Understanding RIOT

What is RIOT?

RIOT is a GreyNoise dataset that gives users context about IP addresses tied to common business services. It adds identification information to an IP address and enables practitioners to make decisions about IPs based on which business service infrastructure they are using. Typical uses include filtering known IPs out of logs, identifying outbound connections to unidentified services, validating IP addresses before they are added to firewall blocklists, and giving analysts general context so they can make decisions faster.

How did we create RIOT?

RIOT tracks the IP space of common business services such as CDNs, update servers, public DNS and NTP services, SaaS APIs, and cloud security products. Our engineering and research teams have implemented several tactics and methods to acquire, track, curate, and age off RIOT data over time. The data is refreshed regularly to ensure that the list contains the most up-to-date information for each one of the providers included in the dataset.

What is RIOT not?

RIOT is not a safe list or allow list and should not be used as a network Access Control List. It does not provide insight into activities related to specific IP addresses or their classification. RIOT is not an IP enrichment service that aims to provide geolocation or organizational ownership.

RIOT Trust Levels

RIOT data is separated into two trust levels: Level 1 and Level 2. Trust Levels within the GreyNoise RIOT dataset help to provide analysts with context about how much they can trust an IP address, knowing which business service it belongs to. You can read more details here.

RIOT Responses in API

Enterprise RIOT API

{
  "ip": "8.8.8.8",
  "riot": true,
  "category": "public_dns",
  "name": "Google Public DNS",
  "description": "Google's global domain name system (DNS) resolution service.",
  "explanation": "Public DNS services are used as alternatives to ISP's name servers. You may see devices on your network communicating with Google Public DNS over port 53/TCP or 53/UDP to resolve DNS lookups.",
  "last_updated": "2024-12-12T13:11:04Z",
  "reference": "https://developers.google.com/speed/public-dns/docs/isp#alternative",
  "trust_level": "1"
}

Community API

{
    "ip": "8.8.8.8",
    "noise": true,
    "riot": true,
    "classification": "unknown",
    "link": "https://viz.greynoise.io/ip/8.8.8.8",
    "last_seen": "2024-12-08",
    "message": "Success"
}

Sources + Examples

We have 59 million IPs currently in our RIOT dataset. (As of Nov. 2024)

Examples

Google Public DNS - https://viz.greynoise.io/ip/8.8.8.8

GitHub - https://viz.greynoise.io/ip/18.213.123.130

Pingdom - https://viz.greynoise.io/ip/64.237.55.3

Zscaler - https://viz.greynoise.io/ip/185.46.212.0

Datadog - https://viz.greynoise.io/ip/3.233.144.0

Cloudflare - https://viz.greynoise.io/ip/103.21.244.0

Atlassian - https://viz.greynoise.io/ip/18.136.214.96

Can an IP address exist in both the Internet Scanner (Noise) and Common Business Service (RIOT) datasets?

Yes. In some cases we observe internet scanning from infrastructure that is tied to a common business service, such as scanning that comes out of infrastructure operated by Google or Amazon. In these situations, because the Internet Scanner (Noise) dataset provides insight into observed activity, it should be applied first in the analysis and evaluation of an IP; the Common Business Service (RIOT) dataset can then be used as additional context.
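
The evaluation order described above, applied to the blocklist-validation use case, as an added example (not GreyNoise code). It reads dictionaries shaped like the two API responses shown on this page and makes no network calls; the function name, the "block"/"review" actions, the policy itself and the 203.0.113.7 record are assumptions made for illustration.

```python
# Added example, not GreyNoise code. Field names follow the two JSON responses
# on this page; the "block"/"review" actions and the policy are assumptions.

def triage_blocklist_candidate(community, riot_detail=None):
    """Return (action, reasons) for an IP proposed for a firewall blocklist.

    community   -- dict shaped like the Community API response
    riot_detail -- optional dict shaped like the Enterprise RIOT API response
    """
    action, reasons = "block", []

    # Step 1: Noise (observed activity) is evaluated first.
    if community.get("noise"):
        cls = community.get("classification", "unknown")
        reasons.append(f"noise: scanning observed, classification={cls}")
        if cls == "benign":
            action = "review"
    else:
        reasons.append("noise: no internet scanning observed")

    # Step 2: RIOT is additional context. It never becomes "allow" (RIOT is
    # not an allow list); it only stops an automatic block.
    if community.get("riot"):
        action = "review"
        if riot_detail and riot_detail.get("ip") == community.get("ip"):
            reasons.append("riot: {} ({}), trust_level={}".format(
                riot_detail.get("name", "unnamed service"),
                riot_detail.get("category", "uncategorized"),
                riot_detail.get("trust_level", "not given")))
        else:
            reasons.append("riot: common business service, details not supplied")
    return action, reasons

# Values copied from the responses shown on this page.
PAGE_COMMUNITY = {"ip": "8.8.8.8", "noise": True, "riot": True,
                  "classification": "unknown"}
PAGE_RIOT = {"ip": "8.8.8.8", "riot": True, "category": "public_dns",
             "name": "Google Public DNS", "trust_level": "1"}
# Constructed record (documentation address range), not real GreyNoise data.
CONSTRUCTED_SCANNER = {"ip": "203.0.113.7", "noise": True, "riot": False,
                       "classification": "malicious"}

if __name__ == "__main__":
    for rec, detail in ((PAGE_COMMUNITY, PAGE_RIOT), (CONSTRUCTED_SCANNER, None)):
        action, reasons = triage_blocklist_candidate(rec, detail)
        print(rec["ip"], action, "; ".join(reasons))
```

An IP that is in both datasets comes back as "review" with the Noise reason listed before the RIOT reason, so the analyst sees the observed activity first and the business-service context second.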