Data Module: Internet Scanner - Hunt Intelligence Module

Data Dictionary: Internet Scanner - Hunt Intelligence Module Entitlements

This page outlines the fields, and their types, in the IP and Query endpoint responses that customers are entitled to when they purchase the Internet Scanner - Hunt Intelligence Module.

| Field Name | Field Type | Example | Description | Query Sample |
| --- | --- | --- | --- | --- |
| `actor` | string | `unknown` | Confirmed owner or operator of the IP address. | Sample |
| `bot` | boolean | `false` | Indicates whether the IP is associated with known bot activity. | Sample |
| `classification` | string | `unknown` | Classification of the IP address. Possible values: benign, unknown, malicious, suspicious. | Sample |
| `cve` | string list | `["CVE-2025-12345"]` | Provides a list of CVEs the IP has been observed scanning or exploiting. | Sample |
| `first_seen` | date | `2021-11-23` | Date when the IP was first observed on the GreyNoise sensor network (YYYY-MM-DD format). | Sample |
| `ip` | string | `1.2.3.4` | IP address observed on the GreyNoise sensor network. | |
| `last_seen` | date | `2021-12-31` | Date when the IP was most recently observed on the GreyNoise sensor network (YYYY-MM-DD format). | Sample |
| `metadata` | object | `{'asn': 'AS18881', 'city': 'Brasília', 'organization': 'Acme Inc', 'category': 'isp', 'destination_countries': ['Brazil'], 'destination_country_codes': ['BR'], 'mobile': True, 'os': 'Windows XP', 'tor': False, 'rdns': 'scanner.acme.inc', 'region': 'Federal District', 'source_country': 'Brazil', 'source_country_code': 'BR'}` | Additional metadata about the IP address. | |
| `metadata.asn` | string | `AS37963` | ASN (Autonomous System Number) associated with the IP address. | Sample |
| `metadata.category` | string | `hosting` | Category of the IP address such as hosting or ISP. | Sample |
| `metadata.city` | string | `Miami` | City where the IP address is registered or operates. | Sample |
| `metadata.destination_countries` | string list | `['Belarus']` | List of countries where sensors that observed scanning traffic from this IP are located. | Sample |
| `metadata.destination_country_codes` | string list | `['BY']` | List of country codes where sensors that observed scanning traffic from this IP are located. | Sample |
| `metadata.mobile` | boolean | `True` | Defines if the IP is part of a known cellular network. | Sample |
| `metadata.os` | string | `Windows XP` | Operating system associated with the IP address. | Sample |
| `metadata.organization` | string | `FranTech Solutions` | Organization associated with the IP address. | Sample |
| `metadata.rdns` | string | `miamitor4.us` | rDNS (reverse DNS lookup) value for the IP address. | Sample |
| `metadata.region` | string | `Florida` | Region (state or province) where the IP address is registered or operates. | Sample |
| `metadata.sensor_hits` | int | `210` | Number of scanning events observed. | Sample |
| `metadata.sensor_count` | int | `20` | Number of sensors with events observed. | Sample |
| `metadata.source_country` | string | `United States` | Country where the IP address is registered or operates. | Sample |
| `metadata.source_country_code` | string | `US` | Country code of the IP address based on ISO 3166-1 alpha-2. | Sample |
| `metadata.tor` | boolean | `true` | Indicates whether the IP is a known Tor exit node. | Sample |
| `raw_data` | object | `{"hassh": [{"fingerprint": "a7a87fbe86774c2e40cc4a7ea2ab1b3c", "port": 22}], "ja3": [{"fingerprint": "19e29534fd49dd27d09234e639c4057e", "port": 8443}], "scan": [{"port": 22, "protocol": "TCP"}], "web": {"paths": ["/favicon.ico"], "useragents": ["Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"]}}` | Observed activity from the GreyNoise sensor network. | |
| `raw_data.hassh` | object list | `[{"fingerprint": "a7a87fbe86774c2e40cc4a7ea2ab1b3c", "port": 22}]` | Recorded hashing information for SSH activity observed. | |
| `raw_data.hassh.fingerprint` | string | `a7a87fbe86774c2e40cc4a7ea2ab1b3c` | Recorded fingerprint value for SSH activity observed. | Sample |
| `raw_data.hassh.port` | string | `22` | Associated port for SSH activity observed. | Sample |
| `raw_data.ja3` | object list | `[{"fingerprint": "19e29534fd49dd27d09234e639c4057e", "port": 8443}]` | Recorded hashing information for TLS activity observed. | |
| `raw_data.ja3.fingerprint` | string | `19e29534fd49dd27d09234e639c4057e` | Recorded fingerprint value for JA3 activity observed. | Sample |
| `raw_data.ja3.port` | int | `8443` | Associated port for TLS activity observed. | Sample |
| `raw_data.scan` | object list | `[{"port": 22, "protocol": "TCP"}]` | Recorded port and protocol information for scanning activity observed. | |
| `raw_data.scan.port` | int | `22` | Recorded port for scanning activity observed. | Sample |
| `raw_data.scan.protocol` | string | `TCP` | Recorded protocol for scanning activity observed. | Sample |
| `raw_data.web` | object | `{"paths": ["/favicon.ico"], "useragents": ["Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"]}` | Observed scanning activity pertaining to web path and user agents. | |
| `raw_data.web.paths` | string list | `["/favicon.ico"]` | Observed scanning activity traversed this web path. | Sample |
| `raw_data.web.useragents` | string list | `["Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"]` | Observed scanning activity used these user agents. | Sample |
| `seen/noise` | boolean | `true` | Indicates if the IP was observed scanning the GreyNoise sensor network. Also referred to as 'noise'. | |
| `spoofable` | boolean | `false` | Indicates whether the IP completed a three-way handshake with the GreyNoise sensor network. If false, the traffic may be spoofed. | Sample |
| `tags` | string list | `["Carries HTTP Referer", "Cobalt Strike SSH Client", "Follows HTTP Redirects"]` | Tags describing the observed scanning behavior of the IP address. | Sample |
| `vpn` | boolean | `false` | Indicates if the IP is associated with a known VPN service. | Sample |
| `vpn_service` | string | `PIA_VPN` | Name of the VPN service associated with the IP (if applicable). | Sample |