GreyNoise tags identify actors, tools, and CVEs, and more in our data. IPs can be labeled with one or more tag, and each tag can have a variety of IPs associated with it. Tags are not just limited to CVE based activity. They include behaviors, attribution, and unique traffic characteristics.
Actor tags describe the actor behind the activity, including commercial/enterprise entities, researchers, and universities.
Search Engine tags specifically identify crawlers such as Yandex, Bingbot, Baidu Spider. Search Engines are classified as "Benign" or "Unknown."
Tool tags can be anything from open-source scanning tools to programming language libraries, such as NMap, Nuclei, Metasploit, Paramiko, and Go HTTP. Tool category tags can be classified as "Unknown."
Worm tags describe computer Worms, including Mirai, Eternalblue, and SSH worm. These will always be classified as "Malicious."
Activity tags include crawlers, vulnerability checks & exploitation, authentication attempts, and other behaviors observed from interactions with our sensors.
See the intent of the activity, associated CVEs, and Contextual information to help you understand the nature of the classification.
View up to 30 days of history of observed IP activity matching the tag, and identify interesting changes.
Pivot to see all IPs that have been tagged, or configure a dynamic blocklists to block activity hitting your perimeter.
The GreyNoise Trends feature takes the lens that GreyNoise uses to view internet-wide scanning and focuses on the exploit, activity, or tool associated with a GreyNoise Tag.GreyNoise Tags are essentially a signature-based detection method. Tags cover five primary categories: Activity, Tool, Actor, Search Engine, or Worm.
GreyNoise Trends includes the ability to access a dynamic list of IPs that can be used in the Dynamic Block List feature in many of today's firewall products.The blocklist URL is tied to a specific GreyNoise tag, providing a dynamically updated list of IPs that have been observed scanning for the specific tag activity in the last 24 hours.
RIOT is a GreyNoise data set that informs users about IPs used by common business services that are almost certainly not attacking you.
Traditional threat intelligence feeds make an effort to enumerate the locations where the bad guys may be - RIOT is the exact opposite.
By The GreyNoise Team
GreyNoise tags are described in the documentation as “a signature-based detection method used to capture patterns and create subsets in our data.” The GreyNoise Research team is responsible for creating tags for vulnerabilities and activities seen in the wild by GreyNoise sensors.
By The GreyNoise Team
Read our blog post that discusses the limitations of blocking mass exploitation attacks as a viable security strategy and suggests alternative solutions.
By The GreyNoise Team
We introduce the latest version of GreyNoise Investigate, a tool that helps organizations defend against emerging cyber threats by providing actionable intelligence on IP addresses associated with threat activity.
Explore Our Data