Synapse-GreyNoise User Guide
Synapse-GreyNoise adds new Storm commands to allow you to query the GreyNoise API using your existing API key.
Getting Started
Check with your Admin to enable permissions and find out if you need a personal API key.
Examples
Setting your personal API key
To set up a personal-use API key:
> greynoise.setup.apikey --self myapikey
Setting Synapse-GreyNoise API key for the current user.
Enrich an inet:ipv4 with data from the GreyNoise Community API
The GreyNoise Community API does not require an API key and can be used to enrich
inet:ipv4 nodes with a subset of the IP context available:
> [ inet:ipv4=8.8.8.8 ] | greynoise.community.ip
inet:ipv4=8.8.8.8
.created = 2026/04/24 20:26:27.406
.seen = ('2021/09/28 00:00:00.000', '2021/09/28 00:00:00.001')
:_greynoise:class = benign
:_greynoise:name = google public dns
:_greynoise:noise = false
:_greynoise:riot = true
:_greynoise:seen = ('2021/09/28 00:00:00.000', '2021/09/28 00:00:00.001')
:type = unicast
Enrich an inet:ipv4 with data from the GreyNoise Quick Check API
> [ inet:ipv4=8.8.8.8 ] | greynoise.quickcheck
inet:ipv4=8.8.8.8
.created = 2026/04/24 20:26:27.406
.seen = ('2021/09/28 00:00:00.000', '2021/09/28 00:00:00.001')
:_greynoise:class = benign
:_greynoise:name = google public dns
:_greynoise:noise = false
:_greynoise:riot = true
:_greynoise:seen = ('2021/09/28 00:00:00.000', '2021/09/28 00:00:00.001')
:type = unicast
Enrich an inet:ipv4 with data from the GreyNoise IP Lookup API
The greynoise.enrich command queries the full GreyNoise IP Lookup API. By default
it performs a quick check first and only performs the full lookup if the IP is found
in the GreyNoise dataset:
> [ inet:ipv4=8.8.8.8 ] | greynoise.enrich
inet:ipv4=8.8.8.8
.created = 2026/04/24 20:26:27.406
.seen = ('2021/09/28 00:00:00.000', '2021/09/28 00:00:00.001')
:_greynoise:category = public_dns
:_greynoise:class =
:_greynoise:name = google public dns
:_greynoise:noise = false
:_greynoise:riot = true
:_greynoise:seen = ('2021/09/28 00:00:00.000', '2021/09/28 00:00:00.001')
:_greynoise:trust = 1
:_greynoise:updated = 2026/04/17 13:11:06.000
:type = unicast
Use a GNQL query to search
A GNQL query can be used to search the GreyNoise dataset:
> greynoise.gnql.search --size 1 "classification:malicious last_seen:1d"
inet:ipv4=4.186.56.66
.created = 2026/04/24 20:26:27.513
.seen = ('2025/12/08 00:00:00.000', '2026/04/17 00:00:00.001')
:_greynoise:category = hosting
:_greynoise:class = malicious
:_greynoise:name =
:_greynoise:noise = true
:_greynoise:orgname = microsoft corporation
:_greynoise:riot = false
:_greynoise:seen = ('2025/12/08 00:00:00.000', '2026/04/17 00:00:00.001')
:asn = 8075
:loc = in.maharashtra.pune
:type = unicast
#rep.greynoise.carries_http_referer
#rep.greynoise.connectwise_screenconnect_auth_bypass_check
#rep.greynoise.crushftp_scanner
#rep.greynoise.cve_2020_2034
#rep.greynoise.cve_2024_1709
#rep.greynoise.cve_2025_55182
#rep.greynoise.cve_2025_66478
#rep.greynoise.f5_big_ip_crawler
#rep.greynoise.fortinet_forticlient_ems_api_auth_bypass_check
#rep.greynoise.generic_suspicious_linux_command_in_request
#rep.greynoise.go_http_client
#rep.greynoise.ivanti_connect_secure_ics_scanner
#rep.greynoise.outlook_web_access_crawler
#rep.greynoise.outlook_web_access_login_crawler
#rep.greynoise.palo_alto_networks_pan_os_cve_2020_2034_crawler
#rep.greynoise.pulse_secure_vpn_scanner
#rep.greynoise.react_server_components_unsafe_deserialization_cve_2025_55182_rce_attempt
#rep.greynoise.sophos_xg_firewall_user_portal_scanner
#rep.greynoise.tls_ssl_crawler
#rep.greynoise.web_crawler
#rep.greynoise.wordpress_enumeration
More information on building GNQL queries can be found in the GreyNoise API documentation.
Check API key status
Display information about the API key in use:
> greynoise.status
expiration: 2021-10-07
message: pong
offering: enterprise_trial
Use of meta:source nodes
Synapse-GreyNoise uses a meta:source node and -(seen)> lightweight
edges to track nodes observed from the GreyNoise API.
> meta:source=510adcbf0dd722f1395232ef5647ed61
meta:source=510adcbf0dd722f1395232ef5647ed61
.created = 2026/04/24 20:26:27.420
:name = greynoise api
Storm can filter query results to include or exclude nodes that have been observed by Synapse-GreyNoise. The following example shows how to filter the results of a query to include only results observed by Synapse-GreyNoise:
> inet:ipv4#myips +{ <(seen)- meta:source=510adcbf0dd722f1395232ef5647ed61 }
inet:ipv4=4.186.56.66
.created = 2026/04/24 20:26:27.513
.seen = ('2025/12/08 00:00:00.000', '2026/04/17 00:00:00.001')
:_greynoise:category = hosting
:_greynoise:class = malicious
:_greynoise:name =
:_greynoise:noise = true
:_greynoise:orgname = microsoft corporation
:_greynoise:riot = false
:_greynoise:seen = ('2025/12/08 00:00:00.000', '2026/04/17 00:00:00.001')
:asn = 8075
:loc = in.maharashtra.pune
:type = unicast
#myips
#rep.greynoise.carries_http_referer
#rep.greynoise.connectwise_screenconnect_auth_bypass_check
#rep.greynoise.crushftp_scanner
#rep.greynoise.cve_2020_2034
#rep.greynoise.cve_2024_1709
#rep.greynoise.cve_2025_55182
#rep.greynoise.cve_2025_66478
#rep.greynoise.f5_big_ip_crawler
#rep.greynoise.fortinet_forticlient_ems_api_auth_bypass_check
#rep.greynoise.generic_suspicious_linux_command_in_request
#rep.greynoise.go_http_client
#rep.greynoise.ivanti_connect_secure_ics_scanner
#rep.greynoise.outlook_web_access_crawler
#rep.greynoise.outlook_web_access_login_crawler
#rep.greynoise.palo_alto_networks_pan_os_cve_2020_2034_crawler
#rep.greynoise.pulse_secure_vpn_scanner
#rep.greynoise.react_server_components_unsafe_deserialization_cve_2025_55182_rce_attempt
#rep.greynoise.sophos_xg_firewall_user_portal_scanner
#rep.greynoise.tls_ssl_crawler
#rep.greynoise.web_crawler
#rep.greynoise.wordpress_enumeration
inet:ipv4=8.8.8.8
.created = 2026/04/24 20:26:27.406
.seen = ('2021/09/28 00:00:00.000', '2021/09/28 00:00:00.001')
:_greynoise:category = public_dns
:_greynoise:class =
:_greynoise:name = google public dns
:_greynoise:noise = false
:_greynoise:riot = true
:_greynoise:seen = ('2021/09/28 00:00:00.000', '2021/09/28 00:00:00.001')
:_greynoise:trust = 1
:_greynoise:updated = 2026/04/17 13:11:06.000
:type = unicast
#myips
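The exclude direction of the same filter, plus a follow-on filter on the enrichment properties, as an added example that is not part of the original guide. It reuses the #myips tag and the meta:source guid shown above and assumes the two queries are run separately.

```storm
// Added example, not from the Synapse-GreyNoise documentation.
// The #myips tag and the meta:source guid are the ones shown on this page.
// Run each query separately.

// 1. Exclude: lift tagged IPs that have no <(seen)- edge from the GreyNoise
//    meta:source (not yet observed by Synapse-GreyNoise) and enrich only those.
inet:ipv4#myips -{ <(seen)- meta:source=510adcbf0dd722f1395232ef5647ed61 } | greynoise.enrich

// 2. Include: keep tagged IPs that GreyNoise has observed, then narrow on the
//    properties the enrichment set (malicious class, noise true, riot not true).
inet:ipv4#myips +{ <(seen)- meta:source=510adcbf0dd722f1395232ef5647ed61 } +:_greynoise:class=malicious +:_greynoise:noise=true -:_greynoise:riot=true
```

Against the two nodes shown in the output above, the second query keeps only inet:ipv4=4.186.56.66.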