GreyNoise Intelligence · Schema
CallbackFilterFields
Common filter fields for callback IP queries.
SecurityThreat IntelligenceCybersecurityIP ReputationVulnerability ManagementNetwork TelemetrySOC AutomationPublic APIs
Properties
| Name | Type | Description |
|---|---|---|
| is_stage_1 | boolean | Filter by stage 1 status. true = file downloaded from this IP. |
| is_stage_2 | boolean | Filter by stage 2 status. true = suspected C2 based on VT/sandbox analysis. |
| first_seen_after | string | Only include IPs first seen after this date (YYYY-MM-DD). |
| first_seen_before | string | Only include IPs first seen before this date (YYYY-MM-DD). |
| last_seen_after | string | Only include IPs last seen after this date (YYYY-MM-DD). |
| last_seen_before | string | Only include IPs last seen before this date (YYYY-MM-DD). |
| has_files | boolean | If true, only include IPs with associated malware files. If false, only IPs without files. |
| file_type | string | Filter by file MIME type (e.g. "application/x-executable"). |
| file_name | string | Filter by file name substring match. |
| file_hash | string | Filter by file SHA256 hash. |
| scanner_ips | array | Filter to IPs associated with these scanner IPs. |
| ips | array | Filter to this specific set of callback IPs. |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://api-evangelist.github.io/greynoise/json-schema/greynoise-callback-filter-fields-schema.json",
"title": "CallbackFilterFields",
"type": "object",
"description": "Common filter fields for callback IP queries.",
"properties": {
"is_stage_1": {
"type": "boolean",
"description": "Filter by stage 1 status. true = file downloaded from this IP.\n",
"example": false
},
"is_stage_2": {
"type": "boolean",
"description": "Filter by stage 2 status. true = suspected C2 based on VT/sandbox analysis.\n",
"example": false
},
"first_seen_after": {
"type": "string",
"format": "date",
"description": "Only include IPs first seen after this date (YYYY-MM-DD).",
"example": "2026-05-01"
},
"first_seen_before": {
"type": "string",
"format": "date",
"description": "Only include IPs first seen before this date (YYYY-MM-DD).",
"example": "2026-05-01"
},
"last_seen_after": {
"type": "string",
"format": "date",
"description": "Only include IPs last seen after this date (YYYY-MM-DD).",
"example": "2026-05-01"
},
"last_seen_before": {
"type": "string",
"format": "date",
"description": "Only include IPs last seen before this date (YYYY-MM-DD).",
"example": "2026-05-01"
},
"has_files": {
"type": "boolean",
"description": "If true, only include IPs with associated malware files. If false, only IPs without files.",
"example": false
},
"file_type": {
"type": "string",
"description": "Filter by file MIME type (e.g. \"application/x-executable\").",
"example": "string"
},
"file_name": {
"type": "string",
"description": "Filter by file name substring match.",
"example": "Google Public DNS"
},
"file_hash": {
"type": "string",
"description": "Filter by file SHA256 hash.",
"example": "795bc7ce13f60d61e9ac03611dd36d90"
},
"scanner_ips": {
"type": "array",
"items": {
"type": "string"
},
"description": "Filter to IPs associated with these scanner IPs.",
"example": [
"string"
]
},
"ips": {
"type": "array",
"items": {
"type": "string"
},
"description": "Filter to this specific set of callback IPs.",
"example": [
"string"
]
}
}
}