Data Module: Internet Scanner - Hunt Intelligence Module
Data Dictionary: Internet Scanner - Hunt Intelligence Module Entitlements
This page outlines the field types in the IP and Query endpoint responses that customers are entitled to when they purchase the Internet Scanner - Hunt Intelligence Module.
Field Name | Field Type | Example | Description | Query Sample |
---|---|---|---|---|
actor | string | unknown | Confirmed owner or operator of the IP address. | Sample |
bot | boolean | false | Indicates whether the IP is associated with known bot activity. | Sample |
classification | string | unknown | Classification of the IP address. Possible values: benign, unknown, malicious, suspicious. | Sample |
cve | string list | ["CVE-2025-12345"] | Provides a list of CVEs the IP has been observed scanning or exploiting. | Sample |
first_seen | date | 2021-11-23 | Date when the IP was first observed on the GreyNoise sensor network (YYYY-MM-DD format). | Sample |
ip | string | 1.2.3.4 | IP address observed on the GreyNoise sensor network. | |
last_seen | date | 2021-12-31 | Date when the IP was most recently observed on the GreyNoise sensor network (YYYY-MM-DD format). | Sample |
metadata | object | { 'asn': 'AS18881', 'city': 'Brasília', 'organization': 'Acme Inc', 'category': 'isp', 'destination_countries': ['Brazil'], 'destination_country_codes': ['BR'], 'mobile': True, 'os': 'Windows XP', 'tor': False, 'rdns': 'scanner.acme.inc', 'region': 'Federal District', 'source_country': 'Brazil', 'source_country_code': 'BR' } | Additional metadata about the IP address. | |
metadata.asn | string | AS37963 | ASN (Autonomous System Number) associated with the IP address. | Sample |
metadata.category | string | hosting | Category of the IP address such as hosting or ISP. | Sample |
metadata.city | string | Miami | City where the IP address is registered or operates. | Sample |
metadata.destination_countries | string list | ['Belarus'] | List of countries where sensors that observed scanning traffic from this IP are located. | Sample |
metadata.destination_country_codes | string list | ['BY'] | List of country codes where sensors that observed scanning traffic from this IP are located. | Sample |
metadata.mobile | boolean | True | Defines if the IP is part of a known cellular network. | Sample |
metadata.os | string | Windows XP | Operating system associated with the IP address. | Sample |
metadata.organization | string | FranTech Solutions | Organization associated with the IP address. | Sample |
metadata.rdns | string | miamitor4.us | rDNS (reverse DNS lookup) value for the IP address. | Sample |
metadata.region | string | Florida | Region (state or province) where the IP address is registered or operates. | Sample |
metadata.sensor_hits | int | 210 | Number of scanning events observed. | Sample |
metadata.sensor_count | int | 20 | Number of sensors with events observed. | Sample |
metadata.source_country | string | United States | Country where the IP address is registered or operates. | Sample |
metadata.source_country_code | string | US | Country code of the IP address based on ISO 3166-1 alpha-2. | Sample |
metadata.tor | boolean | true | Indicates whether the IP is a known Tor exit node. | Sample |
raw_data | object | { "hassh": [ { "fingerprint": "a7a87fbe86774c2e40cc4a7ea2ab1b3c", "port": 22 } ], "ja3": [ { "fingerprint": "19e29534fd49dd27d09234e639c4057e", "port": 8443 } ], "scan": [ { "port": 22, "protocol": "TCP" } ], "web": { "paths": [ "/favicon.ico" ], "useragents": [ "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" ] } } | Observed activity from the GreyNoise sensor network. | |
raw_data.hassh | object list | [ { "fingerprint": "a7a87fbe86774c2e40cc4a7ea2ab1b3c", "port": 22 } ] | Recorded hashing information for SSH activity observed. | |
raw_data.hassh.fingerprint | string | a7a87fbe86774c2e40cc4a7ea2ab1b3c | Recorded fingerprint value for SSH activity observed. | Sample |
raw_data.hassh.port | string | 22 | Associated port for SSH activity observed. | Sample |
raw_data.ja3 | object list | [ { "fingerprint": "19e29534fd49dd27d09234e639c4057e", "port": 8443 } ] | Recorded hashing information for TLS activity observed. | |
raw_data.ja3.fingerprint | string | 19e29534fd49dd27d09234e639c4057e | Recorded fingerprint value for JA3 activity observed. | Sample |
raw_data.ja3.port | int | 8443 | Associated port for TLS activity observed. | Sample |
raw_data.scan | object list | [ { "port": 22, "protocol": "TCP" } ] | Recorded port and protocol information for scanning activity observed. | |
raw_data.scan.port | int | 22 | Recorded port for scanning activity observed. | Sample |
raw_data.scan.protocol | string | TCP | Recorded protocol for scanning activity observed. | Sample |
raw_data.web | object | { "paths": [ "/favicon.ico" ], "useragents": [ "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" ] } | Observed scanning activity pertaining to web path and user agents. | |
raw_data.web.paths | string list | [ "/favicon.ico" ] | Observed scanning activity traversed this web path. | Sample |
raw_data.web.useragents | string list | [ "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" ] | Observed scanning activity used these user agents. | Sample |
seen/noise | boolean | true | Indicates if the IP was observed scanning the GreyNoise sensor network. Also referred to as 'noise'. | |
spoofable | boolean | false | Indicates whether the IP completed a three-way handshake with the GreyNoise sensor network. If false, the traffic may be spoofed. | Sample |
tags | string list | [ "Carries HTTP Referer", "Cobalt Strike SSH Client", "Follows HTTP Redirects" ] | Tags describing the observed scanning behavior of the IP address. | Sample |
vpn | boolean | false | Indicates if the IP is associated with a known VPN service. | Sample |
vpn_service | string | PIA_VPN | Name of the VPN service associated with the IP (if applicable). | Sample |