Intelligence Module - C2 Detection
Data Dictionary: Intelligence Module - C2 Detections - Entitlements
This outlines the field types associated with the IP endpoint responses to which you are entitled if you purchase the C2 Detection Intelligence Module.
Last Updated: 2026-06-15

| Field Name | Field Type | Example | Description |
|---|---|---|---|
| ip | string | 198.51.100.42 | The queried IP address. |
| source_workspaces | array[string] | ["GreyNoise", "Personal"] | The workspaces from which this IP was observed or enriched. |
| is_stage_1 | boolean | true | Indicates whether the IP has been observed in Stage 1 activity (initial reconnaissance or scanning). |
| is_stage_2 | boolean | true | Indicates whether the IP has been observed in Stage 2 activity (exploitation or post-exploitation behavior). |
| is_riot | boolean | true | Indicates whether the IP belongs to a known business service (BSI). |
| riot_trust_level | integer | 0 | Trust level assigned to the IP via the BSI dataset. |
| first_seen | datetime | 2025-03-01T00:00:00Z | The earliest date and time this IP was observed by GreyNoise (ISO 8601 UTC). |
| last_seen | datetime | 2025-03-15T12:30:00Z | The most recent date and time this IP was observed by GreyNoise (ISO 8601 UTC). |
| scanner_ips | array[string] | ["203.0.113.7", "192.0.2.99"] | List of IP addresses observed scanning this host. |
| scanner_count | integer | 5 | Total number of distinct scanner IPs observed targeting this host. |
| file_count | integer | 3 | Total number of malicious files associated with this IP. |
| active_files | array[object] | (see nested fields below) | List of active malicious files associated with this IP, including hash values and threat metadata. |
| active_files[].sha256 | string | e3b0c44298fc1c149afbf4c8996fb924... | SHA-256 hash of the associated file. |
| active_files[].md5 | string | string | MD5 hash of the associated file. |
| active_files[].sha1 | string | string | SHA-1 hash of the associated file. |
| active_files[].threat_name | string | Trojan.GenericKD.46542 | The threat or malware family name as identified by antivirus engines. |
| active_files[].vt_detection_count | integer | 42 | Number of VirusTotal antivirus engines that flagged this file as malicious. |
| active_files[].vt_engine_count | integer | 71 | Total number of VirusTotal antivirus engines that scanned this file. |
| active_files[].file_name | string | payload.bin | Original or observed filename of the associated file. |
| active_files[].size | integer | 24576 | File size in bytes. |
| active_files[].type | string | application/x-executable | MIME type of the file. |
| enrichment | object | (see nested fields below) | Geolocation and network enrichment data for the IP address. |
| enrichment.asn | string | AS4837 | Autonomous System Number (ASN) associated with the IP. |
| enrichment.org | string | CHINA UNICOM China169 Backbone | Organization or ISP name associated with the ASN. |
| enrichment.city | string | Qingdao | City where the IP is geographically located. |
| enrichment.region | string | Shandong | Region or state where the IP is geographically located. |
| enrichment.country | string | China | Country where the IP is geographically located. |
| enrichment.country_code | string | CN | ISO 3166-1 alpha-2 country code for the IP's location. |
| enrichment.latitude | float | 36.0649 | Latitude coordinate of the IP's geolocation. |
| enrichment.longitude | float | 120.3804 | Longitude coordinate of the IP's geolocation. |
| enrichment.is_tor | boolean | true | Indicates whether the IP is associated with a Tor exit node. |
| enrichment.route | string | 119.176.0.0/12 | BGP route (CIDR block) associated with the IP. |
| enrichment.type | string | isp | Network type classification (e.g., isp, hosting, education, business). |
| enrichment.domain | string | chinaunicom.cn | Domain associated with the IP's organization or ASN. |
| enrichment.rdns | string | string | Reverse DNS (PTR record) for the IP address, if available. |
