Tag Trends - Anomalies

Tag Trends - Anomalies

What are tag anomalies? - GreyNoise classifies a tag as an anomaly when our sensors observe a sudden peak in the number of IPs transmitting traffic within a 10-day period. The list is sorted in descending order of the Score value and displays the top ten tags.

Each tag card in the list contains:

  • Tag Name
  • Tag Category
  • Tag Intent (Benign, Unknown, or Malicious)
  • Associated CVEs
  • Score - A ranking score derived from historical averages and peak detection

How Anomalies Detection Works

Detecting trends and anomalies is about finding deviation from previous behavior, particularly in a positive direction.


Detecting an anomaly (as seen immediately above) is somewhat trickier than a trend, as we’re not interested in alerting on every recent anomaly. We have to find a single recent peak, and preferably the highest.

We do so with two algorithms: First, we use a moving window to determine which sample(s) have the largest (positive) deviation from the average value for that window.

Second, we check for a change in slope, as a peak signifies a change from increasing to decreasing behavior.

Between the two algorithms, we can find peaks reliably, accurately, and precisely. The peak values are then subjected to the percent change formula so that we can compare anomalies and trends for each tag:

(Peak Height - long term avg.)/long term avg.


Ranking the output of these algorithms, we present the tags that have the largest recent increase in trend as well as the tallest recent peak, both relative to previous average behavior.

What do I do with Anomalies Tags?

  • Verify peaks in an activity that may have appeared as groupings of alerts in a SIEM or logging platform.
  • Find out if you're the only one observing erratic scanning or exploitation activity or if it's happening worldwide.
  • Determine what days a benign scanner does its scanning
  • Show historical scanning behaviors