Intelligence Module - Hunt
Data Dictionary: Intelligence Module - Hunt - Entitlements
This outlines the field types associated with the IP and Query endpoint responses that are entitled based on purchasing the Hunt Intelligence Module.
Last Updated: 2025-10-08
Field Name | Field Type | Example | Description | Query Sample |
---|---|---|---|---|
actor | string | unknown | Confirmed owner or operator of the IP address. | |
bot | boolean | false | Indicates whether the IP is associated with known bot activity. | |
classification | string | unknown | Classification of the IP address. Possible values: benign, unknown, malicious, suspicious. | |
cve | string list | | Provides a list of CVEs the IP has been observed scanning or exploiting. | |
first_seen | date | 2021-11-23 | Date when the IP was first observed on the GreyNoise sensor network (YYYY-MM-DD format). | |
ip | string | 1.2.3.4 | IP address observed on the GreyNoise sensor network. | |
last_seen | date | 2021-12-31 | Date when the IP was most recently observed on the GreyNoise sensor network (YYYY-MM-DD format). | |
last_seen_timestamp | string | 2021-12-31 05:32:53 | Date + Time when the IP was most recently observed on the GreyNoise sensor network (YYYY-MM-DD format). | |
metadata | object | | Additional metadata about the IP address. Items not included in this module will be empty. | |
metadata.asn | string | AS37963 | ASN (Autonomous System Number) associated with the IP address. | |
metadata.category | string | hosting | Category of the IP address such as hosting or ISP. | |
metadata.destination_asns | string list | | List of ASNs associated with sensors that observed scanning traffic from this IP. | |
metadata.destination_cities | string list | | List of cities where sensors that observed scanning traffic from this IP are located. | |
metadata.destination_countries | string list | | List of countries where sensors that observed scanning traffic from this IP are located. | |
metadata.destination_country_codes | string list | | List of country codes where sensors that observed scanning traffic from this IP are located. | |
metadata.domain | string | lionlink.net | Domain associated with the IP ASN owner. | |
metadata.mobile | boolean | true | Defines if the IP is part of a known cellular network. | |
metadata.organization | string | FranTech Solutions | Organization associated with the IP address. | |
metadata.os | string | Windows XP | Operating system associated with the IP address. | |
metadata.rdns | string | miamitor4.us | rDNS (reverse DNS lookup) value for the IP address. | |
metadata.rdns_parent | string | acme.lcl | Parent domain associated with the rDNS value. | |
metadata.region | string | Florida | Region (state or province) where the IP address is registered or operates. | |
metadata.single_destination | boolean | True | Indicates that the IP only scanned a single destination country. | |
metadata.sensor_counts | integer | 3 | Number of distinct sensors that observed scanning from this IP. | |
metadata.sensor_hits | integer | 20 | Number of recorded events on all sensors from this IP. | |
metadata.source_city | string | Miami | City where the IP address is registered or operates. | |
metadata.source_country | string | United States | Country where the IP address is registered or operates. | |
metadata.source_country_code | string | US | Country code of the IP address based on ISO 3166-1 alpha-2. | |
raw_data | object | | Observed activity from the GreyNoise sensor network. Values not included in this module will be empty. | |
raw_data.hassh | object list | | Recorded hashing information for SSH activity observed. | |
raw_data.hassh.fingerprint | string | a7a87fbe86774c2e40cc4a7ea2ab1b3c | Recorded fingerprint value for SSH activity observed. | |
raw_data.hassh.port | string | 22 | Associated port for SSH activity observed. | |
raw_data.http | object | | | |
raw_data.http.md5 | string list | | | |
raw_data.http.cookie_keys | string list | | | |
raw_data.http.request_authorization | string list | | | |
raw_data.http.request_cookies | string list | | | |
raw_data.http.request_header | string list | | | |
raw_data.http.method | string list | | | |
raw_data.http.path | string list | | Observed scanning activity traversed this web path. | |
raw_data.http.request_origin | | | | |
raw_data.http.useragent | string list | | Observed scanning activity used these user agents. | |
raw_data.ja3 | object list | | Recorded hashing information for TLS activity observed. | |
raw_data.ja3.fingerprint | string | 19e29534fd49dd27d09234e639c4057e | Recorded fingerprint value for JA3 activity observed. | |
raw_data.ja3.port | int | 8443 | Associated port for TLS activity observed. | |
raw_data.scan | object list | | Recorded port and protocol information for scanning activity observed. | |
raw_data.scan.port | int | 22 | Recorded port for scanning activity observed. | |
raw_data.scan.protocol | string | TCP | Recorded protocol for scanning activity observed. | |
raw_data.source.bytes | int | 2224 | | |
raw_data.ssh.key | string list | | | |
raw_data.tls.cipher | string list | | | |
raw_data.tls.ja4 | string list | | | |
spoofable | boolean | false | Indicates whether the IP completed a three-way handshake with the GreyNoise sensor network. If true, the traffic may be spoofed. | |
tags | object list | | List of tags associated with this IP and the tags' details. | |
tags.category | string | activity | Category type for the identified tag. | |
tags.created_at | date | 2020-04-07 | Date the tag was added to GreyNoise. | |
tags.cves | string list | | Any CVEs associated with the behavior detected by the tag. | |
tags.description | string | This is a tag description. | A brief description of what the tag identifies. | |
tags.id | string | feb92353-4264-44ce-8f7d-8ddae93719da | The unique id given to the tag. | |
