Basic vs. Advanced

Data Included with GreyNoise Basic Package

Noise Dataset

The following fields are included from the Noise dataset at no extra cost with GreyNoise Basic:

| Noise Basic Field Name | Field Type | Example | Noise Basic Field Description |
|---|---|---|---|
| ip | string | 1.2.3.4 | IP address that information is about. |
| actor | string | unknown | The confirmed owner/operator of this IP address. |
| classification | string | unknown | IP Classification - possible options: benign, unknown, malicious. |
| last_seen | date | 2022-09-19 | Date of last observed behavior on the GreyNoise Sensor network (format: YYYY-MM-DD). |

RIOT Dataset

The following fields are included from the RIOT dataset at no extra cost with GreyNoise Basic:

| RIOT Basic Field Name | Field Type | Example | RIOT Basic Field Description |
|---|---|---|---|
| ip | string | 8.8.8.8 | IP address that information is about. |
| name | string | Google Public DNS | The name of the provider and/or service. |

Data Included with GreyNoise Advanced Package

Noise Dataset

The following fields are included from the Noise dataset with GreyNoise Advanced:

| Noise Advanced Field Name | Field Type | Example | Noise Advanced Field Description |
|---|---|---|---|
| actor | string | unknown | The confirmed owner/operator of this IP address. |
| bot | boolean | false | Data Enrichment - IP is associated with known bot activity. |
| classification | string | unknown | IP Classification - possible options: benign, unknown, malicious. |
| cve | string list | [ "CVE-2021-38645", "CVE-2021-38647" ] | List of CVEs the IP has been observed scanning for or exploiting. |
| first_seen | date | 2021-11-23 | Date of first observed behavior on the GreyNoise Sensor network (format: YYYY-MM-DD). |
| ip | string | 1.2.3.4 | IP address that information is about. |
| last_seen_timestamp | date | 2021-12-31 | Date of last observed behavior on the GreyNoise Sensor network (format: YYYY-MM-DD). |
| metadata | object | { "asn": "AS37963", "category": "hosting", "city": "Hangzhou", "country": "China", "country_code": "CN", "organization": "Hangzhou Alibaba Advertising Co.,Ltd.", "os": "Linux 3.11+", "sensor_hits": 214, "sensor_count": 20, "rdns": "", "region": "Zhejiang", "destination_countries": ["Belarus"], "destination_country_codes": ["BY"], "tor": false } | Data Enrichment - Additional IP metadata. |
| metadata.asn | string | AS37963 | Data Enrichment - IP's attached ASN. |
| metadata.category | string | hosting | Data Enrichment - IP's attached category. |
| metadata.city | string | Miami | Data Enrichment - IP's attached city. |
| metadata.country | string | United States | Data Enrichment - IP's attached country. |
| metadata.country_code | string | US | Data Enrichment - IP's attached country code. |
| metadata.destination_countries | string list | ["Belarus"] | List of countries where Sensors that received scanning traffic are located. |
| metadata.destination_country_codes | string list | ["BY"] | List of country codes where Sensors that received scanning traffic are located. |
| metadata.organization | string | FranTech Solutions | Data Enrichment - IP's attached organization. |
| metadata.os | string | Linux 2.2-3.x | Data Enrichment - IP's attached operating system. |
| metadata.rdns | string | miamitor4.us | Data Enrichment - rDNS lookup for IP. |
| metadata.region | string | Florida | Data Enrichment - IP's attached region. |
| metadata.sensor_count | int | 20 | Number of sensor events observed. |
| metadata.sensor_hits | int | 210 | Number of scanning events observed. |
| metadata.tor | boolean | true | Data Enrichment - IP is a known Tor exit node. |
| raw_data | object | { "hassh": [ { "fingerprint": "a7a87fbe86774c2e40cc4a7ea2ab1b3c", "port": 22 } ], "ja3": [ { "fingerprint": "19e29534fd49dd27d09234e639c4057e", "port": 8443 } ], "scan": [ { "port": 22, "protocol": "TCP" } ], "web": { "paths": [ "/favicon.ico" ], "useragents": [ "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" ] } } | Observed activity captured by the GreyNoise sensor network. |
| raw_data.hassh | object list | [ { "fingerprint": "a7a87fbe86774c2e40cc4a7ea2ab1b3c", "port": 22 } ] | Observed HASSH activity. |
| raw_data.hassh.fingerprint | string | a7a87fbe86774c2e40cc4a7ea2ab1b3c | HASSH fingerprint captured. |
| raw_data.hassh.port | int | 22 | Port observed activity occurred on. |
| raw_data.ja3 | object list | [ { "fingerprint": "19e29534fd49dd27d09234e639c4057e", "port": 8443 } ] | Observed JA3 activity. |
| raw_data.ja3.fingerprint | string | 19e29534fd49dd27d09234e639c4057e | JA3 fingerprint captured. |
| raw_data.ja3.port | int | 8443 | Port observed activity occurred on. |
| raw_data.scan | object list | [ { "port": 22, "protocol": "TCP" } ] | Observed scanning activity (port and protocol). |
| raw_data.scan.port | int | 22 | Port observed activity occurred on. |
| raw_data.scan.protocol | string | TCP | Protocol observed activity occurred on. |
| raw_data.web | object | { "paths": [ "/favicon.ico" ], "useragents": [ "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" ] } | Observed scanning activity occurred with these web objects. |
| raw_data.web.paths | string list | [ "/favicon.ico" ] | Observed scanning activity traversed these web paths. |
| raw_data.web.useragents | string list | [ "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" ] | Observed scanning activity used these user agents. |
| spoofable | boolean | false | Did this IP complete a three-way handshake with the GreyNoise sensor network? If false, indicates that traffic may be spoofed. |
| tags | string list | [ "Carries HTTP Referer", "Cobalt Strike SSH Client", "Follows HTTP Redirects" ] | List of GreyNoise tags associated with the observed scanning behavior performed by this IP. |
| vpn | boolean | false | Data Enrichment - IP is a known VPN service IP. |
| vpn_service | string | PIA_VPN | If IP is a known VPN, the name of the associated VPN service. |

RIOT Dataset

The following fields are included from the RIOT dataset with GreyNoise Advanced:

| RIOT Advanced Field Name | Field Type | Example | RIOT Advanced Field Description |
|---|---|---|---|
| ip | string | 8.8.8.8 | IP address that information is about. |
| name | string | Google Public DNS | The name of the provider and/or service. |
| category | string | public_dns | The RIOT category the provider belongs to, identifying the type of service provided. |
| description | string | Google's global domain name system (DNS) resolution service. | A description of the provider and what they do. |
| explanation | string | Public DNS services are used as alternatives to ISP's name servers. You may see devices on your network communicating with Google Public DNS over port 53/TCP or 53/UDP to resolve DNS lookups. | An explanation of the category type and what may be expected from this provider and category. |
| last_updated | datetime | 2021-11-24T11:42:37Z | Date and time when this record was last updated from its source (format: YYYY-MM-DDTHH:MM:SSZ). |
| logo_url | string | https[:]//upload.wikimedia.org/wikipedia/commons/2/2f/Google_2015_logo.svg | URL to a logo for the provider (unused in most cases and generally can be ignored/excluded). |
| reference | url | https[:]//developers.google.com/speed/public-dns/docs/isp#alternative | Reference URL for information about this provider and/or service. |
| trust_level | string | 1 | GreyNoise defines the trust level assigned to this IP/provider. Additional information on trust levels can be found here. |
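As an added example (not GreyNoise's own code or SDK), the following Python triages one IP from a Noise record and a RIOT record shaped like the fields above, checking RIOT first, then classification, spoofable, staleness of last_seen, CVEs, scanned ports and anonymizer flags. The record contents, the 90-day staleness threshold and the verdict names are constructed assumptions.

```python
from datetime import date

# Constructed Noise (Advanced) record built from the example cells above.
NOISE_RECORD = {
    "ip": "1.2.3.4", "actor": "unknown", "classification": "malicious",
    "spoofable": False, "vpn": False, "last_seen_timestamp": "2021-12-31",
    "cve": ["CVE-2021-38645", "CVE-2021-38647"],
    "tags": ["Carries HTTP Referer", "Cobalt Strike SSH Client"],
    "metadata": {"asn": "AS37963", "category": "hosting", "country_code": "CN", "tor": False},
    "raw_data": {"scan": [{"port": 22, "protocol": "TCP"}, {"port": 8443, "protocol": "TCP"}]},
}
# Constructed RIOT record: a common business service, checked before Noise.
RIOT_RECORD = {"ip": "8.8.8.8", "name": "Google Public DNS", "category": "public_dns", "trust_level": "1"}
STALE_DAYS = 90  # assumption: a last_seen older than this is weak evidence

def triage(noise, riot, today):
    """Return (verdict, reasons) for one IP; today is an ISO date string.
    Verdicts: known_service, malicious_scanner, likely_benign, noisy_unknown, no_data."""
    reasons = []
    if riot and riot.get("name"):  # RIOT hit: known service, Noise data is informational
        reasons.append(f"RIOT {riot['name']} ({riot.get('category')}) "
                       f"trust_level={riot.get('trust_level')}")
        return "known_service", reasons
    if not noise or "classification" not in noise:
        return "no_data", ["IP not observed by GreyNoise sensors"]
    cls = noise["classification"]
    reasons.append(f"classification={cls} actor={noise.get('actor', 'unknown')}")
    # spoofable=true: no completed three-way handshake, so the source IP may be forged.
    spoofable = bool(noise.get("spoofable"))
    if spoofable:
        reasons.append("spoofable: no handshake seen, source may be forged")
    # Advanced records carry last_seen_timestamp, Basic records carry last_seen.
    last = date.fromisoformat(noise.get("last_seen_timestamp") or noise["last_seen"])
    stale = (date.fromisoformat(today) - last).days > STALE_DAYS
    if stale:
        reasons.append(f"stale: last seen {last.isoformat()}")
    if noise.get("cve"):
        reasons.append("cve=" + ",".join(noise["cve"]))
    ports = sorted({f"{s['port']}/{s['protocol']}" for s in noise.get("raw_data", {}).get("scan", [])})
    if ports:
        reasons.append("scanned=" + ",".join(ports))
    md = noise.get("metadata", {})
    if md.get("tor") or noise.get("vpn"):
        reasons.append(f"anonymizer: tor={md.get('tor')} vpn={noise.get('vpn')}")
    if cls == "benign":
        return "likely_benign", reasons
    if cls == "malicious" and not spoofable and not stale:
        return "malicious_scanner", reasons
    return "noisy_unknown", reasons
```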
