Your firewall logs show thousands of connection attempts from unknown IPs. Are you being targeted? Or is it just background noise?
GreyNoise answers this question. They monitor the entire internet and tell you which IPs are mass-scanning everyone — not just you.
## Why This Changes Everything
A SOC analyst was spending 4 hours daily triaging firewall alerts. 90% were IPs hitting every server on the internet — search engines, security researchers, botnets doing mass scans. Not targeted attacks.
After integrating GreyNoise, they filtered out the noise automatically. Those 4 hours became 30 minutes of real threats.
## No API Key Needed (Community API)
The community API requires no authentication:
```python
import requests


def check_ip(ip):
    """Check if an IP is a known internet scanner."""
    response = requests.get(
        f"https://api.greynoise.io/v3/community/{ip}",
        timeout=10,
    )
    if response.status_code != 200:
        # GreyNoise answers 404 for IPs it has not seen scanning and that are
        # not in RIOT; anything else is an API problem. Either way there is no record.
        print(f"IP: {ip} -> no record (HTTP {response.status_code})")
        return None

    data = response.json()
    print(f"IP: {data['ip']}")
    print(f"Noise: {data['noise']}")  # True = mass scanner
    print(f"RIOT: {data['riot']}")  # True = known benign (Google, CDN)
    print(f"Classification: {data['classification']}")
    print(f"Name: {data.get('name', 'Unknown')}")
    print(f"Link: {data['link']}")

    if data['noise']:
        print("→ This IP is scanning the entire internet. Not targeting you specifically.")
    elif data['riot']:
        print("→ This is a known benign service (CDN, search engine, etc).")
    else:
        print("→ Not seen mass-scanning. Could be targeted or just quiet.")
    return data


# Check some well-known IPs
check_ip("8.8.8.8")  # Google DNS
check_ip("71.6.135.131")  # Known Shodan scanner
```
## Bulk Check Firewall Logs
```python
import time

import requests


def triage_alerts(ips):
    """Triage a list of IPs from firewall logs."""
    noise = []
    benign = []
    investigate = []

    for ip in ips:
        try:
            r = requests.get(f"https://api.greynoise.io/v3/community/{ip}", timeout=10)
            if r.status_code == 200:
                data = r.json()
                if data.get("riot"):
                    benign.append(f"{ip} — {data.get('name', '?')}")
                elif data.get("noise"):
                    noise.append(f"{ip} — {data.get('classification', '?')}")
                else:
                    investigate.append(ip)
            else:
                # Not seen by GreyNoise (404) or an API error: never drop it silently
                investigate.append(ip)
            time.sleep(1)  # Rate limit
        except requests.RequestException:
            # Network failure: keep the IP in the review queue rather than losing it
            investigate.append(ip)

    print(f"\n✓ BENIGN ({len(benign)} IPs) — Known services:")
    for b in benign[:5]:
        print(f"  {b}")

    print(f"\n📡 NOISE ({len(noise)} IPs) — Mass scanners (not targeting you):")
    for n in noise[:5]:
        print(f"  {n}")

    print(f"\n🔍 INVESTIGATE ({len(investigate)} IPs) — Potentially targeted:")
    for i in investigate[:10]:
        print(f"  ⚠ {i}")


# Example firewall log IPs
triage_alerts(["8.8.8.8", "1.1.1.1", "71.6.135.131", "185.220.101.1"])
```
## Classifications
| Classification | Meaning |
|---|---|
| benign | Known good actor (research, CDN) |
| malicious | Known bad actor (botnet, exploit scanner) |
| unknown | Scanning, but intent unclear |
| riot | Part of RIOT dataset (business services) |
## Rate Limits
| Tier | Limit | Auth |
|---|---|---|
| Community | ~50/day | No key needed |
| Free registered | 1,000/day | API key (free signup) |
| Enterprise | Unlimited | Paid |
## What You Can Build
- SIEM enrichment — auto-classify IPs in Splunk/ELK alerts
- Firewall triage — filter out internet noise from real threats
- Threat feeds — build custom blocklists excluding noise
- SOC dashboards — show real vs noise ratio in real-time
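The firewall-triage and blocklist ideas above share one practical constraint: the community tier gives you roughly 50 lookups a day, so you cannot afford to query the API once per log line. The example below is an addition to this post (not GreyNoise's code and not the snippets above): it pulls source IPs out of raw firewall lines, discards private and malformed addresses before they cost a lookup, queries each distinct IP once through a persistent cache, and turns the result into a blocklist that excludes both RIOT services and internet noise. The log lines and the `FAKE_GREYNOISE` table are constructed so it runs offline; swap `fake_lookup` for `greynoise_lookup` (a stdlib-only version of the same community endpoint) to run it live.

```python
import ipaddress
import json
import re
import urllib.error
import urllib.request
from collections import Counter

# Constructed sample firewall log (iptables-style lines invented for this example).
SAMPLE_LOG = """\
Jan 12 03:14:07 fw kernel: DROP IN=eth0 SRC=8.8.8.8 DST=10.0.0.5 PROTO=UDP DPT=53
Jan 12 03:14:09 fw kernel: DROP IN=eth0 SRC=71.6.135.131 DST=10.0.0.5 PROTO=TCP DPT=22
Jan 12 03:14:11 fw kernel: DROP IN=eth0 SRC=71.6.135.131 DST=10.0.0.5 PROTO=TCP DPT=443
Jan 12 03:14:12 fw kernel: DROP IN=eth0 SRC=192.168.1.20 DST=10.0.0.5 PROTO=TCP DPT=445
Jan 12 03:14:15 fw kernel: DROP IN=eth0 SRC=185.220.101.1 DST=10.0.0.5 PROTO=TCP DPT=3389
Jan 12 03:14:16 fw kernel: DROP IN=eth0 SRC=185.220.101.1 DST=10.0.0.5 PROTO=TCP DPT=3389
Jan 12 03:14:20 fw kernel: DROP IN=eth0 SRC=not-an-ip DST=10.0.0.5 PROTO=TCP DPT=80
"""

# Constructed stand-in for the community API's JSON so the example runs offline.
# Field names match what the post's check_ip() prints; the values are invented and a
# live lookup may return something different. IPs missing here model a 404 (unseen).
FAKE_GREYNOISE = {
    "8.8.8.8": {"ip": "8.8.8.8", "noise": False, "riot": True,
                "classification": "benign", "name": "Google Public DNS", "link": "n/a"},
    "71.6.135.131": {"ip": "71.6.135.131", "noise": True, "riot": False,
                     "classification": "benign", "name": "Shodan.io", "link": "n/a"},
}

SRC_RE = re.compile(r"\bSRC=(\S+)")


def extract_public_ips(log_text):
    """Return a Counter of routable source IPs; private ranges and junk never reach the API."""
    hits = Counter()
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed SRC field, not worth a lookup
        if addr.is_global:  # skips RFC 1918, loopback, link-local, reserved
            hits[str(addr)] += 1
    return hits


def greynoise_lookup(ip):
    """Live community lookup using only the stdlib. Returns the JSON dict, or None on 404."""
    url = f"https://api.greynoise.io/v3/community/{ip}"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None  # not observed scanning and not in RIOT
        raise


def fake_lookup(ip):
    """Offline lookup against the constructed table above."""
    return FAKE_GREYNOISE.get(ip)


def triage_log(log_text, lookup=fake_lookup, cache=None):
    """Classify each distinct public source IP once. Pass the same `cache` dict across
    runs (or persist it to disk) so the daily quota is spent only on new IPs."""
    cache = {} if cache is None else cache
    counts = extract_public_ips(log_text)
    result = {"benign": [], "noise": [], "investigate": [], "api_calls": 0}
    for ip, n in counts.most_common():
        if ip not in cache:
            cache[ip] = lookup(ip)  # a None result is cached too: 404 is an answer
            result["api_calls"] += 1
        data = cache[ip]
        if data is None:
            result["investigate"].append((ip, n))
        elif data.get("riot"):
            result["benign"].append((ip, n, data.get("name", "?")))
        elif data.get("noise"):
            result["noise"].append((ip, n, data.get("classification", "?")))
        else:
            result["investigate"].append((ip, n))
    return result


def build_blocklist(result):
    """Candidate blocklist: only the IPs GreyNoise could not explain away."""
    return sorted(ip for ip, *_ in result["investigate"])


if __name__ == "__main__":
    cache = {}
    res = triage_log(SAMPLE_LOG, cache=cache)
    print(f"lookups used: {res['api_calls']}")
    print("blocklist candidates:", build_blocklist(res))
```

Seven log lines become three lookups here, and a second run over the same log costs none because the cache already holds every verdict, including the "unseen" ones. Feeding `build_blocklist()` into a firewall or SIEM watchlist is what "blocklist excluding noise" means in practice: Shodan and Google never make it onto the list, while the IP nobody has seen mass-scanning does.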
The difference between a 4-hour triage and a 30-minute one is knowing what to ignore.
More free security APIs on my GitHub.