tags.intention | string | malicious | The identified intention of the activity detected by this tag. | |
tags.name | string | CGI Script Scanner | The name of the tag. | |
tags.recommended_block | boolean | false | Indicates if IPs associated with this tag should be blocked. | |
tags.references | string list | | A list of references used to create this tag. | |
tags.slug | string | cgi-script-scanner | The slug associated with the tag. | |
tags.updated_at | date | 2025-05-14T04:12:40.778197Z | The last time this tag was updated or modified. | |
tor | boolean | true | Indicates whether the IP is a known Tor exit node. | |
vpn | boolean | false | Indicates if the IP is associated with a known VPN service. | |
vpn_service | string | PIA_VPN | Name of the VPN service associated with the IP (if applicable). |
These additional fields are available through the CVE API:
Field Name | Field Type | Example | Description |
---|---|---|---|
id | string | CVE-2024-12345 | The CVE ID. |
details | object | { "vulnerability_name": "Acme Inc Exploit Attempt", "vulnerability_description": "Potentially allowing Acme Inc to exploit anvil drop on new users.", "cve_cvss_score": 4.5, "product": "Acme Inc", "vendor": "Anvil Drop", "published_to_nist_nvd": true } | Basic CVE details, including CVSS score (Common Vulnerability Scoring System), associated products & vendors, and NIST CVE recognition status. |
details.vulnerability_name | string | Acme Inc Exploit Attempt | Name of the vulnerability. |
details.vulnerability_description | string | Potentially allowing Acme Inc to exploit anvil drop on new users. | Description of the vulnerability. |
details.cve_cvss_score | float | 4.5 | Current CVSS score (Common Vulnerability Scoring System). |
details.product | string | Acme Inc | Product(s) associated with the CVE. |
details.vendor | string | Anvil Drop | Vendor(s) associated with the CVE. |
details.published_to_nist_nvd | boolean | true | Whether this CVE is recognized by NIST. |
timeline | object | { "cve_published_date": "2024-05-28T19:15:10.060", "cve_last_updated_date": "2024-05-31T16:04:09.703", "first_known_published_date": "2024-05-27T00:00:00Z", "cisa_kev_date_added": "2024-05-30T00:00:00Z" } | Key timeline details about when the CVE was published, updated, and added to CISA (https://www.cisa.gov/known-exploited-vulnerabilities-catalog). |
timeline.cve_published_date | datetime | 2024-05-28T19:15:10.060 | Date when the CVE was published by NVD. |
timeline.cve_last_updated_date | datetime | 2024-05-31T16:04:09.703 | Date when the CVE record was last updated. |
timeline.first_known_published_date | datetime | 2024-05-27T00:00:00Z | Date when the first exploit associated with the CVE was published. |
timeline.cisa_kev_date_added | datetime | 2024-05-30T00:00:00Z | Date CISA (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) added a KEV (Known Exploited Vulnerability) entry associated with the CVE. |
exploitation_details | object | { "attack_vector": "NETWORK", "exploit_found": true, "exploitation_registered_in_kev": true, "epss_score": 0.94504 } | Exploitation-related details pertaining to attack vector category, EPSS score (Exploit Prediction Scoring System), available exploits, and KEV (Known Exploited Vulnerabilities) registration. |
exploitation_details.attack_vector | string | NETWORK | Attack vector category. |
exploitation_details.exploit_found | boolean | true | Whether any known exploits are available. |
exploitation_details.exploitation_registered_in_kev | boolean | true | Whether exploitation has been registered in the KEV (Known Exploited Vulnerabilities) database. |
exploitation_details.epss_score | float | 0.94504 | EPSS score (Exploit Prediction Scoring System) associated with the exploitation. |
exploitation_stats | object | { "number_of_available_exploits": 60, "number_of_threat_actors_exploiting_vulnerability": 1, "number_of_botnets_exploiting_vulnerability": 0 } | Statistical data about exploitation, including number of exploits available, and number of threat actors and botnets exploiting the vulnerability. |
exploitation_stats.number_of_available_exploits | integer | 60 | Total number of exploits available (public + commercial). |
exploitation_stats.number_of_threat_actors_exploiting_vulnerability | integer | 1 | Total number of known threat actors exploiting the vulnerability. |
exploitation_stats.number_of_botnets_exploiting_vulnerability | integer | 0 | Total number of botnets exploiting the vulnerability. |
exploitation_activity | object | { "activity_seen": true, "benign_ip_count_1d": 765, "benign_ip_count_10d": 765, "benign_ip_count_30d": 765, "threat_ip_count_1d": 0, "threat_ip_count_10d": 1, "threat_ip_count_30d": 14 } | Observed IPs scanning or exploiting the vulnerability today, in the last 10 days, and the last 30 days. |
exploitation_activity.activity_seen | boolean | true | Whether GreyNoise has observed activity related to this CVE. |
exploitation_activity.benign_ip_count_1d | integer | 765 | Total number of benign IPs GreyNoise observed scanning or exploiting this vulnerability today. |
exploitation_activity.benign_ip_count_10d | integer | 765 | Total number of benign IPs GreyNoise observed scanning or exploiting this vulnerability in the last 10 days. |
exploitation_activity.benign_ip_count_30d | integer | 765 | Total number of benign IPs GreyNoise observed scanning or exploiting this vulnerability in the last 30 days. |
exploitation_activity.threat_ip_count_1d | integer | 0 | Total number of threat IPs GreyNoise observed scanning or exploiting this vulnerability today. |
exploitation_activity.threat_ip_count_10d | integer | 1 | Total number of threat IPs GreyNoise observed scanning or exploiting this vulnerability in the last 10 days. |
exploitation_activity.threat_ip_count_30d | integer | 14 | Total number of threat IPs GreyNoise observed scanning or exploiting this vulnerability in the last 30 days. |