Intelligence Module - Hunt
Data Dictionary: Intelligence Module - Hunt - Entitlements
This outlines the fields and field types in the IP and Query endpoint responses that are entitled by purchase of the Hunt Intelligence Module.
Last Updated: 2025-10-08
| Field Name | Field Type | Example | Description | Query Sample |
|---|---|---|---|---|
| actor | string | unknown | Confirmed owner or operator of the IP address. | Sample |
| bot | boolean | false | Indicates whether the IP is associated with known bot activity. | Sample |
| classification | string | unknown | Classification of the IP address. Possible values: benign, unknown, malicious, suspicious. | Sample |
| cve | string list | ["CVE-2025-12345"] | Provides a list of CVEs the IP has been observed scanning or exploiting. | Sample |
| first_seen | date | 2021-11-23 | Date when the IP was first observed on the GreyNoise sensor network (YYYY-MM-DD format). | Sample |
| ip | string | 1.2.3.4 | IP address observed on the GreyNoise sensor network. | |
| last_seen | date | 2021-12-31 | Date when the IP was most recently observed on the GreyNoise sensor network (YYYY-MM-DD format). | Sample |
| last_seen_timestamp | string | 2021-12-31 05:32:53 | Date and time when the IP was most recently observed on the GreyNoise sensor network (YYYY-MM-DD HH:MM:SS format). | |
| metadata | object | {"asn": "AS51747", "category": "hosting", "destination_asns": [...], ...} | Additional metadata about the IP address. Items not included in this module will be empty. | |
| metadata.asn | string | AS37963 | ASN (Autonomous System Number) associated with the IP address. | Sample |
| metadata.category | string | hosting | Category of the IP address such as hosting or ISP. | Sample |
| metadata.destination_asns | string list | ["AS20473", "AS44477"] | List of ASNs associated with sensors that observed scanning traffic from this IP. | |
| metadata.destination_cities | string list | ["Hong Kong", "Elk Grove Village", "Haarlem"] | List of cities where sensors that observed scanning traffic from this IP are located. | |
| metadata.destination_countries | string list | ["Belarus"] | List of countries where sensors that observed scanning traffic from this IP are located. | Sample |
| metadata.destination_country_codes | string list | ["BY"] | List of country codes where sensors that observed scanning traffic from this IP are located. | Sample |
| metadata.domain | string | lionlink.net | Domain associated with the IP ASN owner. | Sample |
| metadata.mobile | boolean | true | Defines if the IP is part of a known cellular network. | Sample |
| metadata.organization | string | FranTech Solutions | Organization associated with the IP address. | Sample |
| metadata.os | string | Windows XP | Operating system associated with the IP address. | Sample |
| metadata.rdns | string | miamitor4.us | rDNS (reverse DNS lookup) value for the IP address. | Sample |
| metadata.rdns_parent | string | acme.lcl | Parent domain associated with the rDNS value. | Sample |
| metadata.region | string | Florida | Region (state or province) where the IP address is registered or operates. | Sample |
| metadata.single_destination | boolean | true | Indicates that the IP only scanned a single destination country. | Sample |
| metadata.sensor_counts | integer | 3 | Number of distinct sensors that observed scanning from this IP. | |
| metadata.sensor_hits | integer | 20 | Number of recorded events on all sensors from this IP. | |
| metadata.source_city | string | Miami | City where the IP address is registered or operates. | Sample |
| metadata.source_country | string | United States | Country where the IP address is registered or operates. | Sample |
| metadata.source_country_code | string | US | Country code of the IP address based on ISO 3166-1 alpha-2. | Sample |
| raw_data | object | {"hassh": [...], "http": {...}, "ja3": [...], "scan": [...], "source": {...}, "ssh": {...}, "tls": {...}} | Observed activity from the GreyNoise sensor network. Values not included in this module will be empty. | |
| raw_data.hassh | object list | [{"fingerprint": "acaa53e0a7d7ac7d1255103f37901306", "port": 2222}] | Recorded hashing information for SSH activity observed. | |
| raw_data.hassh.fingerprint | string | a7a87fbe86774c2e40cc4a7ea2ab1b3c | Recorded fingerprint value for SSH activity observed. | Sample |
| raw_data.hassh.port | string | 22 | Associated port for SSH activity observed. | Sample |
| raw_data.http | object | {"md5": [...], "cookie_keys": [...], "request_authorization": [...], "request_cookies": [...], "request_header": [...], "method": [...], "path": [...], "request_origin": [...], "useragent": [...]} | ||
| raw_data.http.md5 | string list | ["690e440f039d37e8098f20406f460c11"] | ||
| raw_data.http.cookie_keys | string list | ["T", "ssiddcsession_ref"] | Cookie names observed in HTTP requests from this IP. | |
| raw_data.http.request_authorization | string list | ["Digest username=\"dslf-config\", realm=\"HuaweiHomeGateway\", nonce=\"88645cefb1f9ede0e336e3569d75ee30\", uri=\"/ctrlt/DeviceUpgrade_1\", response=\"3612f843a42db38f48f59d2a3597e19c\", algorithm=\"MD5\", qop=\"auth\", nc=00000001, cnonce=\"248d1a2560100669\""] | Authorization header values observed in HTTP requests from this IP. | |
| raw_data.http.request_cookies | string list | ["T=bozH7ydpNM81XU0zFLF4FDrSrp2v/1yRS1QFryl9hYaUbLwLcTBP6DEVdfIF7wqpkDxnvY5b8pj+wtEVhMM1dXepjVgqewc9XKjcw0hGPn5L7Ck4iQtpcoMpUGT96Z0kKULQkmAFrMuWA8CeLrWND1ljHQgcxYJ2eqJ9ciU/Lw8wlqrnfrzQVXBwWWZQW6gROiCY99M3+HnqiKKe2bZMQ+tT4hujUbMZyDQG+8P/pJvjot0+eTN8ITg="] | Cookie header values observed in HTTP requests from this IP. | |
| raw_data.http.request_header | string list | ["user-agent", "accept-language"] | HTTP request header names observed in requests from this IP. | |
| raw_data.http.method | string list | ["GET"] | Observed scanning activity used these HTTP request methods. | |
| raw_data.http.path | string list | ["/favicon.ico"] | Observed scanning activity traversed this web path. | Sample |
| raw_data.http.request_origin | string list | ["2a03:2880:f800:a::", "216.244.66.199"] | | |
| raw_data.http.useragent | string list | ["Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"] | Observed scanning activity used these user agents. | Sample |
| raw_data.http.ja4h | string list | ["ge11cn060000_4e59edc1297a_4da5efaf0cbd"] | Returns all devices with a matching JA4H HTTP fingerprint | Sample |
| raw_data.ja3 | object list | [{"fingerprint": "19e29534fd49dd27d09234e639c4057e", "port": 8443}] | Recorded hashing information for TLS activity observed. | |
| raw_data.ja3.fingerprint | string | 19e29534fd49dd27d09234e639c4057e | Recorded fingerprint value for JA3 activity observed. | Sample |
| raw_data.ja3.port | int | 8443 | Associated port for TLS activity observed. | Sample |
| raw_data.scan | object list | [{"port": 22, "protocol": "TCP"}] | Recorded port and protocol information for scanning activity observed. | |
| raw_data.scan.port | int | 22 | Recorded port for scanning activity observed. | Sample |
| raw_data.scan.protocol | string | TCP | Recorded protocol for scanning activity observed. | Sample |
| raw_data.source.bytes | int | 2224 | ||
| raw_data.ssh.key | string list | ["AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL1myjWMrndjPuBmq6/VoA56UnDtVw/ViMZQkYYsMbIthGyK6Cg+fMQiVWEx3Va6HTtoveVm9v8nX+EsD5+y90o="] | ||
| raw_data.ssh.ja4ssh | string list | ["c76s76_c71s59_c0s0"] | Returns all devices with a matching JA4SSH fingerprint | Sample |
| raw_data.tcp.ja4l | string list | ["1460_64"] | Returns all devices with a matching JA4L light distance/latency fingerprint | Sample |
| raw_data.tcp.ja4t | string list | ["64240_2-1-3-1-1-4_1460_8"] | Returns all devices with a matching JA4T TCP fingerprint | Sample |
| raw_data.tls.cipher | string list | ["TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"] | TLS cipher suites observed in TLS activity from this IP. | |
| raw_data.tls.ja4 | string list | ["t12i060100_eca7c5d91837_338aad02a631", "t13i871000_72303a6ce03a_24695f2957a7"] | JA4 TLS client fingerprints observed in TLS activity from this IP. | |
| spoofable | boolean | false | Indicates whether the IP's traffic could be spoofed because the IP did not complete a three-way handshake with the GreyNoise sensor network. If true, the traffic may be spoofed. | Sample |
| tags | object list | [{"category": "activity", "created": "2020-04-07", "cves": [], "description": "...", "id": "...", "intention": "malicious", "name": "CGI Script Scanner", "recommend_block": false, "references": [...], "slug": "cgi-script-scanner", "updated_at": "2025-05-14T04:12:40.778197Z"}] | List of tags associated with this IP and the tags details. | Sample |
| tags.category | string | activity | Category type for the identified tag. | |
| tags.created_at | date | 2020-04-07 | Date the tag was added to GreyNoise. | |
| tags.cves | string list | ["CVE-1992-2342"] | Any CVEs associated with the behavior detected by the tag. | |
| tags.description | string | This is a tag description. | A brief description of what the tag identifies. | |
| tags.id | string | feb92353-4264-44ce-8f7d-8ddae93719da | The unique id given to the tag. | |
| tags.intention | string | malicious | The identified intention of the activity detected by this tag. | |
| tags.name | string | CGI Script Scanner | The name of the tag. | |
| tags.recommended_block | boolean | false | Indicates if IPs associated with this tag should be blocked. | |
| tags.references | string list | ["https://en.wikipedia.org/wiki/Common_Gateway_Interface"] | A list of references used to create this tag. | |
| tags.slug | string | cgi-script-scanner | The slug associated with the tag. | |
| tags.updated_at | datetime | 2025-05-14T04:12:40.778197Z | The last time this tag was updated or modified. | |
| tor | boolean | true | Indicates whether the IP is a known Tor exit node. | Sample |
| vpn | boolean | false | Indicates if the IP is associated with a known VPN service. | Sample |
| vpn_service | string | PIA_VPN | Name of the VPN service associated with the IP (if applicable). | Sample |
These additional fields are available through the CVE API:
| Field Name | Field Type | Example | Description |
|---|---|---|---|
| id | string | CVE-2024-12345 | The CVE ID. |
| details | object | {"vulnerability_name": "Acme Inc Exploit Attempt", "vulnerability_description": "Potentially allowing Acme Inc to exploit anvil drop on new users.", "cve_cvss_score": 4.5, "product": "Acme Inc", "vendor": "Anvil Drop", "published_to_nist_nvd": true} | Basic CVE details, including CVSS score (Common Vulnerability Scoring System), associated products & vendors, and NIST CVE recognition status. |
| details.vulnerability_name | string | Acme Inc Exploit Attempt | Name of the vulnerability. |
| details.vulnerability_description | string | Potentially allowing Acme Inc to exploit anvil drop on new users. | Description of the vulnerability. |
| details.cve_cvss_score | float | 4.5 | Current CVSS score (Common Vulnerability Scoring System). |
| details.product | string | Acme Inc | Product(s) associated with the CVE. |
| details.vendor | string | Anvil Drop | Vendor(s) associated with the CVE. |
| details.published_to_nist_nvd | boolean | true | Whether this CVE is recognized by NIST. |
| timeline | object | {"cve_published_date": "2024-05-28T19:15:10.060", "cve_last_updated_date": "2024-05-31T16:04:09.703", "first_known_published_date": "2024-05-27T00:00:00Z", "cisa_kev_date_added": "2024-05-30T00:00:00Z"} | Key timeline details about when the CVE was published, updated, and added to CISA (https://www.cisa.gov/known-exploited-vulnerabilities-catalog). |
| timeline.cve_published_date | datetime | 2024-05-28T19:15:10.060 | Date when the CVE was published by NVD. |
| timeline.cve_last_updated_date | datetime | 2024-05-31T16:04:09.703 | Date when the CVE record was last updated. |
| timeline.first_known_published_date | datetime | 2024-05-27T00:00:00Z | Date when the first exploit associated with the CVE was published. |
| timeline.cisa_kev_date_added | datetime | 2024-05-30T00:00:00Z | Date CISA (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) added a KEV (Known Exploited Vulnerability) entry associated with the CVE. |
| exploitation_details | object | {"attack_vector": "NETWORK", "exploit_found": true, "exploitation_registered_in_kev": true, "epss_score": 0.94504} | Exploitation-related details pertaining to attack vector category, EPSS score (Exploit Prediction Scoring System), available exploits, and KEV (Known Exploited Vulnerabilities) registration. |
| exploitation_details.attack_vector | string | NETWORK | Attack vector category. |
| exploitation_details.exploit_found | boolean | true | Whether any known exploits are available. |
| exploitation_details.exploitation_registered_in_kev | boolean | true | Whether exploitation has been registered in the KEV (Known Exploited Vulnerabilities) database. |
| exploitation_details.epss_score | float | 0.94504 | EPSS score (Exploit Prediction Scoring System) associated with the exploitation. |
| exploitation_stats | object | {"number_of_available_exploits": 60, "number_of_threat_actors_exploiting_vulnerability": 1, "number_of_botnets_exploiting_vulnerability": 0} | Statistical data about exploitation, including number of exploits available, and number of threat actors and botnets exploiting the vulnerability. |
| exploitation_stats.number_of_available_exploits | integer | 60 | Total number of exploits available (public + commercial). |
| exploitation_stats.number_of_threat_actors_exploiting_vulnerability | integer | 1 | Total number of known threat actors exploiting the vulnerability. |
| exploitation_stats.number_of_botnets_exploiting_vulnerability | integer | 0 | Total number of botnets exploiting the vulnerability. |
| exploitation_activity | object | {"activity_seen": true, "benign_ip_count_1d": 765, "benign_ip_count_10d": 765, "benign_ip_count_30d": 765, "threat_ip_count_1d": 0, "threat_ip_count_10d": 1, "threat_ip_count_30d": 14} | Observed IPs scanning or exploiting the vulnerability today, in the last 10 days, and the last 30 days. |
| exploitation_activity.activity_seen | boolean | true | Whether GreyNoise has observed activity related to this CVE. |
| exploitation_activity.benign_ip_count_1d | integer | 765 | Total number of benign IPs GreyNoise observed scanning or exploiting this vulnerability today. |
| exploitation_activity.benign_ip_count_10d | integer | 765 | Total number of benign IPs GreyNoise observed scanning or exploiting this vulnerability in the last 10 days. |
| exploitation_activity.benign_ip_count_30d | integer | 765 | Total number of benign IPs GreyNoise observed scanning or exploiting this vulnerability in the last 30 days. |
| exploitation_activity.threat_ip_count_1d | integer | 0 | Total number of threat IPs GreyNoise observed scanning or exploiting this vulnerability today. |
| exploitation_activity.threat_ip_count_10d | integer | 1 | Total number of threat IPs GreyNoise observed scanning or exploiting this vulnerability in the last 10 days. |
| exploitation_activity.threat_ip_count_30d | integer | 14 | Total number of threat IPs GreyNoise observed scanning or exploiting this vulnerability in the last 30 days. |
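The following is an added example, not GreyNoise code: it consumes constructed records shaped like the IP response and the CVE API response documented in the two tables above, parses the date fields in the formats the dictionary states, and derives a triage action. The `triage` and `parse_dates` function names and the action labels are assumptions of this example; the tag key `recommend_block` follows the `tags` example object while `recommended_block` follows the field name, so both are checked.

```python
"""Triage helper for GreyNoise Hunt IP and CVE responses (added example)."""
from datetime import date, datetime

# Constructed sample shaped like the IP response fields above (RFC 5737 address).
SAMPLE_IP = {
    "ip": "203.0.113.7", "classification": "malicious", "spoofable": False,
    "tor": False, "vpn": False, "first_seen": "2021-11-23", "last_seen": "2021-12-31",
    "last_seen_timestamp": "2021-12-31 05:32:53", "cve": ["CVE-2025-12345"],
    "tags": [{"name": "CGI Script Scanner", "intention": "malicious",
              "recommend_block": False, "cves": []}],
    "raw_data": {"scan": [{"port": 22, "protocol": "TCP"}]},
}
# Constructed sample shaped like the CVE API response fields above.
SAMPLE_CVE = {
    "id": "CVE-2025-12345",
    "exploitation_details": {"exploitation_registered_in_kev": True, "epss_score": 0.94504},
    "exploitation_activity": {"activity_seen": True, "threat_ip_count_30d": 14},
}


def parse_dates(ip_rec):
    """Parse the date fields using the formats the dictionary documents (ValueError if malformed)."""
    return {
        "first_seen": date.fromisoformat(ip_rec["first_seen"]),
        "last_seen": date.fromisoformat(ip_rec["last_seen"]),
        "last_seen_timestamp": datetime.strptime(ip_rec["last_seen_timestamp"], "%Y-%m-%d %H:%M:%S"),
    }


def triage(ip_rec, cve_lookup):
    """Return (action, reasons); cve_lookup maps a CVE id to its CVE API record (assumed shape)."""
    reasons = []
    if ip_rec.get("spoofable"):
        # No three-way handshake: the source address is unverified, so never block on this alone.
        return "review", ["spoofable: source address unverified"]
    if ip_rec.get("classification") == "malicious":
        reasons.append("classification=malicious")
    if any(t.get("recommend_block", t.get("recommended_block")) for t in ip_rec.get("tags", [])):
        reasons.append("tag recommends block")
    for cve_id in ip_rec.get("cve", []):
        rec = cve_lookup.get(cve_id, {})
        if rec.get("exploitation_details", {}).get("exploitation_registered_in_kev"):
            reasons.append(f"{cve_id} registered in CISA KEV")
        if rec.get("exploitation_activity", {}).get("threat_ip_count_30d", 0) > 0:
            reasons.append(f"{cve_id} has threat IPs in the last 30 days")
    if ip_rec.get("classification") == "benign":
        return "allow", reasons or ["classification=benign"]
    # Two or more independent signals are required before recommending a block.
    return ("block" if len(reasons) >= 2 else "alert"), reasons
```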