Overview
The GreyNoise Enterprise node enables users to perform advanced queries and retrieve statistical data from the GreyNoise dataset using GNQL (GreyNoise Query Language). GNQL is a domain-specific query language based on Lucene, designed for complex and flexible querying of internet background noise data collected by GreyNoise.
This node is particularly useful for security analysts and researchers who want to:
- Investigate network traffic patterns by filtering out benign or noisy IPs.
- Perform custom searches on large datasets of IP activity.
- Obtain aggregate statistics about top organizations, actors, tags, ASNs, countries, classifications, and operating systems related to queried data.
Practical examples:
- Querying all IPs flagged with a specific tag or classification within a time range.
- Retrieving the top 100 organizations involved in suspicious scanning activity.
- Filtering results to only include IPs from certain countries or ASNs.
Properties
Name | Meaning |
---|---|
Query | The GNQL query string used to filter and search the GreyNoise dataset. |
Limit | The maximum number of results to return (only applicable for the GNQL Query operation). |
- Query: A required string input where you specify your GNQL query.
- Limit: An optional number input specifying how many results to return; defaults to 50, with allowed values between 1 and 10,000.
Output
The node outputs JSON data under the `json` field containing the response from the GreyNoise API:
- For the GNQL Query operation, the output contains an array of matching records from the GreyNoise dataset according to the specified query and limit.
- For the GNQL Stats operation, the output provides aggregated statistics such as counts of top organizations, actors, tags, ASNs, countries, classifications, and operating systems relevant to the query.
No binary data output is produced by this node.
Dependencies
- Requires access to the GreyNoise API endpoint at https://api.greynoise.io.
- Needs an API authentication token configured in n8n credentials to authorize requests.
- The node uses HTTP GET requests with query parameters for the GNQL operations.
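The input checks and request shape described above, as an added example that is not the node's own code. It quotes untrusted values before they enter a GNQL string, enforces the 1 to 10,000 limit, and keeps the token out of the URL. The path `/v2/experimental/gnql`, the parameter names `query` and `size`, the header name `key`, the GNQL field names and the helper names are assumptions, not taken from this page.

```javascript
// Added example: validate inputs and build the GNQL GET request offline.
// Assumptions (not from the page): GNQL_PATH, the `query`/`size` parameter
// names, the `key` header name, and the GNQL fields used in the sample.
const BASE_URL = 'https://api.greynoise.io'; // from the page
const GNQL_PATH = '/v2/experimental/gnql';   // assumption
const DEFAULT_LIMIT = 50;                    // from the page
const MAX_LIMIT = 10000;                     // from the page

// Quote a value so untrusted workflow input cannot append extra GNQL clauses.
function gnqlTerm(field, value) {
  if (!/^[a-z_.]+$/.test(field)) throw new Error(`bad field name: ${field}`);
  const escaped = String(value).replace(/(["\\])/g, '\\$1');
  return `${field}:"${escaped}"`;
}

// Build the request description without sending it.
function buildGnqlRequest(query, limit = DEFAULT_LIMIT, apiKey = '') {
  if (typeof query !== 'string' || query.trim() === '') {
    throw new Error('Query is required');
  }
  if (!Number.isInteger(limit) || limit < 1 || limit > MAX_LIMIT) {
    throw new RangeError(`Limit must be an integer between 1 and ${MAX_LIMIT}`);
  }
  if (!apiKey) throw new Error('API token is missing');
  const url = new URL(GNQL_PATH, BASE_URL);
  url.searchParams.set('query', query.trim());
  url.searchParams.set('size', String(limit));
  // The token travels in a header so it does not land in URL logs.
  return {
    method: 'GET',
    url: url.toString(),
    headers: { key: apiKey, accept: 'application/json' },
  };
}

// Constructed sample input: a tag plus a classification filter.
const sampleQuery = [
  gnqlTerm('tags', 'Mirai'),
  gnqlTerm('classification', 'malicious'),
].join(' ');
const sampleRequest = buildGnqlRequest(sampleQuery, 100, 'PLACEHOLDER_TOKEN');
console.log(sampleRequest.url);
```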
Troubleshooting
Common issues:
- Invalid or malformed GNQL query strings may cause the API to return errors or empty results.
- Exceeding the maximum allowed limit (10,000) will likely result in an error.
- Missing or invalid API authentication token will cause authorization failures.
Error messages:
- "Invalid query syntax": Check the GNQL query format and correct any syntax errors.
- "Unauthorized" or "Authentication failed": Verify that the API key credential is correctly set up in n8n.
- "Request limit exceeded": Reduce the `Limit` value or optimize the query to return fewer results.