanner_intelligence.raw_data.hassh.port | number | TCP port connection where the HASSH hash was identified. |
| GreyNoise.IP.internet_scanner_intelligence.raw_data.http.md5 | array | MD5 hashes of HTTP requests made by the device. |
| GreyNoise.IP.internet_scanner_intelligence.raw_data.http.method | array | HTTP methods used by the device. |
| GreyNoise.IP.internet_scanner_intelligence.raw_data.http.path | array | HTTP paths the device has been observed accessing. |
| GreyNoise.IP.internet_scanner_intelligence.raw_data.http.request_header | array | HTTP request headers used by the device. |
| GreyNoise.IP.internet_scanner_intelligence.raw_data.http.useragent | array | HTTP user-agents the device has been observed using. |
| GreyNoise.IP.internet_scanner_intelligence.raw_data.ja3.fingerprint | string | The JA3 TLS/SSL fingerprint. |
| GreyNoise.IP.internet_scanner_intelligence.raw_data.ja3.port | number | The corresponding TCP port for the given JA3 fingerprint. |
| GreyNoise.IP.internet_scanner_intelligence.raw_data.scan.port | number | The port number(s) the device has been observed scanning. |
| GreyNoise.IP.internet_scanner_intelligence.raw_data.scan.protocol | string | The protocol of the port the device has been observed scanning. |
| GreyNoise.IP.internet_scanner_intelligence.raw_data.source.bytes | number | The number of bytes sent by the source. |
| GreyNoise.IP.internet_scanner_intelligence.raw_data.tls.cipher | array | TLS cipher suites used by the device. |
| GreyNoise.IP.internet_scanner_intelligence.raw_data.tls.ja4 | array | JA4 TLS/SSL fingerprints. |
| GreyNoise.IP.internet_scanner_intelligence.raw_data.web.paths | array | Any HTTP paths the device has been observed crawling the Internet for. |
| GreyNoise.IP.internet_scanner_intelligence.raw_data.web.useragents | array | Any HTTP user-agents the device has been observed using while crawling the Internet. |
| GreyNoise.IP.internet_scanner_intelligence.seen | boolean | Whether the IP is in record with GreyNoise. |
| GreyNoise.IP.internet_scanner_intelligence.spoofable | boolean | Whether the IP is spoofable. |
| GreyNoise.IP.internet_scanner_intelligence.tags.category | string | The category of the given tag. |
| GreyNoise.IP.internet_scanner_intelligence.tags.created | date | The date the tag was added to the GreyNoise system. |
| GreyNoise.IP.internet_scanner_intelligence.tags.description | string | A description of what the tag identifies. |
| GreyNoise.IP.internet_scanner_intelligence.tags.id | string | The unique id of the tag. |
| GreyNoise.IP.internet_scanner_intelligence.tags.intention | string | The intention of the associated activity the tag identifies. |
| GreyNoise.IP.internet_scanner_intelligence.tags.name | string | The name of the tag. |
| GreyNoise.IP.internet_scanner_intelligence.tags.recommend_block | boolean | Indicates if IPs associated with this tag should be blocked. |
| GreyNoise.IP.internet_scanner_intelligence.tags.references | string | A list of references used to create the tag. |
| GreyNoise.IP.internet_scanner_intelligence.tags.slug | string | The unique slug of the tag. |
| GreyNoise.IP.internet_scanner_intelligence.tags.updated_at | date | The date the tag was last updated. |
| GreyNoise.IP.internet_scanner_intelligence.vpn | boolean | Whether the device is a VPN endpoint or not. |
| GreyNoise.IP.internet_scanner_intelligence.vpn_service | string | The name of the VPN service provider of the device. |
| GreyNoise.Query.complete | boolean | Whether all results have been fetched or not. |
| GreyNoise.Query.count | number | Count of the total matching records. |
| GreyNoise.Query.message | string | Message from the API response. |
| GreyNoise.Query.query | string | Query which was used to filter the records. |
| GreyNoise.Query.scroll | string | Scroll token to paginate through results. |

Command Example#

!greynoise-query advanced_query=ip:64.39.108.148 spoofable=true

Human Readable Output#

GreyNoise Internet Scanner Intelligence#

Total findings: 1#

Query: (ip:64.39.108.148 spoofable:true) last_seen:90d#

GreyNoise Internet Scanner Intelligence#

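| IP | Internet Scanner | Classification | Actor | Tags | Spoofable | VPN | BOT | Tor | First Seen | Last Seen Timestamp |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 64.39.108.148 | true | benign | Qualys | Qualys (benign - actor) | true | false | false | false | 2025-05-25 | 2025-05-25 09:28:51 |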

To view the detailed query result please click here.
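
An added sketch (not the integration's own code) of two behaviours documented for greynoise-query: advanced_query taking precedence over a same-named argument, and following next_token until GreyNoise.Query.complete is true. `run_query`, the `ips` key and the sample pages are hypothetical stand-ins for one command execution; only arguments whose GNQL form appears on this page are merged.

```python
import re

# Arguments whose GNQL form is shown on this page (classification:benign,
# cve:CVE-2010-0103, last_seen:90d, spoofable:false). Other arguments are left
# out because the page does not show their GNQL field names.
MERGEABLE = ("classification", "cve", "last_seen", "spoofable")


def build_query(args):
    """Merge simple arguments into advanced_query; advanced_query wins on conflict."""
    query = (args.get("advanced_query") or "").strip()
    for name in MERGEABLE:
        value = args.get(name)
        if value in (None, ""):
            continue
        if isinstance(value, bool):
            value = str(value).lower()  # GNQL examples on the page use true/false
        # A field already present in advanced_query takes precedence.
        if re.search(rf"(?<![\w.]){re.escape(name)}:", query):
            continue
        query = f"{query} {name}:{value}".strip()
    return query


def collect_all(run_query, query, size=10, max_pages=50):
    """Follow scroll tokens until the result set is complete.

    run_query(query, size, next_token) is a hypothetical callable standing in
    for one greynoise-query execution. It returns a dict carrying the
    GreyNoise.Query fields "complete" and "scroll" plus an "ips" list of
    GreyNoise.IP entries. Returns (entries, fully_fetched).
    """
    results, token, seen_tokens = [], None, set()
    for _ in range(max_pages):
        page = run_query(query, size, token)
        results.extend(page.get("ips") or [])
        token = page.get("scroll")
        if page.get("complete") or not token:
            return results, True
        if token in seen_tokens:  # the same token again would loop forever
            return results, False
        seen_tokens.add(token)
    return results, False  # page cap reached, result set is partial


# Constructed two-page response keyed by the next_token that requests it.
SAMPLE_PAGES = {
    None: {"complete": False, "scroll": "tok-1",
           "ips": [{"address": "198.51.100.1"}, {"address": "198.51.100.2"}]},
    "tok-1": {"complete": True, "scroll": "",
              "ips": [{"address": "198.51.100.3"}]},
}


def sample_run_query(query, size, next_token):
    """Serve the constructed pages above instead of calling GreyNoise."""
    return SAMPLE_PAGES[next_token]


if __name__ == "__main__":
    q = build_query({"advanced_query": "ip:64.39.108.148", "spoofable": "true"})
    print(q)
    print(collect_all(sample_run_query, q, size=2))
```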

greynoise-stats#


Get aggregate statistics for the top organizations, actors, tags, ASNs, countries, classifications, and operating systems of all the results of a given GNQL query.

Base Command#

greynoise-stats

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| classification | Classification of the device. Possible values are: unknown, benign, malicious. | Optional |
| spoofable | Whether the IP is spoofable or not. Possible values are: true, false. | Optional |
| actor | The benign actor the device has been associated with. | Optional |
| size | Maximum amount of results to grab. Default is 10. | Optional |
| advanced_query | GNQL query to filter records. Note: It merges other arguments and takes higher precedence over the same argument if supplied. Example: malicious, spoofable:false SSH Scanner, spoofable:false classification:benign tags:POP3 Scanner cve:CVE-2010-0103. | Optional |
| last_seen | The date the device was most recently observed by GreyNoise. Example: 1d, 2d, 12h, or 1m. | Optional |
| organization | The organization that owns the network that the IP address belongs to. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GreyNoise.Stats.adjusted_query | string | Provides the adjusted query, if the submitted one could not be executed as-is. |
| GreyNoise.Stats.query | string | The query which was used to filter the records. |
| GreyNoise.Stats.count | number | Count of total aggregated records. |
| GreyNoise.Stats.stats.classifications.classification | string | Classification name. |
| GreyNoise.Stats.stats.classifications.count | number | Classification count. |
| GreyNoise.Stats.stats.spoofable.spoofable | boolean | Whether records are spoofable or not. |
| GreyNoise.Stats.stats.spoofable.count | number | Spoofable count. |
| GreyNoise.Stats.stats.organizations.organization | string | Organization name. |
| GreyNoise.Stats.stats.organizations.count | number | Organization count. |
| GreyNoise.Stats.stats.actors.actor | string | Actor name. |
| GreyNoise.Stats.stats.actors.count | number | Actor count. |
| GreyNoise.Stats.stats.countries.country | string | Country name. |
| GreyNoise.Stats.stats.countries.count | number | Country count. |
| GreyNoise.Stats.stats.source_countries.country | string | Country name. |
| GreyNoise.Stats.stats.source_countries.count | number | Country count. |
| GreyNoise.Stats.stats.destination_countries.country | string | Country name. |
| GreyNoise.Stats.stats.destination_countries.count | number | Country count. |
| GreyNoise.Stats.stats.tags.tag | string | Tag name. |
| GreyNoise.Stats.stats.tags.id | string | Tag ID. |
| GreyNoise.Stats.stats.tags.count | number | Tag count. |
| GreyNoise.Stats.stats.operating_systems.operating_system | string | Operating system name. |
| GreyNoise.Stats.stats.operating_systems.count | number | Operating system count. |
| GreyNoise.Stats.stats.categories.category | string | Category name. |
| GreyNoise.Stats.stats.categories.count | number | Category count. |
| GreyNoise.Stats.stats.asns.asn | string | ASN name. |
| GreyNoise.Stats.stats.asns.count | number | ASN count. |

Command Example#

!greynoise-stats spoofable=true size=2 advanced_query="spoofable:false"

Human Readable Output#

GreyNoise Internet Scanner Intelligence#

Stats Query#

Total IP Count: 489889#

Classifications#

| Classification | Count |
| --- | --- |
| unknown | 248634 |
| malicious | 127595 |
| suspicious | 103741 |
| benign | 9919 |

Spoofable#

| Spoofable | Count |
| --- | --- |
| False | 489889 |

Organizations#

| Organization | Count |
| --- | --- |
| Mobile Communication Company of Iran PLC | 58005 |
| National Internet Backbone | 30561 |
| CHINA UNICOM China169 Backbone | 26144 |
| CHINANET-BACKBONE | 19036 |
| Iran Telecommunication Company PJS | 17789 |
| Iran Cell Service and Communication Company | 17343 |
| Cloudflare, Inc. | 13137 |
| DigitalOcean, LLC | 8490 |
| Telecom International Myanmar Co., Ltd | 5160 |

Actors#

| Actor | Count |
| --- | --- |
| Stretchoid | 2008 |
| Cortex Xpanse | 1983 |
| GoogleBot | 1142 |
| Alpha Strike Labs | 1018 |
| ShadowServer.org | 983 |
| Bytespider | 896 |
| BinaryEdge.io | 756 |
| Driftnet | 609 |
| ONYPHE | 576 |

Source Countries#

| Country | Count |
| --- | --- |
| Iran | 106580 |
| China | 58763 |
| India | 48230 |
| United States | 32369 |
| Russia | 14796 |
| Myanmar | 12047 |
| Germany | 11446 |
| Singapore | 7643 |
| Brazil | 6892 |

Destination Countries#

| Country | Count |
| --- | --- |
| United States | 407724 |
| India | 271246 |
| Singapore | 241697 |
| United Kingdom | 162690 |
| Germany | 133679 |
| Japan | 124237 |
| Spain | 121176 |
| Canada | 108688 |
| Mexico | 104668 |
| France | 103558 |

Tags#

| Tag | Count |
| --- | --- |
| Web Crawler | 177741 |
| TLS/SSL Crawler | 157135 |
| Telnet Login Attempt | 63236 |
| SSH Connection Attempt | 62197 |
| SMBv1 Crawler | 62062 |
| Telnet Bruteforcer | 58469 |
| Go HTTP Client | 53544 |
| Generic IoT Default Password Attempt | 40313 |
| Mirai | 33110 |
| Mirai TCP Scanner | 30260 |

Categories#

| Category | Count |
| --- | --- |
| isp | 307235 |
| hosting | 86812 |
| business | 6373 |
| education | 952 |
| government | 421 |

ASNs#

| ASN | Count |
| --- | --- |
| AS197207 | 58005 |
| AS9829 | 30561 |
| AS4837 | 26144 |
| AS4134 | 19036 |
| AS58224 | 17789 |
| AS44244 | 17343 |
| AS13335 | 13100 |
| AS14061 | 8490 |
| AS136255 | 5160 |

greynoise-riot#


Identifies IPs from known benign services and organizations that commonly cause false positives in network security and threat intelligence products. The collection of IPs in RIOT is continually curated and verified to provide accurate results. These IPs are extremely unlikely to pose a threat to your network.

Base Command#

greynoise-riot

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | The IP address to be checked if it is potentially harmful or not. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Reliability | String | The reliability of the data. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| GreyNoise.IP.category | String | The category of the IP if riot is "True". |
| GreyNoise.IP.classification | String | The classification of the IP if riot is "True". |
| GreyNoise.IP.description | String | The description of the IP if riot is "True". |
| GreyNoise.IP.explanation | String | The explanation of the IP if riot is "True". |
| GreyNoise.IP.found | String | Indicates if the IP is a business service. |
| GreyNoise.IP.last_updated | Date | When the business service information was last updated. |
| GreyNoise.IP.ip | String | The IP to query. |
| GreyNoise.IP.name | String | The name of the IP if riot is "True". |
| GreyNoise.IP.reference | String | The reference of the IP if riot is "True". |
| GreyNoise.IP.riot | String | Indicates if the IP is a business service. |
| GreyNoise.IP.trust_level | String | The trust level of the IP if riot is "True". |

Example Command#

!greynoise-riot ip="64.39.108.148"

Human Readable Output#

IP: 64.39.108.148 found with Reputation: Good#

Belongs to Common Business Service: Qualys#

GreyNoise Business Service Intelligence Lookup#

| IP | Business Service | Category | Name | Trust Level | Description | Last Updated |
| --- | --- | --- | --- | --- | --- | --- |
| 64.39.108.148 | true | vulnerability_management | Qualys | 1 - Reasonably Ignore | Qualys Inc (Qualys) is a provider of cloud-based platform information security and compliance cloud solutions. The company's cloud platform offers private cloud platforms, private cloud platform appliances, public cloud integrations, and cloud agents. | 2025-06-26T13:10:55Z |

greynoise-context#


Identifies IPs that have been observed mass-scanning the internet.

Base Command#

greynoise-context

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | The IP address to query in GreyNoise Context Command. | Required |

Context Output#

PathTypeDescription
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.ReliabilityStringThe reliability of the data.
DBotScore.ScoreNumberThe actual score.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
GreyNoise.IP.addressstringThe IP address of the scanning device IP.
GreyNoise.IP.actorstringThe overt actor the device has been associated with.
GreyNoise.IP.botBooleanWhether the IP is associated with known bot activity or not. Common examples include credential stuffing, content scraping, or brute force attacks.
GreyNoise.IP.classificationstringWhether the device has been categorized as unknown, benign, or malicious.
GreyNoise.IP.cvearrayCVEs associated with IP.
GreyNoise.IP.first_seendateThe date the device was first observed by GreyNoise. Format is ISO8601.
GreyNoise.IP.foundbooleanWhether the IP was found in GreyNoise records.
GreyNoise.IP.last_seendateThe date the device was last observed by GreyNoise. Format is ISO8601.
GreyNoise.IP.last_seen_timestampstringThe timestamp when the device was last observed by GreyNoise.
GreyNoise.IP.metadata.asnstringThe autonomous system identification number.
GreyNoise.IP.metadata.carrierstringThe carrier information for the IP address.
GreyNoise.IP.metadata.categorystringWhether the device belongs to a business, isp, hosting, education, or mobile network.
GreyNoise.IP.metadata.citystringThe city the device is geographically located in.
GreyNoise.IP.metadata.countrystringThe full name of the country.
GreyNoise.IP.metadata.country_codestringThe two-character country code of the country.
GreyNoise.IP.metadata.datacenterstringThe datacenter information for the IP address.
GreyNoise.IP.metadata.destination_asnsarrayThe list of ASNs targeted by scanning.
GreyNoise.IP.metadata.destination_citiesarrayThe list of cities targeted by scanning.
GreyNoise.IP.metadata.destination_countriesarrayThe list of countries targeted by scanning.
GreyNoise.IP.metadata.destination_country_codesarrayThe list of country codes targeted by scanning.
GreyNoise.IP.metadata.domainstringThe domain associated with the IP address.
GreyNoise.IP.metadata.latitudenumberThe latitude coordinate of the IP address location.
GreyNoise.IP.metadata.longitudenumberThe longitude coordinate of the IP address location.
GreyNoise.IP.metadata.mobilebooleanWhether the device is on a mobile network.
GreyNoise.IP.metadata.organizationstringThe organization that owns the network that the IP address belongs to.
| GreyNoise.IP.metadata.os | string | The name of the operating system of the device. |
| GreyNoise.IP.metadata.rdns | string | Reverse DNS lookup of the IP address. |
| GreyNoise.IP.metadata.rdns_parent | string | The parent domain of the reverse DNS lookup. |
| GreyNoise.IP.metadata.rdns_validated | boolean | Whether the reverse DNS lookup has been validated. |
| GreyNoise.IP.metadata.region | string | The full name of the region the device is geographically located in. |
| GreyNoise.IP.metadata.sensor_count | number | The number of sensors that observed activity from this IP. |
| GreyNoise.IP.metadata.sensor_hits | number | The number of sensor events recorded from this IP. |
| GreyNoise.IP.metadata.single_destination | boolean | Whether the IP targets a single destination. |
| GreyNoise.IP.metadata.source_city | string | The city where the IP is geographically located. |
| GreyNoise.IP.metadata.source_country | string | The full name of the IP source country. |
| GreyNoise.IP.metadata.source_country_code | string | The country code of the IP source country. |
| GreyNoise.IP.metadata.tor | boolean | Whether the device is a known Tor exit node. |
| GreyNoise.IP.tor | boolean | Whether the device is a known Tor exit node. |
| GreyNoise.IP.raw_data.hassh.fingerprint | string | HASSH hash fingerprint string. |
| GreyNoise.IP.raw_data.hassh.port | number | TCP port connection where the HASSH hash was identified. |
| GreyNoise.IP.raw_data.http.md5 | array | MD5 hashes of HTTP requests made by the device. |
| GreyNoise.IP.raw_data.http.method | array | HTTP methods used by the device. |
| GreyNoise.IP.raw_data.http.path | array | HTTP paths the device has been observed accessing. |
| GreyNoise.IP.raw_data.http.request_header | array | HTTP request headers used by the device. |
| GreyNoise.IP.raw_data.http.useragent | array | HTTP user-agents the device has been observed using. |
| GreyNoise.IP.raw_data.ja3.fingerprint | string | The JA3 TLS/SSL fingerprint. |
| GreyNoise.IP.raw_data.ja3.port | number | The corresponding TCP port for the given JA3 fingerprint. |
| GreyNoise.IP.raw_data.tls.ja4 | array | JA4 TLS/SSL fingerprints. |
| GreyNoise.IP.raw_data.scan.port | number | The port number(s) the device has been observed scanning. |
| GreyNoise.IP.raw_data.scan.protocol | string | The protocol of the port the device has been observed scanning. |
| GreyNoise.IP.raw_data.source.bytes | number | The number of bytes sent by the source. |
| GreyNoise.IP.raw_data.tls.cipher | array | TLS cipher suites used by the device. |
| GreyNoise.IP.raw_data.web.paths | array | Any HTTP paths the device has been observed crawling the Internet for. |
| GreyNoise.IP.raw_data.web.useragents | array | Any HTTP user-agents the device has been observed using while crawling the Internet. |
| GreyNoise.IP.seen | boolean | Whether the IP is in record with GreyNoise. |
| GreyNoise.IP.spoofable | boolean | Whether the IP is spoofable. |
| GreyNoise.IP.tags.category | string | The category of the given tag. |
| GreyNoise.IP.tags.created | date | The date the tag was added to the GreyNoise system. |
| GreyNoise.IP.tags.description | string | A description of what the tag identifies. |
| GreyNoise.IP.tags.id | string | The unique ID of the tag. |
| GreyNoise.IP.tags.intention | string | The intention of the associated activity the tag identifies. |
| GreyNoise.IP.tags.name | string | The name of the tag. |
| GreyNoise.IP.tags.recommend_block | boolean | Indicates if IPs associated with this tag should be blocked. |
| GreyNoise.IP.tags.references | string | A list of references used to create the tag. |
| GreyNoise.IP.tags.slug | string | The unique slug of the tag. |
| GreyNoise.IP.tags.updated_at | date | The date the tag was last updated. |
| GreyNoise.IP.vpn | boolean | Whether the device is a VPN endpoint or not. |
| GreyNoise.IP.vpn_service | string | The name of the VPN service provider of the device. |

Example Command#

!greynoise-context ip="114.119.130.178"

Human Readable Output#

IP: 64.39.108.148 found with Reputation: Good#

GreyNoise Internet Scanner Intelligence Lookup#

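| IP | Internet Scanner | Classification | Actor | Tags | Spoofable | VPN | BOT | Tor | First Seen | Last Seen Timestamp |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 64.39.108.148 | true | benign | Qualys | Qualys (benign - actor) | true | false | false | false | 2025-05-25 | 2025-05-25 09:28:51 |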
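
The following added example (not part of the integration or of this page's original content) shows one way an automation could turn the GreyNoise.IP context fields above into a triage decision. The action names, the order of the checks, the reading of `spoofable` as possibly forged source traffic, and `tags` being a list of objects are assumptions.

```python
# Added example: triage policy over one GreyNoise.IP context entry.
# Action names and check order are assumptions, not integration behaviour.

def triage_ip(entry: dict) -> tuple:
    """Return (action, reasons) for a GreyNoise.IP entry from the ip command."""
    if not (entry.get("seen") or entry.get("found")):
        # No internet-wide scanning recorded for this IP, so an alert on it
        # is less likely to be background noise.
        return "investigate", ["not observed by GreyNoise"]

    classification = entry.get("classification") or "unknown"
    if entry.get("spoofable"):
        # Assumption: spoofable means the observed traffic may carry a forged
        # source address, so neither suppress nor block automatically.
        return "investigate", [classification + " but spoofable"]

    if classification == "benign":
        return "suppress", ["benign actor: " + (entry.get("actor") or "unknown")]

    # Assumption: tags is a list of objects carrying the documented tag fields.
    block_tags = [t.get("name", "unnamed") for t in entry.get("tags") or []
                  if t.get("recommend_block")]
    if classification != "malicious" and not block_tags:
        return "monitor", ["scanner with no malicious verdict or block tag"]

    reasons = []
    if classification == "malicious":
        reasons.append("classified malicious")
    if block_tags:
        reasons.append("block recommended by tags: " + ", ".join(block_tags))

    metadata = entry.get("metadata") or {}
    shared = [name for name, flag in (
        ("vpn", entry.get("vpn")),
        ("tor", entry.get("tor") or metadata.get("tor")),
    ) if flag]
    if shared:
        # Shared egress: unrelated users sit behind the same address.
        reasons.append("shared egress (" + "/".join(shared) + "): expire the block")
        return "block_temporary", reasons
    return "block", reasons


# Constructed sample mirroring the Qualys row in the example output above.
QUALYS = {"address": "64.39.108.148", "seen": True, "classification": "benign",
          "actor": "Qualys", "spoofable": True, "vpn": False, "tor": False}
```

With this policy the page's own Qualys row is not auto-suppressed, because it is benign and spoofable at the same time.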

greynoise-similarity#


Identify IPs with a similar internet scanning profile.

Base Command#

greynoise-similarity

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | The IP address to find similar IPs for. | Required |
| minimum_score | The similarity score above which results are returned. Valid from 85 to 100. Default is 90. | Optional |
| maximum_results | The maximum number of similar results to return. Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GreyNoise.Similar.ip | string | The IP address of the scanning device IP. |
| GreyNoise.Similar.first_seen | date | The date the device was first observed by GreyNoise. Format is ISO8601. |
| GreyNoise.Similar.last_seen | date | The date the device was last observed by GreyNoise. Format is ISO8601. |
| GreyNoise.Similar.actor | string | The overt actor the device has been associated with. |
| GreyNoise.Similar.classification | string | Whether the device has been categorized as unknown, benign, or malicious. |
| GreyNoise.Similar.asn | string | The autonomous system identification number. |
| GreyNoise.Similar.city | string | The city the device is geographically located in. |
| GreyNoise.Similar.country | string | The full name of the country. |
| GreyNoise.Similar.country_code | string | The two-character country code of the country. |
| GreyNoise.Similar.organization | string | The organization that owns the network that the IP address belongs to. |
| GreyNoise.Similar.similar_ips | array | Details of similar IPs |

Command Example#

!greynoise-similarity ip="1.2.3.4" minimum_score="90" maximum_results="50"

Human Readable Output - Results#

IP: 59.88.225.2 - Similar Internet Scanners found in GreyNoise

Total Similar IPs with Score above 90%: 100

Displaying 50 results below. To see all results, visit the GreyNoise Visualizer.

GreyNoise Similar IPs

| IP | Score | Classification | Actor | Organization | Last Seen | Similarity Features |
| --- | --- | --- | --- | --- | --- | --- |
| 1.2.3.4 | 100 | malicious | unknown | GoogleBot | 2023-04-05 | ports,spoofable_bool |

!greynoise-similarity ip="114.119.130.178"

Human Readable Output - No Results#

GreyNoise Similarity Lookup returned No Results.

greynoise-timeline#


Get timeline activity for an IP address.

Base Command#

greynoise-timeline

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | The IP address to get timeline activity for | Required |
| days | The number of days from today to get activity. Valid from 1 to 90. Default is 30. | Optional |
| maximum_results | The maximum number of similar results to return. Default is 50. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GreyNoise.Timeline.ip | string | The IP address of the scanning device IP. |
| GreyNoise.Timeline.metadata.start_time | date | The start time of the activity period |
| GreyNoise.Timeline.metadata.end_time | date | The end time of the activity period |
| GreyNoise.Timeline.metadata.limit | string | Limit of activity events returned |
| GreyNoise.Timeline.metadata.next_cursor | string | Cursor value to pull next page of results |
| GreyNoise.Timeline.activity | array | Daily activity summaries |

Command Example#

!greynoise-timeline ip="1.1.2.2" days="30" maximum_results="30"

Human Readable Output - Results#

IP: 45.164.214.212 - GreyNoise IP Timeline

Internet Scanner Timeline Details - Daily Activity Summary

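| Date | Classification | Tags | rDNS | Organization | ASN | Ports | Web Paths | User Agents |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1.2.3.4 | malicious | BruteForcer | me.acme.lcl | Acme, Inc | AS12345 | ports,spoofable_bool | /root/home | MozillaFirefox |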

Human Readable Output - No Results#

GreyNoise IP Timeline Returned No Results.

cve#


Queries GreyNoise for CVE Vuln Intelligence.

Base Command#

cve

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| cve | A comma-separated list of CVE IDs. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CVE.ID | string | CVE ID. |
| GreyNoise.CVE.details.vulnerability_name | String | The vulnerability name. |
| GreyNoise.CVE.details.vulnerability_description | String | A description of the vulnerability. |
| GreyNoise.CVE.details.cve_cvss_score | Number | The CVSS score. |
| GreyNoise.CVE.details.product | String | The vulnerable product. |
| GreyNoise.CVE.details.vendor | String | The vendor that produces the vulnerable product. |
| GreyNoise.CVE.details.published_to_nist_nvd | Boolean | Is this CVE published to NIST NVD? |
| GreyNoise.CVE.timeline.cve_published_date | Date | When was the CVE published. |
| GreyNoise.CVE.timeline.cve_last_updated_date | Date | When was the CVE information last updated. |
| GreyNoise.CVE.timeline.first_known_published_date | Date | When first exploit associated with CVE was published. |
| GreyNoise.CVE.timeline.cisa_kev_date_added | Date | When the CVE was added to KEV. |
| GreyNoise.CVE.exploitation_details.attack_vector | String | The attack vector category. |
| GreyNoise.CVE.exploitation_details.exploit_found | Boolean | Whether any known exploits are available. |
| GreyNoise.CVE.exploitation_details.exploitation_registered_in_kev | Boolean | Whether exploitation has been registered in KEV database. |
| GreyNoise.CVE.exploitation_details.epss_score | Number | EPSS score associated with this exploitation (Exploit Prediction Scoring System). |
| GreyNoise.CVE.exploitation_stats.number_of_available_exploits | Number | The total number of exploits available (public + commercial). |
| GreyNoise.CVE.exploitation_stats.number_of_threat_actors_exploiting_vulnerability | Number | The total number of known threat actors. |
| GreyNoise.CVE.exploitation_stats.number_of_botnets_exploiting_vulnerability | Number | The total number of botnets. |
| GreyNoise.CVE.exploitation_activity.activity_seen | Boolean | Whether GreyNoise has seen activity. |
| GreyNoise.CVE.exploitation_activity.benign_ip_count_1d | Number | The total number of benign IP addresses GreyNoise has seen exercising (Scanning or Exploiting) this vulnerability in the last day. |
| GreyNoise.CVE.exploitation_activity.benign_ip_count_10d | Number | The total number of benign IP addresses GreyNoise has seen exercising (Scanning or Exploiting) this vulnerability in the last 10 days. |
| GreyNoise.CVE.exploitation_activity.benign_ip_count_30d | Number | The total number of benign IP addresses GreyNoise has seen exercising (Scanning or Exploiting) this vulnerability in the last 30 days. |
| GreyNoise.CVE.exploitation_activity.threat_ip_count_1d | Number | The total number of threat IP addresses GreyNoise has seen exercising (Scanning or Exploiting) this vulnerability in the last day. |
| GreyNoise.CVE.exploitation_activity.threat_ip_count_10d | Number | The total number of threat IP addresses GreyNoise has seen exercising (Scanning or Exploiting) this vulnerability in the last 10 days. |
| GreyNoise.CVE.exploitation_activity.threat_ip_count_30d | Number | The total number of threat IP addresses GreyNoise has seen exercising (Scanning or Exploiting) this vulnerability in the last 30 days. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |

Example Command#

!cve cve="CVE-2021-26086"

Human Readable Output#

CVE: CVE-2021-26086 is found#

GreyNoise CVE Lookup#

| CVE ID | CVSS | Vendor | Product | Published to NVD |
| --- | --- | --- | --- | --- |
| CVE-2021-26086 | 5.3 | Atlassian | Jira Server and Data Center | true |

Timeline Details#

| Added to Kev | Last Updated | CVE Published | First Published |
| --- | --- | --- | --- |
| 2024-11-12 | 2025-02-09 | 2021-08-16 | 2023-11-18 |

Exploitation Details#

| Attack Vector | EPSS Base Score | Exploit Found | Exploit Registered in KEV |
| --- | --- | --- | --- |
| NETWORK | 0.94247 | true | true |

Exploitation Stats#

| # of Available Exploits | # of Botnets Exploiting | # of Threat Actors Exploiting |
| --- | --- | --- |
| 4 | 1 | 1 |

Exploitation Activity - GreyNoise Insights#

| GreyNoise Observed Activity | # of Benign IPs - Last Day | # of Benign IPs - Last 10 Days | # of Benign IPs - Last 30 Days | # of Threat IPs - Last Day | # of Threat IPs - Last 10 Days | # of Threat IPs - Last 30 Days |
| --- | --- | --- | --- | --- | --- | --- |
| true | 14 | 15 | 15 | 126 | 164 | 261 |
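
The following added example (not part of the integration or of this page's original content) shows one way to rank a CVE for patching from the GreyNoise.CVE context fields above, so that a moderate CVSS score does not hide active exploitation. The tier names, the thresholds, the surge heuristic and the nested-dictionary shape of the context are assumptions.

```python
# Added example: priority heuristic over one GreyNoise.CVE context entry.
# Tier names and thresholds are assumptions, not integration behaviour.

def cvss_band(score: float) -> str:
    """CVSS v3 qualitative severity band for a base score."""
    for floor, name in ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")):
        if score >= floor:
            return name
    return "none"


def prioritise_cve(cve: dict, epss_high: float = 0.5, surge_factor: float = 3.0) -> dict:
    """Combine KEV, EPSS and observed threat IPs into a patching tier."""
    details = cve.get("details") or {}
    expl = cve.get("exploitation_details") or {}
    act = cve.get("exploitation_activity") or {}

    cvss = float(details.get("cve_cvss_score") or 0.0)
    epss = float(expl.get("epss_score") or 0.0)
    kev = bool(expl.get("exploitation_registered_in_kev"))
    threat_1d = int(act.get("threat_ip_count_1d") or 0)
    threat_30d = int(act.get("threat_ip_count_30d") or 0)

    # Rough baseline: the 30-day IP count spread evenly over 30 days, floored
    # at 1 so a single IP on a quiet CVE does not register as a surge.
    baseline = max(threat_30d / 30.0, 1.0)
    surging = threat_1d >= surge_factor * baseline

    likely = kev or epss >= epss_high
    if likely and threat_1d > 0:
        tier = "patch_now"  # exploitation expected and observed in the last day
    elif likely or threat_30d > 0 or expl.get("exploit_found"):
        tier = "patch_next_cycle"
    elif cvss >= 7.0:
        tier = "scheduled"
    else:
        tier = "backlog"
    return {"tier": tier, "surging": surging, "cvss_band": cvss_band(cvss),
            "threat_ips_1d": threat_1d}


# Constructed sample using the values from the CVE-2021-26086 example output above.
JIRA = {
    "details": {"cve_cvss_score": 5.3},
    "exploitation_details": {"epss_score": 0.94247, "exploit_found": True,
                             "exploitation_registered_in_kev": True},
    "exploitation_activity": {"activity_seen": True, "threat_ip_count_1d": 126,
                              "threat_ip_count_10d": 164, "threat_ip_count_30d": 261},
}
```

For the sample, a CVSS-only view gives "medium", while the KEV listing, the EPSS score and 126 threat IPs in the last day put it in the top tier.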