Most Threat Intelligence feeds just give you “point in time” behavior. But IPs aren’t just ‘malicious’ or ‘benign’ - they can change behavior over time. When investigating an IP address involving a suspicious event from a week ago, you might need to ask: was this IP observed acting suspiciously at this point in time?
GreyNoise’s IP timeline capability helps you investigate, hunt, and perform incident response confidently, giving you up to 90 days of history for IPs we observe scanning and exploiting the internet.
See when a particular IP was first observed as part of a botnet or other scan-and-exploit infrastructure. Understand changes in tools, techniques and procedures used by actors.
Compare our IP timeline with events in your logs and alerts to validate hypotheses like: “This IP doesn’t seem to be acting suspicious right now, but it was attempting to scan and exploit us two weeks ago”
What is IP Timeline? Here we explain how to use the GreyNoise IP Timeline feature to visualize the historical activity of an IP address, including associated scan and attack traffic, and provides examples of different use cases.
Our technical documentation for the GreyNoise API endpoint that returns a summary of daily activity for a given IP address, including the number of scanners and distinct scan types observed.
By Brianna Cluck
Alongside the common fields of a GreyNoise IP address page’s located in the Visualizer (which include relevant DNS information, destination sites, and other data), GreyNoise now has a feature called the IP Timeline.
The IP Timeline provides context to 90 days of data collected on an IP displayed in timechart format. Users can correlate the behavior of an IP they have seen in their data, learn what schedule an IP operates on, or gain a greater understanding of ownership and behavioral changes.
The GreyNoise University - Product Overview training series covering the IP Timeline view, what it represents, and how you can utilize it.