Understanding GreyNoise Enrichments

GreyNoise appends a set of enrichments to our Noise data (IPs observed scanning the internet) to add context and actionable intelligence, most of it sourced through partnerships with third-party providers. This document describes each of those enrichments: what it is, who supplies the data, and how to use it in an investigation.

GeoIP

GeoIP enrichment is provided for every IP and includes ASN and region information.

What is it?

An enrichment that indicates where an IP address is believed to be located, derived from the registration information available for the address block. Because it is registration-based, it reflects where the block is registered or announced, not necessarily where the device physically sits.

Who provides it?

This data is provided via partnership with IPINFO.

What do you do with it?

GeoIP information identifies the ASN the IP is registered under and the country and region associated with it. Use it to group related scanners by network operator, to spot traffic from networks or regions that have no business reason to reach you, and to decide whether a block or alert should target a single IP or a whole ASN. Treat the location as context for the investigation, not as proof of the actor's physical whereabouts.

TOR

A TOR flag is added to any IP known to be a Tor exit node.

What is it?

An enrichment that indicates whether an IP address is a known Tor exit node.

Who provides it?

This data is provided by the Tor Project's exit-node list at https://check.torproject.org/

What do you do with it?

Adversaries commonly route traffic through Tor to hide their origin. When this flag is set, the IP is the exit relay, not the adversary's own infrastructure: the traffic cannot be attributed to the operator of this IP, and the same exit is shared by many unrelated Tor users at once. Treat the IP as an anonymization service the actor is using, and expect any block or alert on it to affect other Tor users as well.

VPN

A VPN flag is added to any IP known to be an egress point of a VPN service. The name of the VPN service is included as well.

What is it?

An enrichment that indicates whether an IP address belongs to a commercial VPN provider's infrastructure, and if so, which provider.

Who provides it?

This data is provided via partnership with Spur.

What do you do with it?

Like Tor, VPN services are commonly used by adversaries to hide their origin. When this flag is set, the IP is the provider's egress server, not the adversary's own infrastructure: the traffic cannot be attributed to the operator of this IP, and the same egress is shared by the provider's other customers. The included service name lets you recognize repeat use of one provider across incidents and assess the collateral impact of blocking that provider's address space.

BOT

A BOT flag is added to any IP known to be associated with common bot activity.

What is it?

An enrichment that indicates whether an IP address is known to be associated with common bot activity.

Who provides it?

This data is provided via partnership with Kasada.

What do you do with it?

This flag indicates that the IP is part of a bot network of some kind being used by an adversary. It does not identify the adversary: a bot is usually a compromised or rented host, so the owner of the IP is rarely the actor, and attribution depends on identifying who controls the botnet. Additional information on these botnets may be available from our partner, Kasada.
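The four enrichments above answer the same triage question: can traffic from this IP be attributed to the owner of the IP, or is the IP a relay, egress or bot that merely masks the actor? The following script, added here as an illustration and not GreyNoise code, applies the reasoning from the GeoIP, TOR, VPN and BOT sections to a handful of constructed records. The record layout mirrors a context-style JSON lookup result, but the field names (metadata.tor, vpn, vpn_service, bot, metadata.asn, metadata.country) are assumptions for this example and should be checked against the response your GreyNoise integration actually returns.

```python
"""Triage GreyNoise-style enrichment flags.

Added example, not GreyNoise code. Field names below (metadata.tor, vpn,
vpn_service, bot, metadata.asn, metadata.country) are assumptions; verify
them against the real API response before relying on this logic.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Any, Dict, List

# Constructed sample records (RFC 5737 documentation addresses, made-up ASNs).
# These are NOT real GreyNoise output.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"ip": "203.0.113.10", "classification": "malicious",
     "bot": False, "vpn": False, "vpn_service": None,
     "metadata": {"asn": "AS64496", "country": "US", "tor": True}},
    {"ip": "198.51.100.7", "classification": "unknown",
     "bot": False, "vpn": True, "vpn_service": "ExampleVPN",
     "metadata": {"asn": "AS64497", "country": "NL", "tor": False}},
    {"ip": "192.0.2.33", "classification": "malicious",
     "bot": True, "vpn": False, "vpn_service": None,
     "metadata": {"asn": "AS64498", "country": "BR", "tor": False}},
    {"ip": "192.0.2.99", "classification": "malicious",
     "bot": False, "vpn": False, "vpn_service": None,
     "metadata": {"asn": "AS64499", "country": "DE", "tor": False}},
]


@dataclass
class Triage:
    ip: str
    asn: str
    country: str
    anonymized: bool      # Tor exit or VPN egress: a relay, not the actor's host
    bot: bool             # member of a bot network
    attributable: bool    # may the IP owner be treated as the actor?
    notes: List[str] = field(default_factory=list)


def triage(record: Dict[str, Any]) -> Triage:
    """Derive an attribution verdict from the enrichment flags on one record."""
    meta = record.get("metadata") or {}          # tolerate records with no metadata
    tor = bool(meta.get("tor"))
    vpn = bool(record.get("vpn"))
    bot = bool(record.get("bot"))
    notes: List[str] = []
    if tor:
        notes.append("Tor exit node: act on the traffic, not on the node operator; "
                     "blocking affects all Tor users sharing this exit")
    if vpn:
        provider = record.get("vpn_service") or "unknown provider"
        notes.append(f"VPN egress ({provider}): shared egress, same caveat as Tor")
    if bot:
        notes.append("bot-network member: IP owner is likely a victim; "
                     "attribution needs botnet ownership, not this IP")
    if not meta:
        notes.append("no GeoIP metadata present; flags defaulted to false")
    anonymized = tor or vpn
    return Triage(
        ip=record["ip"],
        asn=meta.get("asn", "unknown"),
        country=meta.get("country", "unknown"),
        anonymized=anonymized,
        bot=bot,
        attributable=not (anonymized or bot),
        notes=notes,
    )


def attributable_ips(records: List[Dict[str, Any]]) -> List[str]:
    """IPs whose owner may reasonably be treated as the source of the activity."""
    return [t.ip for t in map(triage, records) if t.attributable]


def summarize_by_asn(records: List[Dict[str, Any]]) -> Dict[str, int]:
    """Count records per registered ASN (the GeoIP grouping used in investigations)."""
    return dict(Counter(triage(r).asn for r in records))


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        t = triage(r)
        verdict = "attributable" if t.attributable else "masked"
        print(f"{t.ip:<14} {t.asn:<8} {t.country:<3} {verdict}")
        for n in t.notes:
            print(f"    - {n}")
    print("by ASN:", summarize_by_asn(SAMPLE_RECORDS))
```

Only the fourth record survives as attributable: the Tor exit and the VPN egress are shared infrastructure, and the bot is most likely a compromised host, so in each of those cases the IP's owner is not the actor. The ASN summary is the GeoIP view the page recommends, grouping scanners by network operator before deciding how broad a block should be.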

Issue with our data?

If you believe you have found an error in the enrichment data for one of our IPs, please contact [email protected] so that we can investigate right away.