IP Timeline

Most Threat Intelligence feeds just give you “point in time” behavior. But IPs aren’t just ‘malicious’ or ‘benign’ - they can change behavior over time. When investigating an IP address involving a suspicious event from a week ago, you might need to ask: was this IP observed acting suspiciously at this point in time?

GreyNoise’s IP timeline capability helps you investigate, hunt, and perform incident response confidently, giving you up to 90 days of history for IPs we observe scanning and exploiting the internet.

Identify patterns in IP scanning behavior over time.

Was this IP acting maliciously a week ago when I saw the timestamp in my logs?
Has this IP changed its behavior recently (started scanning or exploiting) because it was compromised?

Distinguish automation from manual scan and attack behavior.

Does the pattern of behavior indicate this is being done manually by a threat actor, or is this happening at regular intervals that hint at automation in play?
A screenshot of the IP timeline feature in the GreyNoise visualizer.

With IP Timeline, you can:

Track changes in intent

Easily see when classification changed from unknown, malicious, and benign.

Track changes in behavior

Track when an IP moved from reconnaissance activity to exploitation activity, including which services they were targeting and what specific web activity they were conducting.

See historical activity records across multiple data points

We provide history of tags, reverse DNS, ASN, ports scanned, web activity we see, and more.

Cyber Threat Intelligence Analysts

Identify historical threat actor infrastructure and patterns.

See when a particular IP was first observed as part of a botnet or other scan-and-exploit infrastructure. Understand changes in tools, techniques and procedures used by actors.

Threat Hunters

Make accurate investigation decisions.

Compare our IP timeline with events in your logs and alerts to validate hypotheses like: “This IP doesn’t seem to be acting suspicious right now, but it was attempting to scan and exploit us two weeks ago”

Ready to investigate more confidently with IP Timeline?


Documentation guides

Featured content