Noise Response

Data Dictionary: Noise Response

This outlines the field types associated with the Noise IP Lookup and Multi-Lookup Endpoints and the Individual IP responses in the GNQL Endpoint.

| Field Name | Field Type | Example | Description |
|---|---|---|---|
| actor | string | unknown | The confirmed owner/operator of this IP address. |
| bot | boolean | false | Data Enrichment - IP is associated with known bot activity. |
| classification | string | unknown | IP Classification - possible options: benign, unknown, malicious |
| cve | string list | `["CVE-2021-38645", "CVE-2021-38647"]` | List of CVEs the IP has been observed scanning for or exploiting |
| first_seen | date | 2021-11-23 | Date of first observed behavior on the GreyNoise Sensor network (format: YYYY-MM-DD) |
| ip | string | 1.2.3.4 | IP address that information is about |
| last_seen | date | 2021-12-31 | Date of last observed behavior on the GreyNoise Sensor network (format: YYYY-MM-DD) |
| metadata | object | `{'asn': 'AS18881', 'city': 'Brasília', 'country': 'Brazil', 'country_code': 'BR', 'organization': 'Acme Inc', 'category': 'isp', 'tor': False, 'rdns': 'scanner.acme.inc', 'os': 'unknown', 'sensor_hits': 214, 'sensor_count': 20, 'region': 'Federal District', 'destination_countries': ['Belarus'], 'destination_country_codes': ['BY'], 'source_country': 'Brazil', 'source_country_code': 'BR'}` | Data Enrichment - Additional IP metadata |
| metadata.asn | string | AS37963 | Data Enrichment - IP's attached ASN |
| metadata.category | string | hosting | Data Enrichment - IP's attached category |
| metadata.city | string | Miami | Data Enrichment - IP's attached city |
| metadata.country OR metadata.source_country | string | United States | Data Enrichment - IP's attached country |
| metadata.country_code OR metadata.source_country_code | string | US | Data Enrichment - IP's attached country code |
| metadata.destination_countries | string list | `['Belarus']` | List of Countries where Sensors that received scanning traffic are located |
| metadata.destination_country_codes | string list | `['BY']` | List of Country Codes where Sensors that received scanning traffic are located |
| metadata.organization | string | FranTech Solutions | Data Enrichment - IP's attached organization |
| metadata.os | string | Linux 2.2-3.x | Data Enrichment - IP's attached operating system |
| metadata.sensor_hits | int | 210 | Number of scanning events observed |
| metadata.sensor_count | int | 20 | Number of sensors events were observed on |
| metadata.rdns | string | miamitor4.us | Data Enrichment - rDNS lookup for IP |
| metadata.region | string | Florida | Data Enrichment - IP's attached region |
| metadata.tor | boolean | true | Data Enrichment - IP is a known Tor exit node |
| raw_data | object | `{"hassh": [{"fingerprint": "a7a87fbe86774c2e40cc4a7ea2ab1b3c", "port": 22}], "ja3": [{"fingerprint": "19e29534fd49dd27d09234e639c4057e", "port": 8443}], "scan": [{"port": 22, "protocol": "TCP"}], "web": {"paths": ["/favicon.ico"], "useragents": ["Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"]}}` | Observed Activity captured by the GreyNoise sensor network |
| raw_data.hassh | object list | `[{"fingerprint": "a7a87fbe86774c2e40cc4a7ea2ab1b3c", "port": 22}]` | Observed HASSH activity |
| raw_data.hassh.fingerprint | string | a7a87fbe86774c2e40cc4a7ea2ab1b3c | HASSH Fingerprint captured |
| raw_data.hassh.port | string | 22 | Port observed activity occurred on |
| raw_data.ja3 | object list | `[{"fingerprint": "19e29534fd49dd27d09234e639c4057e", "port": 8443}]` | Observed JA3 activity |
| raw_data.ja3.fingerprint | string | 19e29534fd49dd27d09234e639c4057e | JA3 Fingerprint captured |
| raw_data.ja3.port | int | 8443 | Port observed activity occurred on |
| raw_data.scan | object list | `[{"port": 22, "protocol": "TCP"}]` | |
| raw_data.scan.port | int | 22 | Port observed activity occurred on |
| raw_data.scan.protocol | string | TCP | Protocol observed activity occurred on |
| raw_data.web | object | `{"paths": ["/favicon.ico"], "useragents": ["Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"]}` | Observed scanning activity occurred with these web objects |
| raw_data.web.paths | string list | `["/favicon.ico"]` | Observed scanning activity traversed this web path |
| raw_data.web.useragents | string list | `["Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"]` | Observed scanning activity used these user agents |
| seen | boolean | true | This IP was observed scanning the GreyNoise sensor network. May also be referenced as "noise" but serves the same purpose. |
| spoofable | boolean | false | Did this IP complete a three-way handshake with the GreyNoise sensor network? If false, indicates that traffic may be spoofed. |
| tags | string list | `["Carries HTTP Referer", "Cobalt Strike SSH Client", "Follows HTTP Redirects"]` | List of GreyNoise tags associated with the observed scanning behavior performed by this IP |
| vpn | boolean | false | Data Enrichment - IP is a known VPN service IP |
| vpn_service | string | PIA_VPN | If IP is a known VPN, the name of the associated VPN Service |
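
As an added example (not GreyNoise's own code), the following Python checks a Noise response record against the top-level field types listed above and flattens it into one row for an enrichment table. The function names, the `span_days` key and the sample record are assumptions made for illustration; the sample is constructed from the example values in the table.

```python
from datetime import datetime

# Top-level field types, taken from the data dictionary above.
FIELD_TYPES = {
    "actor": str, "bot": bool, "classification": str, "cve": list,
    "first_seen": str, "ip": str, "last_seen": str, "metadata": dict,
    "raw_data": dict, "seen": bool, "spoofable": bool, "tags": list,
    "vpn": bool, "vpn_service": str,
}
CLASSIFICATIONS = {"benign", "unknown", "malicious"}

def parse_day(value):
    """Parse a strict YYYY-MM-DD string; return None if it does not conform."""
    try:
        return datetime.strptime(value, "%Y-%m-%d").date() if len(value) == 10 else None
    except (TypeError, ValueError):
        return None

def validate(record):
    """Return a list of schema problems; an empty list means the record conforms."""
    problems = [f"{k}: expected {t.__name__}, got {type(record[k]).__name__}"
                for k, t in FIELD_TYPES.items()
                if k in record and not isinstance(record[k], t)]
    cls = record.get("classification")
    if isinstance(cls, str) and cls not in CLASSIFICATIONS:
        problems.append(f"classification: unexpected value {cls!r}")
    problems += [f"{k}: not a YYYY-MM-DD date" for k in ("first_seen", "last_seen")
                 if k in record and parse_day(record[k]) is None]
    return problems

def flatten(record):
    """Reduce a record to one flat row, e.g. for a SIEM enrichment table."""
    meta, raw = record.get("metadata", {}), record.get("raw_data", {})
    first, last = parse_day(record.get("first_seen")), parse_day(record.get("last_seen"))
    return {
        "ip": record.get("ip"), "classification": record.get("classification"),
        # The dictionary lists two alternative key names for the country code.
        "country_code": meta.get("country_code") or meta.get("source_country_code"),
        "cves": sorted(record.get("cve", [])),
        "ports": sorted({s["port"] for s in raw.get("scan", [])}),
        "span_days": (last - first).days if first and last else None,
    }

SAMPLE = {  # constructed sample, built from the example values in the table above
    "ip": "1.2.3.4", "classification": "unknown", "seen": True,
    "first_seen": "2021-11-23", "last_seen": "2021-12-31",
    "cve": ["CVE-2021-38647", "CVE-2021-38645"], "metadata": {"source_country_code": "BR"},
    "raw_data": {"scan": [{"port": 22, "protocol": "TCP"}]},
}
```

`validate(SAMPLE)` returns an empty list, and `flatten(SAMPLE)` resolves the country code from `source_country_code` because `country_code` is absent.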