GreyNoise Trends

GreyNoise Trends

What is GreyNoise Trends?

The GreyNoise Trends feature takes the lens that GreyNoise uses to view internet-wide scanning and focuses on the exploit, activity, or tool associated with a GreyNoise Tag.

GreyNoise Tags are essentially a signature-based detection method. Tags cover five primary categories: Activity, Tool, Actor, Search Engine, or Worm. Think of tags like network signatures, but with additional context such as tag intent, category, and related CVEs. GreyNoise continues to add tags to cover activities such as new vulnerabilities or CVEs, updates to scan or crawl behaviors, or releases of malicious tools.

The GreyNoise Trends feature allows a user to view GreyNoise data as it relates to a specific tag. The GreyNoise Trends page for a specific tag can be reached by clicking a tag name on an IP Details page or the Tags library.

Navigation from IP Details PageNavigation from IP Details Page

Navigation from IP Details Page

Navigation from Tags LibraryNavigation from Tags Library

Navigation from Tags Library

The GreyNoise Trends page for a Tag is broken up into a few different sections. The topmost section includes:

  • Tag Name - This is the name that GreyNoise has assigned for this signature
  • Tag Metadata - This includes the tag intent (benign, unknown, or malicious), the Tag Category, and a short description of the tag
  • Related CVEs - If applicable, the CVEs associated with the tag
Tag Metadata SectionTag Metadata Section

Tag Metadata Section

Below the metadata section, a trends graph and timeline are included:

  • The trends graph shows a 3, 10, or 30 day graph of the unique IPs scanning for this activity. If hovered over, the unique IP counts are shown for each data point.
  • The timeline includes the sequence of recorded events that GreyNoise has identify as associated with this activity.
Graph and Timeline SectionGraph and Timeline Section

Graph and Timeline Section

Along the right-hand side of the tag, four additional sections are provided:

View tagged IPsView tagged IPs

View tagged IPs

  • View tagged IPs: This link navigates to the GNQL results for the tag
ActionsActions

Actions

  • Actions: Provides the ability to access IP lists associated with this tag for two use cases
    • For Manual Usage: Download a list of IPs in JSON, CSV or TXT format
    • For Automated Usage: Get a dynamically updated URL to use in firewall blocking

🚧

Upcoming Change to Block List URLs

At the initial launch of this feature, the Block List URLs will not require authentication to use. Once this feature moves out of BETA, an authorization mechanism will be put in place to use this feature and will require updates to existing usage of the URLs. We intend to make this transition as frictionless as possible and continue to offer the capability to our Community users.

Related TagsRelated Tags

Related Tags

  • Related Tags: Provides a list of other GreyNoise Tags that are related to the current tag. This is often useful when tags exist for different levels of an exploit, such as a vuln check versus an actual exploit attempt.
ReferencesReferences

References

  • References: Provides a list of external references used to generate the signatures for this tag.

Did this page help you?