Understanding GreyNoise Datasets

GreyNoise produces two datasets of IP information that can be used for threat enrichment. The following article provides a basic overview of each dataset and its best uses.

Internet Scanner Intelligence (formerly Noise) Dataset

What is it?

GreyNoise’s internet-wide sensor network passively collects packets from the hundreds of thousands of IPs seen scanning the internet every day. Companies like Shodan and Censys, as well as researchers and universities, scan in good faith to help uncover vulnerabilities for network defense. Others scan with potentially malicious intent. GreyNoise analyzes and enriches this data to identify behavior, methods, and intent, giving analysts the context to take action.

When is it best to query it?

The Internet Scanner Intelligence dataset is best used to enrich log events on your environment's perimeter and public, internet-facing devices. This data can help determine whether this activity is happening across the internet or is targeted specifically at your organization.

Business Services Intelligence (formerly RIOT) Dataset

What is it?

Business Services Intelligence provides context for communications between your users and common business applications (e.g., Microsoft 365, Google Workspace, and Slack), as well as services such as CDNs and public DNS servers. These applications communicate through unpublished or dynamic IPs, making them difficult for security teams to track. Without context, this harmless behavior distracts security teams from investigating true threats.

When is it best to query it?

The Business Services Intelligence dataset is best used to filter outbound traffic leaving your network. It can be used to determine which traffic is going to known services, so you can focus on connections to unknown IPs.

Business Services Intelligence can also be very helpful as a pre-filter for IPs submitted to blocklists, ensuring you do not accidentally block a critical business service for your organization.
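
The sketch below is an added example, not GreyNoise code or its API, showing how the guidance above maps onto log triage: inbound perimeter events are checked against scanner data, outbound events against business-services data, and blocklist candidates are pre-filtered. The two dictionaries are constructed in-memory stand-ins for the datasets, the field names and verdict strings are hypothetical, and 10.0.0.0/8 is assumed to be the internal network.

```python
import ipaddress

# Constructed stand-ins for the two datasets: documentation-range IPs and
# hypothetical field names, not real GreyNoise records or API responses.
SCANNER_INTEL = {
    "192.0.2.10": {"intent": "benign"},
    "192.0.2.66": {"intent": "malicious"},
}
BUSINESS_SERVICES = {
    "198.51.100.5": "example-collab-suite",
    "198.51.100.53": "example-public-dns",
}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(event):
    """Choose the dataset by traffic direction; return (remote_ip, verdict)."""
    src, dst = event["src"], event["dst"]
    if is_internal(src) and not is_internal(dst):
        # Outbound: set aside known business services, keep unknown IPs in view.
        service = BUSINESS_SERVICES.get(dst)
        return dst, (f"known-service:{service}" if service else "unknown-destination")
    if not is_internal(src) and is_internal(dst):
        # Inbound at the perimeter: internet-wide scanning vs. possibly targeted.
        record = SCANNER_INTEL.get(src)
        if record:
            return src, f"internet-wide-scan:{record['intent']}"
        return src, "not-seen-scanning"
    return src, "out-of-scope"  # internal-to-internal or external-to-external


def prefilter_blocklist(candidates):
    """Split blocklist candidates into (safe_to_block, held_for_review)."""
    block, hold = [], []
    for ip in candidates:
        (hold if ip in BUSINESS_SERVICES else block).append(ip)
    return block, hold


if __name__ == "__main__":
    for ev in [{"src": "192.0.2.10", "dst": "10.0.0.5"},
               {"src": "203.0.113.7", "dst": "10.0.0.5"},
               {"src": "10.0.0.8", "dst": "198.51.100.5"}]:
        print(triage(ev))
    print(prefilter_blocklist(["192.0.2.66", "198.51.100.53"]))
```

An inbound source that returns `not-seen-scanning` is the case worth an analyst's attention, since nothing indicates the activity is happening across the internet.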