Intelligence Module

Data Dictionary: Intelligence Module - Triage - Entitlements

This outlines the field types associated with the IP and Query endpoint responses that are entitled based on purchasing the Triage Intelligence Module.

Last Updated: 2025-10-08

Field Name	Field Type	Example	Description	Query Sample
actor	string	unknown	Confirmed owner or operator of the IP address.	Sample
bot	boolean	false	Indicates whether the IP is associated with known bot activity.	Sample
classification	string	unknown	Classification of the IP address. Possible values: benign, unknown, malicious, suspicious.	Sample
ip	string	1.2.3.4	IP address observed on the GreyNoise sensor network.
last_seen	date	2021-12-31	Date when the IP was most recently observed on the GreyNoise sensor network (YYYY-MM-DD format).	Sample
last_seen_timestamp	string	2021-12-31 05:32:53	Date + Time when the IP was most recently observed on the GreyNoise sensor network (YYYY-MM-DD format).
metadata	object	`{ "asn": "AS6142", "category": "hosting", "destination_asns": [], "destination_cities": [], "destination_countries": [ "Brazil" ], "destination_country_codes": [ "BR" ], "domain": "oracle.com", "latitude": 0, "longitude": 0, "mobile": false, "organization": "Oracle Corporation", "os": "", "rdns": "", "rdns_parent": "", "region": "Arizona", "sensor_count": 0, "sensor_hits": 0, "single_destination": true, "source_city": "Phoenix", "source_country": "United States", "source_country_code": "US" }`	Additional metadata about the IP address. Items not included in this module will be empty.
metadata.asn	string	AS37963	ASN (Autonomous System Number) associated with the IP address.	Sample
metadata.category	string	hosting	Category of the IP address such as hosting or ISP.	Sample
metadata.destination_countries	string list	`['Belarus']`	List of countries where sensors that observed scanning traffic from this IP are located.	Sample
metadata.destination_country_codes	string list	`['BY']`	List of country codes where sensors that observed scanning traffic from this IP are located.	Sample
metadata.domain	string	lionlink.net	Domain associated with the IP ASN owner.	Sample
metadata.mobile	boolean	true	Defines if the IP is part of a known cellular network.	Sample
metadata.organization	string	FranTech Solutions	Organization associated with the IP address.	Sample
metadata.rdns	string	miamitor4.us	rDNS (reverse DNS lookup) value for the IP address.	Sample
metadata.rdns_parent	string	acme.lcl	Parent domain associated with the rDNS value.	Sample
metadata.region	string	Florida	Region (state or province) where the IP address is registered or operates.	Sample
metadata.single_destination	boolean	True	Indicates that the IP only scanned a single destination country.	Sample
metadata.source_city	string	Miami	City where the IP address is registered or operates.	Sample
metadata.source_country	string	United States	Country where the IP address is registered or operates.	Sample
metadata.source_country_code	string	US	Country code of the IP address based on ISO 3166-1 alpha-2.	Sample
spoofable	boolean	false	Indicates whether the IP completed a three-way handshake with the GreyNoise sensor network. If true, the traffic may be spoofed.	Sample
tags	object list	[ \{ "category": "activity", "created": "2020-04-07", "cves": [], "description": "IP addresses with this tag have been observed scanning the Internet for CGI scripts.", "id": "feb92353-4264-44ce-8f7d-8ddae93719da", "intention": "malicious", "name": "CGI Script Scanner", "recommend_block": false, "references": [ "[https://en.wikipedia.org/wiki/Common\_Gateway\_Interface](https://en.wikipedia.org/wiki/Common_Gateway_Interface)" ], "slug": "cgi-script-scanner", "updated_at": "2025-05-14T04:12:40.778197Z" } ]	List of tags associated with this IP and the tags details.	Sample
tags.category	string	activity	Category type for the identified tag.
tags.created_at	date	2020-04-07	Date the tag was added to GreyNoise.
tags.cves	string list	`["CVE-1992-2342"]`	Any CVEs associated with the behavior detected by the tag.
tags.description	string	This is a tag description.	A brief description of what the tag identifies.
tags.id	string	feb92353-4264-44ce-8f7d-8ddae93719da	The unique id given to the tag.
tags.intention	string	malicious	The identified intention of the activity detected by this tag.
tags.name	string	CGI Script Scanner	The name of the tag.
tags.recommended_block	boolean	false	Indicates if IPs associated with this tag should be blocked.
tags.references	string list	`[ "[https://en.wikipedia.org/wiki/Common\_Gateway\_Interface](https://en.wikipedia.org/wiki/Common_Gateway_Interface)" ]`	A list of references used to create this tag.
tags.slug	string	cgi-script-scanner	The slug associated with the tag.
tags.updated_at	data	2025-05-14T04:12:40.778197Z	The last time this tag was updated or modified.
tor	boolean	true	Indicates whether the IP is a known Tor exit node.	Sample
vpn	boolean	false	Indicates if the IP is associated with a known VPN service.	Sample
vpn_service	string	PIA_VPN	Name of the VPN service associated with the IP (if applicable).	Sample