Intelligence Module - Hunt

Data Dictionary: Intelligence Module - Hunt - Entitlements

This data dictionary outlines the fields in the IP and Query endpoint responses that are available with an entitlement to the Hunt Intelligence Module.

Field Name

Field Type

Example

Description

Query Sample

actor

string

unknown

Confirmed owner or operator of the IP address.

Sample

bot

boolean

false

Indicates whether the IP is associated with known bot activity.

Sample

classification

string

unknown

Classification of the IP address. Possible values: benign, unknown, malicious, suspicious.

Sample

cve

string list

["CVE-2025-12345"]

Provides a list of CVEs the IP has been observed scanning or exploiting.

Sample

first_seen

date

2021-11-23

Date when the IP was first observed on the GreyNoise sensor network (YYYY-MM-DD format).

Sample

ip

string

1.2.3.4

IP address observed on the GreyNoise sensor network.

last_seen

date

2021-12-31

Date when the IP was most recently observed on the GreyNoise sensor network (YYYY-MM-DD format).

Sample

last_seen_timestamp

string

2021-12-31 05:32:53

Date and time when the IP was most recently observed on the GreyNoise sensor network (YYYY-MM-DD HH:MM:SS format).

metadata

object

{
"asn": "AS51747",
"category": "hosting",
"destination_asns": [
"AS20473",
"AS44477"
],
"destination_cities": [
"Hong Kong",
"Elk Grove Village",
"Haarlem"
],
"destination_countries": [
"Hong Kong",
"Netherlands",
"United States"
],
"destination_country_codes": [
"HK",
"NL",
"US"
],
"domain": "internetvikings.com",
"latitude": 59.3294,
"longitude": 18.0687,
"mobile": false,
"organization": "Internet Vikings International AB",
"os": "",
"rdns": "",
"rdns_parent": "",
"region": "Stockholm",
"sensor_count": 3,
"sensor_hits": 20,
"single_destination": false,
"source_city": "Stockholm",
"source_country": "Sweden",
"source_country_code": "SE"
}

Additional metadata about the IP address. Items not included in this module will be empty.

metadata.asn

string

AS37963

ASN (Autonomous System Number) associated with the IP address.

Sample

metadata.category

string

hosting

Category of the IP address such as hosting or ISP.

Sample

metadata.destination_asns

string list

[
"AS20473",
"AS44477"
]

List of ASNs associated with sensors that observed scanning traffic from this IP.

metadata.destination_cities

string list

[
"Hong Kong",
"Elk Grove Village",
"Haarlem"
]

List of cities where sensors that observed scanning traffic from this IP are located.

metadata.destination_countries

string list

['Belarus']

List of countries where sensors that observed scanning traffic from this IP are located.

Sample

metadata.destination_country_codes

string list

['BY']

List of country codes where sensors that observed scanning traffic from this IP are located.

Sample

metadata.domain

string

lionlink.net

Domain associated with the IP ASN owner.

Sample

metadata.mobile

boolean

true

Defines if the IP is part of a known cellular network.

Sample

metadata.organization

string

FranTech Solutions

Organization associated with the IP address.

Sample

metadata.os

string

Windows XP

Operating system associated with the IP address.

Sample

metadata.rdns

string

miamitor4.us

rDNS (reverse DNS lookup) value for the IP address.

Sample

metadata.rdns_parent

string

acme.lcl

Parent domain associated with the rDNS value.

Sample

metadata.region

string

Florida

Region (state or province) where the IP address is registered or operates.

Sample

metadata.single_destination

boolean

true

Indicates that the IP only scanned a single destination country.

Sample

metadata.sensor_counts

integer

3

Number of distinct sensors that observed scanning from this IP.

metadata.sensor_hits

integer

20

Number of recorded events on all sensors from this IP.

metadata.source_city

string

Miami

City where the IP address is registered or operates.

Sample

metadata.source_country

string

United States

Country where the IP address is registered or operates.

Sample

metadata.source_country_code

string

US

Country code of the IP address based on ISO 3166-1 alpha-2.

Sample

raw_data

object

{
  "hassh": [
    {
      "fingerprint": "acaa53e0a7d7ac7d1255103f37901306",
      "port": 2222
    }
  ],
  "http": {
    "md5": [
      "690e440f039d37e8098f20406f460c11"
    ],
    "cookie_keys": [
      "T",
      "ssiddcsession_ref"
    ],
    "request_authorization": [
      "Digest username=\"dslf-config\", realm=\"HuaweiHomeGateway\", nonce=\"88645cefb1f9ede0e336e3569d75ee30\", uri=\"/ctrlt/DeviceUpgrade_1\", response=\"3612f843a42db38f48f59d2a3597e19c\", algorithm=\"MD5\", qop=\"auth\", nc=00000001, cnonce=\"248d1a2560100669\""
    ],
    "request_cookies": [
      "T=bozH7ydpNM81XU0zFLF4FDrSrp2v/1yRS1QFryl9hYaUbLwLcTBP6DEVdfIF7wqpkDxnvY5b8pj+wtEVhMM1dXepjVgqewc9XKjcw0hGPn5L7Ck4iQtpcoMpUGT96Z0kKULQkmAFrMuWA8CeLrWND1ljHQgcxYJ2eqJ9ciU/Lw8wlqrnfrzQVXBwWWZQW6gROiCY99M3+HnqiKKe2bZMQ+tT4hujUbMZyDQG+8P/pJvjot0+eTN8ITg="
    ],
    "request_header": [
      "user-agent",
      "accept-language"
    ],
    "method": [
      "GET"
    ],
    "path": [
      "/robots.txt",
      "/"
    ],
    "request_origin": [
      "2a03:2880:f800:a::",
      "216.244.66.199"
    ],
    "useragent": [
      "Mozilla/5.0 (Android 14; Mobile; rv:123.0) Gecko/123.0 Firefox/123",
      "Mozilla/5.0 (Linux; Android 14; SM-S901B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.280 Mobile Safari/537.36 OPR/80.4.4244.7786"
    ]
  },
  "ja3": [],
  "scan": [
    {
      "port": 80,
      "protocol": "tcp"
    }
  ],
  "source": {
    "bytes": 2224
  },
  "ssh": {
    "key": []
  },
  "tls": {
    "cipher": [],
    "ja4": []
  }
}

Observed activity from the GreyNoise sensor network. Values not included in this module will be empty.

raw_data.hassh

object list

"hassh": [
    {
      "fingerprint": "acaa53e0a7d7ac7d1255103f37901306",
      "port": 2222
    }
  ]

Recorded hashing information for SSH activity observed.

raw_data.hassh.fingerprint

string

a7a87fbe86774c2e40cc4a7ea2ab1b3c

Recorded fingerprint value for SSH activity observed.

Sample

raw_data.hassh.port

string

22

Associated port for SSH activity observed.

Sample

raw_data.http

object

"http": {
    "md5": [
      "690e440f039d37e8098f20406f460c11"
    ],
    "cookie_keys": [
      "T",
      "ssiddcsession_ref"
    ],
    "request_authorization": [
      "Digest username=\"dslf-config\", realm=\"HuaweiHomeGateway\", nonce=\"88645cefb1f9ede0e336e3569d75ee30\", uri=\"/ctrlt/DeviceUpgrade_1\", response=\"3612f843a42db38f48f59d2a3597e19c\", algorithm=\"MD5\", qop=\"auth\", nc=00000001, cnonce=\"248d1a2560100669\""
    ],
    "request_cookies": [
      "T=bozH7ydpNM81XU0zFLF4FDrSrp2v/1yRS1QFryl9hYaUbLwLcTBP6DEVdfIF7wqpkDxnvY5b8pj+wtEVhMM1dXepjVgqewc9XKjcw0hGPn5L7Ck4iQtpcoMpUGT96Z0kKULQkmAFrMuWA8CeLrWND1ljHQgcxYJ2eqJ9ciU/Lw8wlqrnfrzQVXBwWWZQW6gROiCY99M3+HnqiKKe2bZMQ+tT4hujUbMZyDQG+8P/pJvjot0+eTN8ITg="
    ],
    "request_header": [
      "user-agent",
      "accept-language"
    ],
    "method": [
      "GET"
    ],
    "path": [
      "/robots.txt",
      "/"
    ],
    "request_origin": [
      "2a03:2880:f800:a::",
      "216.244.66.199"
    ],
    "useragent": [
      "Mozilla/5.0 (Android 14; Mobile; rv:123.0) Gecko/123.0 Firefox/123",
      "Mozilla/5.0 (Linux; Android 14; SM-S901B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.280 Mobile Safari/537.36 OPR/80.4.4244.7786"
    ]
  }

raw_data.http.md5

string list

[
	"690e440f039d37e8098f20406f460c11"
]

raw_data.http.cookie_keys

string list

[
  "T",
  "ssiddcsession_ref"
]

raw_data.http.request_authorization

string list

[
	"Digest username=\"dslf-config\", realm=\"HuaweiHomeGateway\", nonce=\"88645cefb1f9ede0e336e3569d75ee30\", uri=\"/ctrlt/DeviceUpgrade_1\", response=\"3612f843a42db38f48f59d2a3597e19c\", algorithm=\"MD5\", qop=\"auth\", nc=00000001, cnonce=\"248d1a2560100669\""
    ]

raw_data.http.request_cookies

string list

[
	"T=bozH7ydpNM81XU0zFLF4FDrSrp2v/1yRS1QFryl9hYaUbLwLcTBP6DEVdfIF7wqpkDxnvY5b8pj+wtEVhMM1dXepjVgqewc9XKjcw0hGPn5L7Ck4iQtpcoMpUGT96Z0kKULQkmAFrMuWA8CeLrWND1ljHQgcxYJ2eqJ9ciU/Lw8wlqrnfrzQVXBwWWZQW6gROiCY99M3+HnqiKKe2bZMQ+tT4hujUbMZyDQG+8P/pJvjot0+eTN8ITg="
]

raw_data.http.request_header

string list

[
  "user-agent",
  "accept-language"
]

raw_data.http.method

string list

[
	"GET"
]

raw_data.http.path

string list

[
	"/favicon.ico"
]

Observed scanning activity traversed this web path.

Sample

raw_data.http.request_origin

[
  "2a03:2880:f800:a::",
  "216.244.66.199"
]

raw_data.http.useragent

string list

[
	"Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
]

Observed scanning activity used these user agents.

Sample

raw_data.ja3

object list

[
{
"fingerprint": "19e29534fd49dd27d09234e639c4057e",
"port": 8443
}
]

Recorded hashing information for TLS activity observed.

raw_data.ja3.fingerprint

string

19e29534fd49dd27d09234e639c4057e

Recorded fingerprint value for JA3 activity observed.

Sample

raw_data.ja3.port

int

8443

Associated port for TLS activity observed.

Sample

raw_data.scan

object list

[
{
"port": 22,
"protocol": "TCP"
}
]

Recorded port and protocol information for scanning activity observed.

raw_data.scan.port

int

22

Recorded port for scanning activity observed.

Sample

raw_data.scan.protocol

string

TCP

Recorded protocol for scanning activity observed.

Sample

raw_data.source.bytes

int

2224

raw_data.ssh.key

string list

[
     	"AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL1myjWMrndjPuBmq6/VoA56UnDtVw/ViMZQkYYsMbIthGyK6Cg+fMQiVWEx3Va6HTtoveVm9v8nX+EsD5+y90o="
]

raw_data.tls.cipher

string list

[
	"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
	"TLS_AES_128_GCM_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
]

spoofable

boolean

false

Indicates whether the IP completed a three-way handshake with the GreyNoise sensor network. If false, the traffic may be spoofed.

Sample

tags

object list

[
{
"category": "activity",
"created": "2020-04-07",
"cves": [],
"description": "IP addresses with this tag have been observed scanning the Internet for CGI scripts.",
"id": "feb92353-4264-44ce-8f7d-8ddae93719da",
"intention": "malicious",
"name": "CGI Script Scanner",
"recommend_block": false,
"references": [
"https://en.wikipedia.org/wiki/Common_Gateway_Interface"
],
"slug": "cgi-script-scanner",
"updated_at": "2025-05-14T04:12:40.778197Z"
}
]

List of tags associated with this IP, along with each tag's details.

Sample

tags.category

string

activity

Category type for the identified tag.

tags.created_at

date

2020-04-07

Date the tag was added to GreyNoise.

tags.cves

string list

["CVE-1992-2342"]

Any CVEs associated with the behavior detected by the tag.

tags.description

string

This is a tag description.

A brief description of what the tag identifies.

tags.id

string

feb92353-4264-44ce-8f7d-8ddae93719da

The unique id given to the tag.

tags.intention

string

malicious

The identified intention of the activity detected by this tag.

tags.name

string

CGI Script Scanner

The name of the tag.

tags.recommended_block

boolean

false

Indicates if IPs associated with this tag should be blocked.

tags.references

string list

[
"https://en.wikipedia.org/wiki/Common_Gateway_Interface"
]

A list of references used to create this tag.

tags.slug

string

cgi-script-scanner

The slug associated with the tag.

tags.updated_at

date

2025-05-14T04:12:40.778197Z

The last time this tag was updated or modified.

tor

boolean

true

Indicates whether the IP is a known Tor exit node.

Sample

vpn

boolean

false

Indicates if the IP is associated with a known VPN service.

Sample

vpn_service

string

PIA_VPN

Name of the VPN service associated with the IP (if applicable).

Sample
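
An added example, not part of the GreyNoise documentation: one way to check a response record against the types in this dictionary and flatten it for hunting queries. The function names and the `SAMPLE` record are constructed here; the sample reuses example values from the table, and treating the three date fields as required is an assumption of this sketch.

```python
from datetime import date, datetime

# Values the dictionary lists for `classification`.
CLASSIFICATIONS = {"benign", "unknown", "malicious", "suspicious"}

def pairs(raw, key):
    """(fingerprint, port) tuples from an object list such as hassh or ja3."""
    # hassh.port is typed string but shown as a number, so coerce with int().
    return [(e["fingerprint"], int(e["port"])) for e in raw.get(key) or []]

def summarize(record):
    """Check documented types and flatten one record for hunting queries."""
    problems = []
    if record.get("classification") not in CLASSIFICATIONS:
        problems.append("classification")
    for field, parse in (
        ("first_seen", date.fromisoformat),
        ("last_seen", date.fromisoformat),
        ("last_seen_timestamp", lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M:%S")),
    ):
        try:
            parse(record.get(field) or "")  # a missing value fails to parse
        except (TypeError, ValueError):
            problems.append(field)
    raw = record.get("raw_data") or {}
    tags = record.get("tags") or []
    cves = set(record.get("cve") or []) | {c for t in tags for c in t.get("cves") or []}
    return {
        "ip": record.get("ip"),
        "problems": problems,
        "cves": sorted(cves),
        "hassh": pairs(raw, "hassh"),
        "ja3": pairs(raw, "ja3"),
        # The examples show both "tcp" and "TCP"; lower-case before comparing.
        "scanned": sorted({(s["port"], s["protocol"].lower()) for s in raw.get("scan") or []}),
        "malicious_tags": [t["slug"] for t in tags if t.get("intention") == "malicious"],
    }

# Constructed record reusing example values from the table above.
SAMPLE = {
    "ip": "1.2.3.4", "classification": "unknown", "cve": ["CVE-2025-12345"],
    "first_seen": "2021-11-23", "last_seen": "2021-12-31",
    "last_seen_timestamp": "2021-12-31 05:32:53",
    "raw_data": {
        "hassh": [{"fingerprint": "acaa53e0a7d7ac7d1255103f37901306", "port": "2222"}],
        "ja3": [], "scan": [{"port": 80, "protocol": "tcp"}, {"port": 22, "protocol": "TCP"}],
    },
    "tags": [{"slug": "cgi-script-scanner", "intention": "malicious", "cves": []}],
}
```

`summarize(SAMPLE)` returns an empty `problems` list; a record with a mis-cased classification or a non-ISO date is reported by field name instead of being silently accepted.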