Understanding RIOT

What is RIOT?

RIOT is a new GreyNoise feature that informs users about IPs used by common business services that are almost certainly not attacking you. Traditional threat intelligence feeds make an effort to enumerate the locations where the bad guys may be; RIOT is the exact opposite. RIOT enables security practitioners to quickly rule out the logs and events in their security telemetry that are generated by common business services.

Why does RIOT exist?

There are countless security products telling you where the threats are and remarkably few products telling you where the threats probably are not. This product is aimed towards helping analysts become more efficient. RIOT allows an analyst to quickly ask the question “what would this log file look like without all of the noise?”.

How did we create RIOT?

RIOT tracks the IP space of common business services such as CDNs, update servers, public DNS and NTP services, SaaS APIs, and cloud security products. Our engineering and research teams have implemented a number of tactics and methods to acquire, track, curate, and age-off RIOT data over time.

What is RIOT not?

RIOT is not a safe list or allow list and should not be used as a network Access Control List. RIOT is not completely conclusive and will be continuously updated over time. RIOT is not a silver bullet, and the networks we report as benign could potentially be compromised by a sufficiently advanced attacker. RIOT is not an IP enrichment service that aims to provide geolocation or organizational ownership for all IPs (only ones that we determine are more than likely not dangerous).

RIOT Trust Levels

RIOT data is separated into two trust levels: Level 1 and Level 2. Trust Levels within the GreyNoise RIOT dataset help to provide analysts with context about how much they can trust an IP address, knowing which business service it belongs to. You can read more details here.

RIOT Responses in API

Enterprise RIOT API

{
  "ip": "8.8.8.8",
  "riot": true,
  "category": "public_dns",
  "name": "Google Public DNS",
  "description": "Google's global domain name system (DNS) resolution service.",
  "explanation": "Public DNS services are used as alternatives to ISP's name servers. You may see devices on your network communicating with Google Public DNS over port 53/TCP or 53/UDP to resolve DNS lookups.",
  "last_updated": "2022-03-30T14:59:30Z",
  "logo_url": "https://upload.wikimedia.org/wikipedia/commons/2/2f/Google_2015_logo.svg",
  "reference": "https://developers.google.com/speed/public-dns/docs/isp#alternative",
  "trust_level": "1"
}

Community API

{
  "ip": "8.8.8.8",
  "noise": false,
  "riot": true,
  "classification": "benign",
  "name": "Google Public DNS",
  "link": "https://viz.greynoise.io/riot/8.8.8.8",
  "last_seen": "2022-03-30",
  "message": "Success"
}
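The following added example (not GreyNoise code) shows one way to apply RIOT lookups to connection logs so that events are tagged and deprioritized rather than dropped, in line with RIOT not being an allow list. The lookup table and events are constructed, no API call is made, and treating only Level 1 as quiet is a policy assumption, since this page does not define the levels.

```python
import ipaddress

# Constructed lookup results keyed by IP, using field names from the
# Enterprise RIOT response above. No API call is made here.
RIOT_LOOKUPS = {
    "8.8.8.8": {"riot": True, "category": "public_dns",
                "name": "Google Public DNS", "trust_level": "1"},
    "198.51.100.20": {"riot": True, "category": "cdn",       # constructed
                      "name": "Example CDN", "trust_level": "2"},
    "203.0.113.7": {"riot": False},                          # constructed
}

# Constructed outbound connection events.
EVENTS = [
    {"src": "10.0.0.5", "dst": "8.8.8.8", "dport": 53},
    {"src": "10.0.0.5", "dst": "198.51.100.20", "dport": 443},
    {"src": "10.0.0.9", "dst": "203.0.113.7", "dport": 4444},
    {"src": "10.0.0.9", "dst": "192.0.2.44", "dport": 22},   # never looked up
    {"src": "10.0.0.9", "dst": "not-an-ip", "dport": 80},    # malformed field
]

# Assumption: only Level 1 is quiet; this page does not define the levels.
def triage(events, lookups, quiet_levels=("1",)):
    """Tag every event; only RIOT hits at a quiet trust level leave the
    review queue. Nothing is deleted, since RIOT is not an allow list."""
    deprioritized, review = [], []
    for event in events:
        tagged = dict(event, riot=False, riot_name=None, trust_level=None)
        try:
            key = str(ipaddress.ip_address(event["dst"]))
        except ValueError:
            review.append(tagged)          # unparseable address: keep visible
            continue
        hit = lookups.get(key)
        if hit and hit.get("riot") is True:
            # trust_level arrives as a JSON string ("1"), not an integer.
            level = str(hit.get("trust_level"))
            tagged.update(riot=True, riot_name=hit.get("name"), trust_level=level)
            if level in quiet_levels:
                deprioritized.append(tagged)
                continue
        review.append(tagged)              # unknown, non-RIOT, or lower trust
    return deprioritized, review

if __name__ == "__main__":
    quiet, todo = triage(EVENTS, RIOT_LOOKUPS)
    print(f"{len(quiet)} deprioritized, {len(todo)} left for review")
    for e in todo:
        print(e)
```

Deprioritized events keep their RIOT tags, so they remain searchable if a listed service is later found to be compromised.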

Sources + Examples

We have 59 million IPs currently in our RIOT dataset. (As of Oct. 2022)

Examples

Google Public DNS - https://viz.greynoise.io/ip/8.8.8.8

GitHub - https://viz.greynoise.io/ip/18.213.123.130

Pingdom - https://viz.greynoise.io/ip/64.237.55.3

Zscaler - https://viz.greynoise.io/ip/185.46.212.0

Datadog - https://viz.greynoise.io/ip/3.233.144.0

Cloudflare - https://viz.greynoise.io/ip/103.21.244.0

Atlassian - https://viz.greynoise.io/ip/18.136.214.96