Basic vs. Advanced

Data Included with GreyNoise Basic Package

Noise Dataset

The following fields are included from the Noise dataset at no extra cost with GreyNoise Basic:

Noise Basic Field Name Field Type Example Noise Basic Field Description

Noise Basic Field Name	Field Type	Example	Noise Basic Field Description
`ip`	string	1.2.3.4	IP address that information is about.
`actor`	string	unknown	The confirmed owner/operator of this IP address.
`classification`	string	unknown	IP Classification - possible options: benign, unknown, malicious.
`last_seen`	date	2022-09-19	Date of last observed behavior on the GreyNoise Sensor network (format: YYYY-MM-DD).

ip

string

1.2.3.4

IP address that information is about.

actor

string

unknown

The confirmed owner/operator of this IP address.

classification

string

unknown

IP Classification - possible options: benign, unknown, malicious.

last_seen

date

2022-09-19

Date of last observed behavior on the GreyNoise Sensor network (format: YYYY-MM-DD).

RIOT Dataset

The following fields are included from the RIOT dataset at no extra cost with GreyNoise Basic:

RIOT Basic Field Name Field Type Example RIOT Basic Field Description

RIOT Basic Field Name	Field Type	Example	RIOT Basic Field Description
`ip`	string	8.8.8.8	IP address that information is about.
`name`	string	Google Public DNS	The name of the provider and/or service.

ip

string

8.8.8.8

IP address that information is about.

name

string

Google Public DNS

The name of the provider and/or service.

Data Included with GreyNoise Advanced Package

Noise Dataset

The following fields are included from the Noise dataset with GreyNoise Advanced:

Noise Advanced Field Name Field Type Example Noise Advanced Field Description

Noise Advanced Field Name	Field Type	Example	Noise Advanced Field Description
`actor`	string	unknown	The confirmed owner/operator of this IP address.
`bot`	boolean	false	Data Enrichment - IP is associated with known bot activity.
`classification`	string	unknown	IP Classification - possible options: benign, unknown, malicious.
`cve`	string list	[ "CVE-2021-38645", "CVE-2021-38647" ]	List of CVEs the IP has been observed scanning for or exploiting
`first_seen`	date	2021-11-23	Date of first observed behavior on the GreyNoise Sensor network (format: YYYY-MM-DD).
`ip`	string	1.2.3.4	IP address that information is about
`last_seen_timestamp`	date	2021-12-31	Date of last observed behavior on the GreyNoise Sensor network (format: YYYY-MM-DD).
`metadata`	object	{ "asn": "AS37963", "category": "hosting", "city": "Hangzhou", "country": "China", "country_code": "CN", "organization": "Hangzhou Alibaba Advertising Co.,Ltd.", "os": "Linux 3.11+", "sensor_hits": 214, "sensor_count": 20, "rdns": "", "region": "Zhejiang", "destination_countries": ['Belarus'], "destination_country_codes": ['BY'], "tor": false }	Data Enrichment - Additional IP metadata.
`metadata.asn`	string	AS37963	Data Enrichment - IPs attached ASN.
`metadata.category`	string	hosting	Data Enrichment - IPs attached category.
`metadata.city`	string	Miami	Data Enrichment - IPs attached city.
`metadata.country`	string	United States	Data Enrichment - IPs attached country.
`metadata.country_code`	string	US	Data Enrichment - IPs attached country code.
`metadata.destination_countires`	string list	['Belarus']	List of countries where Sensors that received scanning traffic are located
`metadata.destination_country_codes`	string list	['BY']	List of country codes where Sensors that received scanning traffic are located
`metadata.organization`	string	FranTech Solutions	Data Enrichment - IPs attached organization.
`metadata.os`	string	Linux 2.2-3.x	Data Enrichment - IPs attached operating system.
`metadata.rdns`	string	miamitor4.us	Data Enrichment - rDNS lookup for IP.
`metadata.region`	string	Florida	Data Enrichment - IPs attached region.
`metadata.sensor_count`	int	20	Number of sensor events observed
`metadata.sensor_hits`	int	210	Number of scanning events observed
`metadata.tor`	boolean	true	Data Enrichment - IP is a known tor exit node.
`raw_data`	object	{ "hassh": [ { "fingerprint": "a7a87fbe86774c2e40cc4a7ea2ab1b3c", "port": 22 } ], "ja3": [ { "fingerprint": "19e29534fd49dd27d09234e639c4057e", "port": 8443 } ], "scan": [ { "port": 22, "protocol": "TCP" } ], "web": { "paths": [ "/favicon.ico" ], "useragents": [ "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" ] } }	Observed Activity captured by the GreyNoise sensor network.
`raw_data.hassh`	object list	[ { "fingerprint": "a7a87fbe86774c2e40cc4a7ea2ab1b3c", "port": 22 } ]	Observed HAASH activity.
`raw_data.hassh.fingerprint`	string	a7a87fbe86774c2e40cc4a7ea2ab1b3c	HASSH Fingerprint captured.
`raw_data.hassh.port`	int	22	Port observed activity occurred on
`raw_data.ja3`	object list	[ { "fingerprint": "19e29534fd49dd27d09234e639c4057e", "port": 8443 } ]	Observed JA3 activity.
`raw_data.ja3.fingerprint`	string	19e29534fd49dd27d09234e639c4057e	JA3 Fingerprint captured
`raw_data.ja3.port`	int	8443	Port observed activity occurred on.
`raw_data.scan`	object list	[ { "port": 22, "protocol": "TCP" } ]
`raw_data.scan.port`	int	22	Port observed activity occurred on.
`raw_data.scan.protocol`	string	TCP	Protocol observed activity occurred on.
`raw_data.web`	object	{ "paths": [ "/favicon.ico" ], "useragents": [ "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" ] }	Observed scanning activity occurred with these web objects.
`raw_data.web.paths`	string list	[ "/favicon.ico" ]	Observed scanning activity traversed this web path.
`raw_data.web.useragents`	string list	[ "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" ]	Observed scanning activity used these user agents.
`spoofable`	boolean	false	Did this IP complete a three-way handshake with the GreyNoise sensor network? If false, indicates that traffic may be spoofed.
`tags`	string list	[ "Carries HTTP Referer", "Cobalt Strike SSH Client", "Follows HTTP Redirects" ]	List of GreyNoise tags associated with the observed scanning behavior performed by this IP.
`vpn`	boolean	false	Data Enrichment - IP is a known VPN service IP.
`vpn_service`	string	PIA_VPN	If IP is a known VPN, the name of the associated VPN Service.

