Noise Response
Data Dictionary: Noise Response
This outlines the field types associated with the Noise IP Lookup and Multi-Lookup Endpoints and the Individual IP responses in the GNQL Endpoint.
Field Name | Field Type | Example | Description |
---|---|---|---|
actor | string | unknown | The confirmed owner/operator of this IP address. |
bot | boolean | false | Data Enrichment - IP is associated with known bot activity. |
classification | string | unknown | IP Classification - possible options: benign, unknown, malicious |
cve | string list | [ "CVE-2021-38645", "CVE-2021-38647" ] | List of CVEs the IP has been observed scanning for or exploiting |
first_seen | date | 2021-11-23 | Date of first observed behavior on the GreyNoise Sensor network (format: YYYY-MM-DD) |
ip | string | 1.2.3.4 | IP address that information is about |
last_seen | date | 2021-12-31 | Date of last observed behavior on the GreyNoise Sensor network (format: YYYY-MM-DD) |
metadata | object | { 'asn': 'AS18881', 'city': 'Brasília', 'country': 'Brazil', 'country_code': 'BR', 'organization': 'Acme Inc', 'category': 'isp', 'tor': False, 'rdns': 'scanner.acme.inc', 'os': 'unknown', 'sensor_hits': 214, 'sensor_count': 20, 'region': 'Federal District', 'destination_countries': ['Belarus'], 'destination_country_codes': ['BY'], 'source_country': 'Brazil', 'source_country_code': 'BR' } | Data Enrichment - Additional IP metadata |
metadata.asn | string | AS37963 | Data Enrichment - IP's attached ASN |
metadata.category | string | hosting | Data Enrichment - IP's attached category |
metadata.city | string | Miami | Data Enrichment - IP's attached city |
metadata.country OR metadata.source_country | string | United States | Data Enrichment - IP's attached country |
metadata.country_code OR metadata.source_country_code | string | US | Data Enrichment - IP's attached country code |
metadata.destination_countries | string list | ['Belarus'] | List of Countries where Sensors that received scanning traffic are located |
metadata.destination_country_codes | string list | ['BY'] | List of Country Codes where Sensors that received scanning traffic are located |
metadata.organization | string | FranTech Solutions | Data Enrichment - IP's attached organization |
metadata.os | string | Linux 2.2-3.x | Data Enrichment - IP's attached operating system |
metadata.sensor_hits | int | 210 | Number of scanning events observed |
metadata.sensor_count | int | 20 | Number of sensors on which events were observed |
metadata.rdns | string | miamitor4.us | Data Enrichment - rDNS lookup for IP |
metadata.region | string | Florida | Data Enrichment - IP's attached region |
metadata.tor | boolean | true | Data Enrichment - IP is a known Tor exit node |
raw_data | object | { "hassh": [ { "fingerprint": "a7a87fbe86774c2e40cc4a7ea2ab1b3c", "port": 22 } ], "ja3": [ { "fingerprint": "19e29534fd49dd27d09234e639c4057e", "port": 8443 } ], "scan": [ { "port": 22, "protocol": "TCP" } ], "web": { "paths": [ "/favicon.ico" ], "useragents": [ "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" ] } } | Observed Activity captured by the GreyNoise sensor network |
raw_data.hassh | object list | [ { "fingerprint": "a7a87fbe86774c2e40cc4a7ea2ab1b3c", "port": 22 } ] | Observed HASSH activity |
raw_data.hassh.fingerprint | string | a7a87fbe86774c2e40cc4a7ea2ab1b3c | HASSH Fingerprint captured |
raw_data.hassh.port | string | 22 | Port observed activity occurred on |
raw_data.ja3 | object list | [ { "fingerprint": "19e29534fd49dd27d09234e639c4057e", "port": 8443 } ] | Observed JA3 activity |
raw_data.ja3.fingerprint | string | 19e29534fd49dd27d09234e639c4057e | JA3 Fingerprint captured |
raw_data.ja3.port | int | 8443 | Port observed activity occurred on |
raw_data.scan | object list | [ { "port": 22, "protocol": "TCP" } ] | |
raw_data.scan.port | int | 22 | Port observed activity occurred on |
raw_data.scan.protocol | string | TCP | Protocol observed activity occurred on |
raw_data.web | object | { "paths": [ "/favicon.ico" ], "useragents": [ "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" ] } | Observed scanning activity occurred with these web objects |
raw_data.web.paths | string list | [ "/favicon.ico" ] | Observed scanning activity traversed this web path |
raw_data.web.useragents | string list | [ "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" ] | Observed scanning activity used these user agents |
seen | boolean | true | This IP was observed scanning the GreyNoise sensor network. May also be referenced as "noise" but serves the same purpose. |
spoofable | boolean | false | Did this IP complete a three-way handshake with the GreyNoise sensor network? If false, indicates that traffic may be spoofed. |
tags | string list | [ "Carries HTTP Referer", "Cobalt Strike SSH Client", "Follows HTTP Redirects" ] | List of GreyNoise tags associated with the observed scanning behavior performed by this IP |
vpn | boolean | false | Data Enrichment - IP is a known VPN service IP |
vpn_service | string | PIA_VPN | If IP is a known VPN, the name of the associated VPN Service |
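
As an added example (not GreyNoise's own code), the Python below normalizes one response record for ingestion using only the field names and types in the table: it accepts `noise` for `seen`, either country field name, and ports given as string or int (the table types `raw_data.hassh.port` as string and the other ports as int). The `normalize` function, the output key names and the `SAMPLE` record are assumptions made for illustration.

```python
from datetime import date

# Field types as listed in the data dictionary table.
TOP_LEVEL = {"ip": str, "classification": str, "actor": str, "bot": bool,
             "vpn": bool, "spoofable": bool, "tags": list, "cve": list,
             "metadata": dict, "raw_data": dict}
CLASSIFICATIONS = {"benign", "unknown", "malicious"}

def normalize(record):
    """Return (flat, problems) for one Noise response record."""
    problems = [f"{k}: expected {t.__name__}" for k, t in TOP_LEVEL.items()
                if k in record and not isinstance(record[k], t)]
    cls = record.get("classification")
    if isinstance(cls, str) and cls not in CLASSIFICATIONS:
        problems.append(f"classification: unexpected value {cls!r}")
    meta, raw = (record.get(k) if isinstance(record.get(k), dict) else {}
                 for k in ("metadata", "raw_data"))
    flat = {
        "ip": record.get("ip"),
        "classification": cls,
        # The table notes that "seen" may also be returned as "noise".
        "seen": record.get("seen", record.get("noise")),
        # Country may arrive under either name listed in the table.
        "country": meta.get("country") or meta.get("source_country"),
        "country_code": meta.get("country_code") or meta.get("source_country_code"),
    }
    for field in ("first_seen", "last_seen"):
        try:
            flat[field] = date.fromisoformat(record[field])
        except (KeyError, TypeError, ValueError):
            flat[field] = None
            problems.append(f"{field}: missing or not YYYY-MM-DD")
    if flat["first_seen"] and flat["last_seen"] and flat["first_seen"] > flat["last_seen"]:
        problems.append("first_seen is later than last_seen")
    ports = set()
    for key in ("scan", "hassh", "ja3"):
        entries = raw.get(key)
        for entry in entries if isinstance(entries, list) else []:
            try:
                ports.add(int(entry["port"]))
            except (KeyError, TypeError, ValueError):
                problems.append(f"raw_data.{key}: bad port entry")
    flat["ports"] = sorted(ports)
    return flat, problems

# Constructed sample, built from the example values in the table.
SAMPLE = {"ip": "1.2.3.4", "noise": True, "classification": "unknown",
          "first_seen": "2021-11-23", "last_seen": "2021-12-31",
          "metadata": {"source_country": "Brazil", "source_country_code": "BR"},
          "raw_data": {"hassh": [{"port": "22"}], "ja3": [{"port": 8443}],
                       "scan": [{"port": 22, "protocol": "TCP"}]}}
```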