DETECTION & RESPONSE

Speed Up
Incident Investigations

Accelerate detection and response times with GreyNoise threat context

Get a Demo

Overview

GreyNoise accelerates investigations by adding context on IPs and CVEs seen in mass scanning and exploitation campaigns. This enrichment speeds triage, reduces manual work, and helps SOC teams more effectively investigate timelines and the scope of incidents.

How GreyNoise Speeds Up Investigations

Enriched Threat Context

GreyNoise shows whether an IP is scanning broadly or targeting specific systems, helping analysts gauge threat levels.

Identify Exploitation Attempts

CVE tags reveal which vulnerabilities are being exploited and which assets are likely targeted.

Map Attack Infrastructure

GreyNoise links IPs, ASNs, and behaviors so analysts can pivot and see the broader campaign.

Strengthen Containment Decisions

Intelligence on attacker infrastructure helps teams decide when to block, monitor, or expand containment.

Speed Up Timeline Construction

Data on first seen, last seen, and behavior give provides evidence for accurate incident timelines.

Better Documentation and Reporting

Enriched incident reports clarify what happened and why it matters.

How it Works

Explore Available Fields

Filter by category & search available IP fields and their uses with GreyNoise.
Categories
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
NAME
Description & Use
Last Seen
Last date the IP was observed by GreyNoise sensors. Indicates recency of activity.
Last Seen Timestamp
Exact date and time the IP was last observed. Enables timeline reconstruction in investigations.
Mobile
Indicates if the IP belongs to a mobile/cellular network.
Name
Display name of the tag. Analyst-facing label for quick recognition.
Organization
Organization responsible for the IP. Adds enrichment for attribution.
Organization Count
Count of IPs linked to each organization. Useful for assessing exposure by provider.
Port
Port observed in scanning activity. Useful for identifying targeted services.
Protocol
Protocol (e.g., TCP/UDP) used in scanning activity. Adds layer-4 context.
RDNS
Reverse DNS value for the IP. May reveal hostnames tied to services or campaigns.
RDNS Parent
Parent domain of the reverse DNS. Useful for clustering infrastructure.
Recommended Block
Indicates whether IPs with this tag should be blocked. Supports automated policy decisions.
References
References (e.g., CVE pages, docs) supporting the tag. Provides analyst enrichment sources.
Region
State/province where the IP is registered. Adds sub-country geolocation context.
Sensor Count
Number of distinct sensors that saw the IP. Higher values indicates wider scanning footprint.
Sensor Hits
Total number of events GreyNoise sensors recorded from this IP. Indicates activity volume.
Single Destination
True if the IP only scanned one country. Suggests targeted reconnaissance.
Destination Countries Count
Count of IPs targeting specific countries. Supports geo-threat monitoring.
Destination Country Codes
ISO codes for countries targeted by scanning. Supports correlation with geo-based IOCs.
Details
Basic CVE details, including CVSS score (Common Vulnerability Scoring System), associated products & vendors, and NIST CVE recognition status. Provides context on the vulnerability itself.
Details CVE CVSS Score
CVSS score assigned to the CVE. Commonly used in risk scoring but should be weighed alongside exploitation activity.
Details Product
The product affected by the vulnerability (e.g., Apache HTTP Server). Used to match against an organization’s asset inventory for prioritization.
Details Published to NIST NVD
Indicates if the vulnerability is published in the NIST National Vulnerability Database. Confirms official recognition and ensures compatibility with standard risk feeds.
Details Vendor
The vendor or developer responsible for the affected product. Helps map vulnerabilities to vendor patch advisories and SLAs.
Details Vulnerability Description
Summary of what the vulnerability is and how it works. Helps analysts understand potential impact and determine exploitability in their environment.
Details Vulnerability Name
Human-readable name of the vulnerability. Practitioners use this for quick recognition when scanning advisories.
Domain
Domain tied to the ASN owner. Provides higher-level ownership context.
Exploitation Activity
Observed IPs scanning or exploiting the vulnerability today, in the last 10 days, and the last 30 days.
Exploitation Activity Benign IP Count (10d)
Total number of benign IPs GreyNoise observed scanning or exploiting this vulnerability in the last 10 days.
Exploitation Activity Benign IP Count (1d)
Total number of benign IPs GreyNoise observed scanning or exploiting this vulnerability today.
Exploitation Activity Benign IP Count (30d)
Total number of benign IPs GreyNoise observed scanning or exploiting this vulnerability in the last 30 days.
Exploitation Activity Seen
Whether GreyNoise has observed activity related to this CVE.
Exploitation Activity Threat IP Count (10d)
Total number of threat IPs GreyNoise observed scanning or exploiting this vulnerability in the last 10 days.

Cut the Noise. Close the Case.

Get a demo
Search for free
Products
Partners
Resources
Company
© 2025 GreyNoise, Inc. All rights reserved.
YouTube logoJoin us on Slack!Discord logoTikTok logo