Intelligence Module - Investigate

Data Dictionary: Intelligence Module - Investigate - Entitlements

This page lists the fields, with their types, returned by the IP and Query endpoints that are entitled by the Investigate Intelligence Module.

Last Updated: 2025-10-08

Each entry gives the field name, its type, an example value and a description.

actor
  Type: string
  Example: unknown
  Description: Confirmed owner or operator of the IP address.

bot
  Type: boolean
  Example: false
  Description: Indicates whether the IP is associated with known bot activity.

classification
  Type: string
  Example: unknown
  Description: Classification of the IP address. Possible values: benign, unknown, malicious, suspicious.

cve
  Type: string list
  Example: ["CVE-2025-12345"]
  Description: List of CVEs the IP has been observed scanning for or exploiting.

first_seen
  Type: date
  Example: 2021-11-23
  Description: Date when the IP was first observed on the GreyNoise sensor network (YYYY-MM-DD format).

ip
  Type: string
  Example: 1.2.3.4
  Description: IP address observed on the GreyNoise sensor network.

last_seen
  Type: date
  Example: 2021-12-31
  Description: Date when the IP was most recently observed on the GreyNoise sensor network (YYYY-MM-DD format).

last_seen_timestamp
  Type: string
  Example: 2021-12-31 05:32:53
  Description: Date and time when the IP was most recently observed on the GreyNoise sensor network (YYYY-MM-DD HH:MM:SS format, as in the example).

metadata
  Type: object
  Example:
    {
      "asn": "AS51747",
      "category": "hosting",
      "destination_asns": [
        "AS20473",
        "AS44477"
      ],
      "destination_cities": [
        "Hong Kong",
        "Elk Grove Village",
        "Haarlem"
      ],
      "destination_countries": [
        "Hong Kong",
        "Netherlands",
        "United States"
      ],
      "destination_country_codes": [
        "HK",
        "NL",
        "US"
      ],
      "domain": "internetvikings.com",
      "latitude": 59.3294,
      "longitude": 18.0687,
      "mobile": false,
      "organization": "Internet Vikings International AB",
      "os": "",
      "rdns": "",
      "rdns_parent": "",
      "region": "Stockholm",
      "sensor_count": 3,
      "sensor_hits": 20,
      "single_destination": false,
      "source_city": "Stockholm",
      "source_country": "Sweden",
      "source_country_code": "SE"
    }
  Description: Additional metadata about the IP address. Items not included in this module will be empty.

metadata.asn
  Type: string
  Example: AS37963
  Description: ASN (Autonomous System Number) associated with the IP address.

metadata.category
  Type: string
  Example: hosting
  Description: Category of the IP address, such as hosting or ISP.

metadata.destination_asns
  Type: string list
  Example: ["AS20473", "AS44477"]
  Description: List of ASNs associated with the sensors that observed scanning traffic from this IP.

metadata.destination_cities
  Type: string list
  Example: ["Hong Kong", "Elk Grove Village", "Haarlem"]
  Description: List of cities where the sensors that observed scanning traffic from this IP are located.

metadata.destination_countries
  Type: string list
  Example: ["Belarus"]
  Description: List of countries where the sensors that observed scanning traffic from this IP are located.

metadata.destination_country_codes
  Type: string list
  Example: ["BY"]
  Description: List of country codes of the countries where the sensors that observed scanning traffic from this IP are located.

metadata.domain
  Type: string
  Example: lionlink.net
  Description: Domain associated with the owner of the IP's ASN.

metadata.mobile
  Type: boolean
  Example: true
  Description: Indicates whether the IP is part of a known cellular network.

metadata.organization
  Type: string
  Example: FranTech Solutions
  Description: Organization associated with the IP address.

metadata.rdns
  Type: string
  Example: miamitor4.us
  Description: rDNS (reverse DNS lookup) value for the IP address.

metadata.rdns_parent
  Type: string
  Example: acme.lcl
  Description: Parent domain of the rDNS value.

metadata.region
  Type: string
  Example: Florida
  Description: Region (state or province) where the IP address is registered or operates.

metadata.single_destination
  Type: boolean
  Example: true
  Description: Indicates that the IP only scanned a single destination country.

metadata.sensor_count
  Type: integer
  Example: 3
  Description: Number of distinct sensors that observed scanning from this IP.

metadata.sensor_hits
  Type: integer
  Example: 20
  Description: Number of recorded events from this IP across all sensors.

metadata.source_city
  Type: string
  Example: Miami
  Description: City where the IP address is registered or operates.

metadata.source_country
  Type: string
  Example: United States
  Description: Country where the IP address is registered or operates.

metadata.source_country_code
  Type: string
  Example: US
  Description: Country code of the IP address (ISO 3166-1 alpha-2).

raw_data
  Type: object
  Example:
    {
      "hassh": [],
      "http": {
        "md5": [],
        "cookie_keys": [],
        "request_authorization": [],
        "request_cookies": [],
        "request_header": [],
        "method": [],
        "path": [],
        "request_origin": [],
        "useragent": []
      },
      "ja3": [],
      "scan": [
        {
          "port": 80,
          "protocol": "tcp"
        }
      ],
      "source": {
        "bytes": 2224
      },
      "ssh": {
        "key": []
      },
      "tls": {
        "cipher": [],
        "ja4": []
      }
    }
  Description: Observed activity from the GreyNoise sensor network. Values not included in this module will be empty.

raw_data.scan
  Type: object list
  Example:
    [
      {
        "port": 22,
        "protocol": "TCP"
      }
    ]
  Description: Recorded port and protocol information for the scanning activity observed.

raw_data.scan.port
  Type: int
  Example: 22
  Description: Recorded port for the scanning activity observed.

raw_data.scan.protocol
  Type: string
  Example: TCP
  Description: Recorded protocol for the scanning activity observed.

raw_data.source.bytes
  Type: int
  Example: 2224

spoofable
  Type: boolean
  Example: false
  Description: Indicates whether traffic from this IP could be spoofed. false means the IP completed a three-way handshake with the GreyNoise sensor network; if true, the handshake was not completed and the traffic may be spoofed.

tags
  Type: object list
  Example:
    [
      {
        "category": "activity",
        "created": "2020-04-07",
        "cves": [],
        "description": "IP addresses with this tag have been observed scanning the Internet for CGI scripts.",
        "id": "feb92353-4264-44ce-8f7d-8ddae93719da",
        "intention": "malicious",
        "name": "CGI Script Scanner",
        "recommend_block": false,
        "references": [
          "https://en.wikipedia.org/wiki/Common_Gateway_Interface"
        ],
        "slug": "cgi-script-scanner",
        "updated_at": "2025-05-14T04:12:40.778197Z"
      }
    ]
  Description: List of tags associated with this IP, with each tag's details.

tags.category
  Type: string
  Example: activity
  Description: Category type of the identified tag.

tags.created
  Type: date
  Example: 2020-04-07
  Description: Date the tag was added to GreyNoise.

tags.cves
  Type: string list
  Example: ["CVE-1992-2342"]
  Description: Any CVEs associated with the behavior detected by the tag.

tags.description
  Type: string
  Example: This is a tag description.
  Description: A brief description of what the tag identifies.

tags.id
  Type: string
  Example: feb92353-4264-44ce-8f7d-8ddae93719da
  Description: The unique id given to the tag.

tags.intention
  Type: string
  Example: malicious
  Description: The identified intention of the activity detected by this tag.

tags.name
  Type: string
  Example: CGI Script Scanner
  Description: The name of the tag.

tags.recommend_block
  Type: boolean
  Example: false
  Description: Indicates whether IPs carrying this tag are recommended for blocking.

tags.references
  Type: string list
  Example: ["https://en.wikipedia.org/wiki/Common_Gateway_Interface"]
  Description: A list of references used to create this tag.

tags.slug
  Type: string
  Example: cgi-script-scanner
  Description: The slug associated with the tag.

tags.updated_at
  Type: date
  Example: 2025-05-14T04:12:40.778197Z
  Description: The last time this tag was updated or modified.

tor
  Type: boolean
  Example: true
  Description: Indicates whether the IP is a known Tor exit node.

vpn
  Type: boolean
  Example: false
  Description: Indicates whether the IP is associated with a known VPN service.

vpn_service
  Type: string
  Example: PIA_VPN
  Description: Name of the VPN service associated with the IP (if applicable).
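As an added example (not GreyNoise's own code or SDK), the following Python triages one IP lookup response using only the fields documented above: it refuses to auto-block a spoofable IP because the handshake was never completed and the source may be forged, honours recommend_block on tags, treats Tor and VPN egress as watch-only, and normalises the protocol case that the scan examples show as both "tcp" and "TCP". Both records are constructed by hand with TEST-NET addresses and a made-up second tag; they are not real GreyNoise data.

```python
from dataclasses import dataclass, field

# Constructed records (not real GreyNoise responses). Field names follow the data
# dictionary; the TEST-NET addresses and the second tag are made up for illustration.
SAMPLE_MALICIOUS = {
    "ip": "192.0.2.10",
    "classification": "malicious",
    "spoofable": False,
    "bot": False,
    "tor": False,
    "vpn": False,
    "vpn_service": "",
    "cve": ["CVE-2025-12345"],
    "first_seen": "2021-11-23",
    "last_seen": "2021-12-31",
    "metadata": {"asn": "AS51747", "category": "hosting", "single_destination": False},
    "raw_data": {
        "scan": [{"port": 80, "protocol": "TCP"}, {"port": 22, "protocol": "tcp"},
                 {"port": 80, "protocol": "tcp"}],
        "source": {"bytes": 2224},
    },
    "tags": [
        {"name": "CGI Script Scanner", "intention": "malicious",
         "recommend_block": False, "cves": []},
        {"name": "Constructed Exploit Tag", "intention": "malicious",
         "recommend_block": True, "cves": ["CVE-2025-12345", "CVE-1992-2342"]},
    ],
}

SAMPLE_SPOOFABLE = {
    "ip": "198.51.100.7",
    "classification": "malicious",
    "spoofable": True,
    "tor": False,
    "vpn": False,
    "cve": [],
    "metadata": {},
    "raw_data": {"scan": [{"port": 23, "protocol": "tcp"}]},
    "tags": [{"name": "Constructed Telnet Tag", "intention": "malicious",
              "recommend_block": True, "cves": []}],
}


@dataclass
class Verdict:
    ip: str
    action: str                     # "block", "watch" or "ignore"
    reasons: list = field(default_factory=list)


def scanned_ports(record):
    """Distinct (port, protocol) pairs from raw_data.scan; the protocol is
    lower-cased because the dictionary shows both "tcp" and "TCP"."""
    pairs = {(int(s["port"]), s["protocol"].lower())
             for s in record.get("raw_data", {}).get("scan", [])}
    return sorted(pairs)


def associated_cves(record):
    """Sorted union of the top-level cve list and every tag's cves list."""
    cves = set(record.get("cve") or [])
    for tag in record.get("tags") or []:
        cves.update(tag.get("cves") or [])
    return sorted(cves)


def triage(record):
    ip = record["ip"]
    # A spoofable IP never completed a TCP three-way handshake with the sensors,
    # so its source address may be forged: watch it, never auto-block it.
    if record.get("spoofable"):
        return Verdict(ip, "watch", ["spoofable: no completed handshake, source may be forged"])
    classification = record.get("classification", "unknown")
    if classification == "benign":
        return Verdict(ip, "ignore", ["classification benign"])
    reasons = []
    blocking_tags = [t["name"] for t in record.get("tags") or [] if t.get("recommend_block")]
    if blocking_tags:
        reasons.append("tag recommends block: " + ", ".join(blocking_tags))
    if classification == "malicious":
        reasons.append("classification malicious")
    if reasons:
        return Verdict(ip, "block", reasons)
    # suspicious or unknown: anonymising infrastructure deserves a look, but shared
    # Tor exits and VPN egress addresses are not safe to block outright.
    if record.get("tor"):
        reasons.append("Tor exit node")
    if record.get("vpn"):
        reasons.append("VPN service: " + (record.get("vpn_service") or "unnamed"))
    if classification == "suspicious":
        reasons.append("classification suspicious")
    return Verdict(ip, "watch" if reasons else "ignore", reasons)


if __name__ == "__main__":
    for rec in (SAMPLE_MALICIOUS, SAMPLE_SPOOFABLE):
        v = triage(rec)
        print(f"{v.ip}: {v.action} ({'; '.join(v.reasons)}) ports={scanned_ports(rec)}")
```

The spoofable check runs before anything else on purpose: a malicious classification and a recommend_block tag are still outranked by the possibility that the observed source address was forged, which is the failure mode a block list built from this data has to avoid.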

These additional fields are available through the CVE API:

Each entry gives the field name, its type, an example value and a description.

id
  Type: string
  Example: CVE-2024-12345
  Description: The CVE ID.

details
  Type: object
  Example:
    {
      "vulnerability_name": "Acme Inc Exploit Attempt",
      "vulnerability_description": "Potentially allowing Acme Inc to exploit anvil drop on new users.",
      "cve_cvss_score": 4.5,
      "product": "Acme Inc",
      "vendor": "Anvil Drop",
      "published_to_nist_nvd": true
    }
  Description: Basic CVE details, including the CVSS score (Common Vulnerability Scoring System), associated products and vendors, and NIST NVD recognition status.

details.vulnerability_name
  Type: string
  Example: Acme Inc Exploit Attempt
  Description: Name of the vulnerability.

details.vulnerability_description
  Type: string
  Example: Potentially allowing Acme Inc to exploit anvil drop on new users.
  Description: Description of the vulnerability.

details.cve_cvss_score
  Type: float
  Example: 4.5
  Description: Current CVSS score (Common Vulnerability Scoring System).

details.product
  Type: string
  Example: Acme Inc
  Description: Product(s) associated with the CVE.

details.vendor
  Type: string
  Example: Anvil Drop
  Description: Vendor(s) associated with the CVE.

details.published_to_nist_nvd
  Type: boolean
  Example: true
  Description: Whether this CVE is recognized by NIST.

timeline
  Type: object
  Example:
    {
      "cve_published_date": "2024-05-28T19:15:10.060",
      "cve_last_updated_date": "2024-05-31T16:04:09.703",
      "first_known_published_date": "2024-05-27T00:00:00Z",
      "cisa_kev_date_added": "2024-05-30T00:00:00Z"
    }
  Description: Key timeline details about when the CVE was published, last updated, and added to the CISA KEV catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog).

timeline.cve_published_date
  Type: datetime
  Example: 2024-05-28T19:15:10.060
  Description: Date when the CVE was published by NVD.

timeline.cve_last_updated_date
  Type: datetime
  Example: 2024-05-31T16:04:09.703
  Description: Date when the CVE record was last updated.

timeline.first_known_published_date
  Type: datetime
  Example: 2024-05-27T00:00:00Z
  Description: Date when the first exploit associated with the CVE was published.

timeline.cisa_kev_date_added
  Type: datetime
  Example: 2024-05-30T00:00:00Z
  Description: Date CISA (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) added a KEV (Known Exploited Vulnerability) entry associated with the CVE.

exploitation_details
  Type: object
  Example:
    {
      "attack_vector": "NETWORK",
      "exploit_found": true,
      "exploitation_registered_in_kev": true,
      "epss_score": 0.94504
    }
  Description: Exploitation-related details: attack vector category, EPSS score (Exploit Prediction Scoring System), exploit availability, and KEV (Known Exploited Vulnerabilities) registration.

exploitation_details.attack_vector
  Type: string
  Example: NETWORK
  Description: Attack vector category.

exploitation_details.exploit_found
  Type: boolean
  Example: true
  Description: Whether any known exploits are available.

exploitation_details.exploitation_registered_in_kev
  Type: boolean
  Example: true
  Description: Whether exploitation has been registered in the KEV (Known Exploited Vulnerabilities) catalog.

exploitation_details.epss_score
  Type: float
  Example: 0.94504
  Description: EPSS score (Exploit Prediction Scoring System) for the CVE.

exploitation_stats
  Type: object
  Example:
    {
      "number_of_available_exploits": 60,
      "number_of_threat_actors_exploiting_vulnerability": 1,
      "number_of_botnets_exploiting_vulnerability": 0
    }
  Description: Statistics about exploitation: the number of exploits available, and the number of threat actors and botnets exploiting the vulnerability.

exploitation_stats.number_of_available_exploits
  Type: integer
  Example: 60
  Description: Total number of exploits available (public and commercial).

exploitation_stats.number_of_threat_actors_exploiting_vulnerability
  Type: integer
  Example: 1
  Description: Total number of known threat actors exploiting the vulnerability.

exploitation_stats.number_of_botnets_exploiting_vulnerability
  Type: integer
  Example: 0
  Description: Total number of botnets exploiting the vulnerability.

exploitation_activity
  Type: object
  Example:
    {
      "activity_seen": true,
      "benign_ip_count_1d": 765,
      "benign_ip_count_10d": 765,
      "benign_ip_count_30d": 765,
      "threat_ip_count_1d": 0,
      "threat_ip_count_10d": 1,
      "threat_ip_count_30d": 14
    }
  Description: Counts of benign and threat IPs observed scanning for or exploiting the vulnerability today, in the last 10 days, and in the last 30 days.

exploitation_activity.activity_seen
  Type: boolean
  Example: true
  Description: Whether GreyNoise has observed activity related to this CVE.

exploitation_activity.benign_ip_count_1d
  Type: integer
  Example: 765
  Description: Total number of benign IPs GreyNoise observed scanning for or exploiting this vulnerability today.

exploitation_activity.benign_ip_count_10d
  Type: integer
  Example: 765
  Description: Total number of benign IPs GreyNoise observed scanning for or exploiting this vulnerability in the last 10 days.

exploitation_activity.benign_ip_count_30d
  Type: integer
  Example: 765
  Description: Total number of benign IPs GreyNoise observed scanning for or exploiting this vulnerability in the last 30 days.

exploitation_activity.threat_ip_count_1d
  Type: integer
  Example: 0
  Description: Total number of threat IPs GreyNoise observed scanning for or exploiting this vulnerability today.

exploitation_activity.threat_ip_count_10d
  Type: integer
  Example: 1
  Description: Total number of threat IPs GreyNoise observed scanning for or exploiting this vulnerability in the last 10 days.

exploitation_activity.threat_ip_count_30d
  Type: integer
  Example: 14
  Description: Total number of threat IPs GreyNoise observed scanning for or exploiting this vulnerability in the last 30 days.
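As an added example (not GreyNoise's own code or SDK), the following Python ranks CVE API records for remediation using the fields documented above: KEV registration outranks everything, then exploit availability combined with EPSS or observed threat-IP activity, and it parses the two timestamp shapes the examples show (NVD times with no zone and RFC 3339 times with a trailing Z) so that time-to-KEV can be computed. SAMPLE_CVE reuses the example values from this page; SAMPLE_QUIET_CVE borrows the page's other example id with made-up quiet values, and its null cisa_kev_date_added for a CVE absent from KEV is an assumption of this example, not documented behaviour.

```python
from datetime import datetime, timezone

# Constructed records (not real GreyNoise responses). SAMPLE_CVE reuses the example
# values from the data dictionary; SAMPLE_QUIET_CVE reuses the page's other example id
# with made-up values. A null cisa_kev_date_added when not in KEV is an assumption.
SAMPLE_CVE = {
    "id": "CVE-2024-12345",
    "timeline": {
        "cve_published_date": "2024-05-28T19:15:10.060",
        "cve_last_updated_date": "2024-05-31T16:04:09.703",
        "first_known_published_date": "2024-05-27T00:00:00Z",
        "cisa_kev_date_added": "2024-05-30T00:00:00Z",
    },
    "exploitation_details": {
        "attack_vector": "NETWORK", "exploit_found": True,
        "exploitation_registered_in_kev": True, "epss_score": 0.94504,
    },
    "exploitation_stats": {
        "number_of_available_exploits": 60,
        "number_of_threat_actors_exploiting_vulnerability": 1,
        "number_of_botnets_exploiting_vulnerability": 0,
    },
    "exploitation_activity": {
        "activity_seen": True,
        "benign_ip_count_1d": 765, "benign_ip_count_10d": 765, "benign_ip_count_30d": 765,
        "threat_ip_count_1d": 0, "threat_ip_count_10d": 1, "threat_ip_count_30d": 14,
    },
}

SAMPLE_QUIET_CVE = {
    "id": "CVE-1992-2342",
    "timeline": {
        "cve_published_date": "2024-01-10T12:00:00.000",
        "cve_last_updated_date": "2024-01-10T12:00:00.000",
        "first_known_published_date": None,
        "cisa_kev_date_added": None,
    },
    "exploitation_details": {
        "attack_vector": "LOCAL", "exploit_found": False,
        "exploitation_registered_in_kev": False, "epss_score": 0.00123,
    },
    "exploitation_stats": {
        "number_of_available_exploits": 0,
        "number_of_threat_actors_exploiting_vulnerability": 0,
        "number_of_botnets_exploiting_vulnerability": 0,
    },
    "exploitation_activity": {
        "activity_seen": False,
        "benign_ip_count_1d": 0, "benign_ip_count_10d": 0, "benign_ip_count_30d": 0,
        "threat_ip_count_1d": 0, "threat_ip_count_10d": 0, "threat_ip_count_30d": 0,
    },
}

PRIORITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_ts(value):
    """Parse both timestamp shapes in the dictionary: NVD times without a zone
    ("2024-05-28T19:15:10.060") and RFC 3339 times ending in Z. Zone-less values
    are assumed to be UTC so the two kinds can be compared."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def days_to_kev(record):
    """Whole days from NVD publication to the CISA KEV listing; None if not listed."""
    t = record["timeline"]
    if not t.get("cisa_kev_date_added"):
        return None
    return (parse_ts(t["cisa_kev_date_added"]) - parse_ts(t["cve_published_date"])).days


def priority(record):
    """Patch priority from KEV status, exploit availability, EPSS and sensor activity."""
    d = record["exploitation_details"]
    a = record["exploitation_activity"]
    if d.get("exploitation_registered_in_kev"):
        return "critical"      # CISA has confirmed in-the-wild exploitation
    if d.get("exploit_found") and (d.get("epss_score", 0.0) >= 0.5
                                   or a.get("threat_ip_count_30d", 0) > 0):
        return "high"          # an exploit exists and is likely, or already seen, in use
    if d.get("exploit_found") or a.get("activity_seen"):
        return "medium"
    return "low"


def rank(records):
    """Order records for remediation: priority tier, then EPSS, then 30-day threat IPs."""
    return sorted(records, key=lambda r: (
        PRIORITY_ORDER[priority(r)],
        -r["exploitation_details"].get("epss_score", 0.0),
        -r["exploitation_activity"].get("threat_ip_count_30d", 0),
    ))


if __name__ == "__main__":
    for r in rank([SAMPLE_QUIET_CVE, SAMPLE_CVE]):
        print(r["id"], priority(r), "days to KEV:", days_to_kev(r))
```

The 0.5 EPSS threshold is a tuning choice for this example, not a GreyNoise recommendation; the page gives only the field semantics, so pick a threshold that fits your own exposure.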