actor

string

unknown

The confirmed owner/operator of this IP address.

bot

boolean

false

Data Enrichment - IP is associated with known bot activity.

classification

string

unknown

IP Classification - possible options: benign, unknown, malicious.

cve

string list

[ "CVE-2021-38645", "CVE-2021-38647" ]

List of CVEs the IP has been observed scanning for or exploiting

first_seen

date

2021-11-23

Date of first observed behavior on the GreyNoise Sensor network (format: YYYY-MM-DD).

ip

string

1.2.3.4

IP address that information is about

last_seen_timestamp

date

2021-12-31

Date of last observed behavior on the GreyNoise Sensor network (format: YYYY-MM-DD).

metadata

object

{

"asn": "AS37963",

"category": "hosting",

"city": "Hangzhou",

"country": "China",

"country_code": "CN",

"organization": "Hangzhou Alibaba Advertising Co.,Ltd.",

"os": "Linux 3.11+",

"sensor_hits": 214,

"sensor_count": 20,

"rdns": "",

"region": "Zhejiang",

"destination_countries": ['Belarus'], "destination_country_codes": ['BY'],

"tor": false

}

Data Enrichment - Additional IP metadata.

metadata.asn

string

AS37963

Data Enrichment - IPs attached ASN.

metadata.category

string

hosting

Data Enrichment - IPs attached category.

metadata.city

string

Miami

Data Enrichment - IPs attached city.

metadata.country

string

United States

Data Enrichment - IPs attached country.

metadata.country_code

string

Data Enrichment - IPs attached country code.

metadata.destination_countires

string list

['Belarus']

List of countries where Sensors that received scanning traffic are located

metadata.destination_country_codes

string list

['BY']

List of country codes where Sensors that received scanning traffic are located

metadata.organization

string

FranTech Solutions

Data Enrichment - IPs attached organization.

metadata.os

string

Linux 2.2-3.x

Data Enrichment - IPs attached operating system.

metadata.rdns

string

miamitor4.us

Data Enrichment - rDNS lookup for IP.

metadata.region

string

Florida

Data Enrichment - IPs attached region.

metadata.sensor_count

int

Number of sensor events observed

metadata.sensor_hits

int

210

Number of scanning events observed

metadata.tor

boolean

true

Data Enrichment - IP is a known tor exit node.

raw_data

object

{ "hassh": [ { "fingerprint": "a7a87fbe86774c2e40cc4a7ea2ab1b3c", "port": 22 } ], "ja3": [ { "fingerprint": "19e29534fd49dd27d09234e639c4057e", "port": 8443 } ], "scan": [ { "port": 22, "protocol": "TCP" } ], "web": { "paths": [ "/favicon.ico" ], "useragents": [ "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" ] } }

