Your firewall logs show thousands of connection attempts from unknown IPs. Are you being targeted? Or is it just background noise?
GreyNoise answers this question. They monitor the entire internet and tell you which IPs are mass-scanning everyone — not just you.
Why This Changes Everything
A SOC analyst was spending 4 hours daily triaging firewall alerts. 90% were IPs hitting every server on the internet — search engines, security researchers, botnets doing mass scans. Not targeted attacks.
After integrating GreyNoise, they filtered out the noise automatically. Those 4 hours became 30 minutes of real threats.
No API Key Needed (Community API)
The community API requires no authentication:
```python
import requests


def check_ip(ip):
    """Check if an IP is a known internet scanner."""
    response = requests.get(
        f"https://api.greynoise.io/v3/community/{ip}",
        timeout=10
    )
    if response.status_code == 200:
        data = response.json()
        print(f"IP: {data['ip']}")
        print(f"Noise: {data['noise']}")  # True = mass scanner
        print(f"RIOT: {data['riot']}")  # True = known benign (Google, CDN)
        print(f"Classification: {data.get('classification', 'Unknown')}")
        print(f"Name: {data.get('name', 'Unknown')}")
        print(f"Link: {data.get('link', 'Unknown')}")
        if data['noise']:
            print("→ This IP is scanning the entire internet. Not targeting you specifically.")
        elif data['riot']:
            print("→ This is a known benign service (CDN, search engine, etc).")
        else:
            print("→ Not seen mass-scanning. Could be targeted or just quiet.")
        return data
    # Any other status: no usable record for this IP
    print(f"{ip}: no result (HTTP {response.status_code})")
    return None


# Check some well-known IPs
check_ip("8.8.8.8")  # Google DNS
check_ip("71.6.135.131")  # Known Shodan scanner
```
Bulk Check Firewall Logs
```python
import time

import requests


def triage_alerts(ips):
    """Triage a list of IPs from firewall logs."""
    noise = []
    benign = []
    investigate = []
    for ip in ips:
        try:
            r = requests.get(f"https://api.greynoise.io/v3/community/{ip}", timeout=10)
            if r.status_code == 200:
                data = r.json()
                if data.get("riot"):
                    benign.append(f"{ip} — {data.get('name', '?')}")
                elif data.get("noise"):
                    noise.append(f"{ip} — {data.get('classification', '?')}")
                else:
                    investigate.append(ip)
            else:
                # Non-200 response: keep the IP for review instead of dropping it
                investigate.append(ip)
            time.sleep(1)  # Rate limit
        except (requests.RequestException, ValueError):
            # Network failure or unparsable body: keep the IP for review
            investigate.append(ip)
    print(f"\n✓ BENIGN ({len(benign)} IPs) — Known services:")
    for b in benign[:5]:
        print(f" {b}")
    print(f"\n📡 NOISE ({len(noise)} IPs) — Mass scanners (not targeting you):")
    for n in noise[:5]:
        print(f" {n}")
    print(f"\n🔍 INVESTIGATE ({len(investigate)} IPs) — Potentially targeted:")
    for i in investigate[:10]:
        print(f" ⚠ {i}")


# Example firewall log IPs
triage_alerts(["8.8.8.8", "1.1.1.1", "71.6.135.131", "185.220.101.1"])
```
Classifications
| Classification | Meaning |
|---|---|
| benign | Known good actor (research, CDN) |
| malicious | Known bad actor (botnet, exploit scanner) |
| unknown | Scanning, but intent unclear |
| riot | Part of RIOT dataset (business services) |
Rate Limits
| Tier | Limit | Auth |
|---|---|---|
| Community | ~50/day | No key needed |
| Free registered | 1,000/day | API key (free signup) |
| Enterprise | Unlimited | Paid |
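
With only about 50 community lookups a day, it pays to deduplicate log sources, drop non-routable addresses, and spend the budget on the most frequent IPs first. The following is an added example, not code from the original post: the `SRC=` log layout, the sample lines, and the function names are assumptions, and `lookup` stands for any function that returns the API's JSON as a dict (or `None`).

```python
import ipaddress
import re
from collections import Counter

DAILY_BUDGET = 50  # approximate community-tier limit from the table above

# Constructed sample log lines; the SRC=/DST= layout is an assumption.
SAMPLE_LOG = """\
Jan 10 03:12:01 fw DROP SRC=71.6.135.131 DST=192.168.1.10 DPT=22
Jan 10 03:12:04 fw DROP SRC=192.168.1.5 DST=192.168.1.10 DPT=445
Jan 10 03:12:09 fw DROP SRC=185.220.101.1 DST=192.168.1.10 DPT=443
Jan 10 03:12:15 fw DROP SRC=71.6.135.131 DST=192.168.1.10 DPT=23
Jan 10 03:12:21 fw DROP SRC=8.8.8.8 DST=192.168.1.10 DPT=53
Jan 10 03:12:30 fw DROP SRC=not-an-ip DST=192.168.1.10 DPT=80
Jan 10 03:12:42 fw DROP SRC=185.220.101.1 DST=192.168.1.10 DPT=443
Jan 10 03:12:55 fw DROP SRC=71.6.135.131 DST=192.168.1.10 DPT=80
"""
SRC_RE = re.compile(r"\bSRC=(\S+)")


def candidate_ips(log_text, budget=DAILY_BUDGET):
    """Unique, publicly routable source IPs, most frequent first, capped at budget."""
    hits = Counter()
    for match in SRC_RE.finditer(log_text):
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # malformed field: nothing to look up
        if addr.is_global:  # skip private, loopback and reserved ranges
            hits[str(addr)] += 1
    return [ip for ip, _ in hits.most_common(budget)]


def triage(ips, lookup, cache=None):
    """Bucket IPs using lookup(ip) -> dict or None, caching each answer."""
    cache = {} if cache is None else cache
    buckets = {"benign": [], "noise": [], "investigate": []}
    for ip in ips:
        if ip not in cache:
            cache[ip] = lookup(ip)  # at most one lookup per IP
        data = cache[ip] or {}
        if data.get("riot"):
            buckets["benign"].append(ip)
        elif data.get("noise"):
            buckets["noise"].append(ip)
        else:
            buckets["investigate"].append(ip)  # no record: a human decides
    return buckets
```

Persist `cache` between runs so an IP that reappears in tomorrow's logs does not cost a second lookup.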
What You Can Build
- SIEM enrichment — auto-classify IPs in Splunk/ELK alerts
- Firewall triage — filter out internet noise from real threats
- Threat feeds — build custom blocklists excluding noise
- SOC dashboards — show real vs noise ratio in real-time
The difference between a 4-hour triage and a 30-minute one is knowing what to ignore.
More free security APIs on my GitHub.