As we roll through the summer, GreyNoise is back from its July two-week shutdown with a bunch of fresh new improvements, including 63 new tags and a bunch of exciting new data insights for our customers to explore in our Labs API.  We’ve also updated our integrations to add support for our IP Similarity and Timeline for our Palo Alto customers.

New: Explore C2 Data, HTTP activity, and more with our Labs Beta API

We’re excited to announce the availability of our Labs API. The Labs Beta API is a data source derived from the GreyNoise sensors and platform specifically designed to uncover insights our users may find intriguing and to facilitate exciting data explorations related to emerging threats.  These APIs are in beta today; however we welcome feedback that will improve the quality of our data and suggestions on how we can add them to our product.  Here are some of the datasets you can explore today:


Access the top 10% of possible Command and Control (C2) IP addresses, ranked by their pervasiveness, observed by GreyNoise over the previous 24 hours. Use this query to identify second-stage IP addresses that might be involved in malicious activities following the reconnaissance and initial access stages. 


Access the top 1% of HTTP requests, ranked by their pervasiveness, observed by GreyNoise over the last seven days. Gain insights into the background radiation of the internet, exploring the patterns and trends of HTTP requests.   


Access the top 1% of IPs searched in GreyNoise, ordered by the number of users observed searching over the last 7 days. Understand commonalities in how users search within GreyNoise, gaining insights into popular IPs and their associated activities. This query uses a minimum number of IP submissions and users to build consensus before an IP can be considered available in this dataset.


Access the top 1% of IPs by their noise score for the last 7 days. This score is determined by comparing the pervasiveness of the number of sensors and countries that observed packets from the IP, the request rate, and the diversity of payloads and ports for which the packets were observed.  This query is intended to help rank the top noise makers compared to the quiet single-hit scanners. 

Enhancement: Create an Alert for a Tag From the Tags Action Panel

We’ve added a “Create Alert” button in the Action panel on the Tag details page to make it easy to create an alert. GreyNoise users can use this to monitor scanning activity directly from the Tags page, informing them of any new IPs scanning for tags they are interested in.

Enhancement: Copy/Search Fields On IP Details

There is now a Copy/Search button in fields on the IP details page. The previous behavior did not allow users to copy the values in the fields.

You can access the Copy/Search buttons by hovering over fields such as Ports Scanned, Country, OS in the IP Details pages.

Enhancement: Analysis File Size Increased to 4MB

Previously, the Analysis Feature only accepted inputs up to 2MB.  We've increased this to 4MB, so that customers can submit larger files without getting an error. 

New and Updated Integrations

Palo Alto XSOAR (Demisto) Improvements: IP Similarity and IP Timeline Support

We updated our Palo Alto XSOAR support to include our IP Similarity and IP Timeline features, allowing users to easily find similar IP addresses, or review GreyNoise’s classification history on an IP.

To learn more about using the XSOAR Demisto enhancements for IP Similarity and Timeline, you can check out our documentation.

Tags Coverage Enhancements

In June & July, GreyNoise added 63 new tags:

56 malicious activity tags

2 benign actor tags

5 unknown tags

All GreyNoise users can monitor scanning activity we’ve seen for a tag by creating an alert informing them of any new IPs scanning for tags they are interested in.

Notable Security Research and Detection Engineering Blogs:

Don't have a GreyNoise account? Sign-up for free.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.
GreyNoise Labs logo
Link to GreyNoise Twitter account
Link to GreyNoise Twitter account