Observed Activity captured by the GreyNoise sensor network.

raw_data.hassh

object list

[ { "fingerprint": "a7a87fbe86774c2e40cc4a7ea2ab1b3c", "port": 22 } ]

Observed HAASH activity.

raw_data.hassh.fingerprint

string

a7a87fbe86774c2e40cc4a7ea2ab1b3c

HASSH Fingerprint captured.

raw_data.hassh.port

int

Port observed activity occurred on

raw_data.ja3

object list

[ { "fingerprint": "19e29534fd49dd27d09234e639c4057e", "port": 8443 } ]

Observed JA3 activity.

raw_data.ja3.fingerprint

string

19e29534fd49dd27d09234e639c4057e

JA3 Fingerprint captured

raw_data.ja3.port

int

8443

Port observed activity occurred on.

raw_data.scan

object list

[ { "port": 22, "protocol": "TCP" } ]

raw_data.scan.port

int

Port observed activity occurred on.

raw_data.scan.protocol

string

TCP

Protocol observed activity occurred on.

raw_data.web

object

{ "paths": [ "/favicon.ico" ], "useragents": [ "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" ] }

Observed scanning activity occurred with these web objects.

raw_data.web.paths

string list

[

"/favicon.ico"

]

Observed scanning activity traversed this web path.

raw_data.web.useragents

string list

[ "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" ]

Observed scanning activity used these user agents.

spoofable

boolean

false

Did this IP complete a three-way handshake with the GreyNoise sensor network? If false, indicates that traffic may be spoofed.

tags

string list

[ "Carries HTTP Referer", "Cobalt Strike SSH Client", "Follows HTTP Redirects" ]

List of GreyNoise tags associated with the observed scanning behavior performed by this IP.

vpn

boolean

false

Data Enrichment - IP is a known VPN service IP.

vpn_service

string

PIA_VPN

If IP is a known VPN, the name of the associated VPN Service.

RIOT Dataset

The following fields are included from the RIOT dataset with GreyNoise Advanced:

RIOT Advanced Field Name Field Type Example RIOT Advanced Field Description

RIOT Advanced Field Name	Field Type	Example	RIOT Advanced Field Description
`ip`	string	8.8.8.8	IP address that information is about.
`name`	string	Google Public DNS	The name of the provider and/or service.
`category`	string	public_dns	The RIOT category the provider belongs to identifying the type of service provided.
`description`	string	Google's global domain name system (DNS) resolution service.	A description of the provider and what they do.
`explanation`	string	Public DNS services are used as alternatives to ISP's name servers. You may see devices on your network communicating with Google Public DNS over port 53/TCP or 53/UDP to resolve DNS lookups.	An explanation of the category type and what may be expected from this provider and category.
`last_updated`	datetime	2021-11-24T11:42:37Z	Date and time when this record was last updated from its source (format: YYYY-MM-DDTHH:MM:SSZ).
`logo_url`	string	https[:]//upload.wikimedia.org/wikipedia/ commons/2/2f/Google_2015_logo.svg	URL to a logo for the provider (unused in most cases and generally can be ignored/excluded).
`reference`	url	https[:]//developers.google.com/speed/ public-dns/docs/isp#alternative	Reference URL for information about this provider and/or service.
`trust_level`	string	1	GreyNoise defines the trust level assigned to this IP/provider. Additional information on trust levels can be found here.

ip

string

8.8.8.8

IP address that information is about.

name

string

Google Public DNS

The name of the provider and/or service.

category

string

public_dns

The RIOT category the provider belongs to identifying the type of service provided.

description

string

Google's global domain name system (DNS) resolution service.

A description of the provider and what they do.

explanation

string

Public DNS services are used as alternatives to ISP's name servers. You may see devices on your network communicating with Google Public DNS over port 53/TCP or 53/UDP to resolve DNS lookups.

An explanation of the category type and what may be expected from this provider and category.

last_updated

datetime

2021-11-24T11:42:37Z

Date and time when this record was last updated from its source (format: YYYY-MM-DDTHH:MM:SSZ).

logo_url

string

https[:]//upload.wikimedia.org/wikipedia/ commons/2/2f/Google_2015_logo.svg

URL to a logo for the provider (unused in most cases and generally can be ignored/excluded).

reference

url

https[:]//developers.google.com/speed/ public-dns/docs/isp#alternative

Reference URL for information about this provider and/or service.

trust_level

string

GreyNoise defines the trust level assigned to this IP/provider. Additional information on trust levels can be found here.

PreviousGreyNoise NextGreyNoise Helper Function Usage and Methods

Last updated 1 year ago