Data Module: Internet Scanner - Triage Intelligence Module

Data Dictionary: Internet Scanner - Triage Intelligence Module Entitlements

This outlines the field types associated with the IP and Query endpoint responses that are entitled based on purchasing the Internet Scanner - Triage Intelligence Module.

Field Name	Field Type	Example	Description	Query Sample
actor	string	unknown	Confirmed owner or operator of the IP address.	Sample
bot	boolean	false	Indicates whether the IP is associated with known bot activity.	Sample
classification	string	unknown	Classification of the IP address. Possible values: benign, unknown, malicious, suspicious.	Sample
ip	string	1.2.3.4	IP address observed on the GreyNoise sensor network.
last_seen	date	2021-12-31	Date when the IP was most recently observed on the GreyNoise sensor network (YYYY-MM-DD format).	Sample
metadata	object	{ 'asn': 'AS18881', 'city': 'Brasília', 'organization': 'Acme Inc', 'category': 'isp', 'mobile': True, 'tor': False, 'rdns': 'scanner.acme.inc', 'region': 'Federal District', 'source_country': 'Brazil', 'source_country_code': 'BR' }	Additional metadata about the IP address.
metadata.asn	string	AS37963	ASN (Autonomous System Number) associated with the IP address.	Sample
metadata.category	string	hosting	Category of the IP address such as hosting or ISP.	Sample
metadata.city	string	Miami	City where the IP address is registered or operates.	Sample
metadata.mobile	boolean	true	Defines if the IP is part of a known cellular network.	Sample
metadata.organization	string	FranTech Solutions	Organization associated with the IP address.	Sample
metadata.source_country	string	United States	Country where the IP address is registered or operates.	Sample
metadata.source_country_code	string	US	Country code of the IP address based on ISO 3166-1 alpha-2.	Sample
metadata.rdns	string	miamitor4.us	rDNS (reverse DNS lookup) value for the IP address.	Sample
metadata.region	string	Florida	Region (state or province) where the IP address is registered or operates.	Sample
metadata.tor	boolean	true	Indicates whether the IP is a known Tor exit node.	Sample
seen/noise	boolean	true	Indicates if the IP was observed scanning the GreyNoise sensor network. Also referred to as 'noise'.
spoofable	boolean	false	Indicates whether the IP completed a three-way handshake with the GreyNoise sensor network. If false, the traffic may be spoofed.	Sample
tags	string list	[ "Carries HTTP Referer", "Cobalt Strike SSH Client", "Follows HTTP Redirects" ][ "Carries HTTP Referer", "Cobalt Strike SSH Client", "Follows HTTP Redirects" ]	Tags describing the observed scanning behavior of the IP address.	Sample
vpn	boolean	false	Indicates if the IP is associated with a known VPN service.	Sample
vpn_service	string	PIA_VPN	Name of the VPN service associated with the IP (if applicable).	Sample