DETECTION & RESPONSE

Speed Up
Incident Investigations

Accelerate detection and response times with GreyNoise threat context

Get a Demo

Overview

GreyNoise accelerates investigations by adding context on IPs and CVEs seen in mass scanning and exploitation campaigns. This enrichment speeds triage, reduces manual work, and helps SOC teams more effectively investigate timelines and the scope of incidents.

How GreyNoise Speeds Up Investigations

Enriched Threat Context

GreyNoise shows whether an IP is scanning broadly or targeting specific systems, helping analysts gauge threat levels.

Identify Exploitation Attempts

CVE tags reveal which vulnerabilities are being exploited and which assets are likely targeted.

Map Attack Infrastructure

GreyNoise links IPs, ASNs, and behaviors so analysts can pivot and see the broader campaign.

Strengthen Containment Decisions

Intelligence on attacker infrastructure helps teams decide when to block, monitor, or expand containment.

Speed Up Timeline Construction

Data on first seen, last seen, and behavior give provides evidence for accurate incident timelines.

Better Documentation and Reporting

Enriched incident reports clarify what happened and why it matters.

How it Works

Explore Available Fields

Filter by category & search available IP fields and their uses with GreyNoise.
Categories
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
NAME
Description & Use
Slug
Short identifier for the tag. Useful in queries and API lookups.
Source Bytes
Number of bytes sent from source IP. Useful for traffic analysis.
Source Country
Country where the IP is registered. Provides attacker infrastructure location context.
Source Country Code
ISO country code for the IP’s registration country.
Source Country Count
Count of IPs originating from each country. Useful for geo-distribution of attacks.
Source Latitude
Latitude of IP’s registered location. Useful for geo-mapping.
Source Longitude
Longitude of IP’s registered location. Useful for geo-mapping.
Spoofable
Shows whether the IP completed a valid TCP handshake. If false, traffic may be spoofed or fake.
Spoofable Count
Count of spoofable vs. non-spoofable IPs. Highlights volume of potentially fake traffic.
Tags Count
Count of IPs associated with specific tags. Helps identify common behaviors at scale.
Timeline
Key timeline details about when the CVE was published, updated, and added to CISA (https://www.cisa.gov/known-exploited-vulnerabilities-catalog). Useful for understanding how long the issue has been known.
Timeline CISA KEV Date Added
Date the vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Vulnerabilities in KEV should be prioritized for remediation per federal guidance.
Timeline CVE Last Updated Date
The last date the CVE entry was updated in the database. Useful for tracking changes in severity, affected products, or exploit status.
Timeline CVE Published Date
The date the CVE was first published. Helps determine how long attackers have potentially been aware of the vulnerability.
Timeline First Known Published Date
Date when the first exploit associated with the CVE was published.
Tor
Identifies if the IP is a Tor exit node. Tor traffic often indicates obfuscation or anonymization.
ASN
Autonomous System Number routing the IP. Helps group malicious infrastructure.
ASN Count
Count of IPs grouped by ASN. Supports ASN-level threat analysis.
Actor
Known or attributed owner/operator of the IP (e.g., research org, ISP, hosting provider). Useful for attribution.
Actor Count
Aggregated count of IPs per actor. Supports statistical analysis of actors.
Bot
Flags whether the IP is part of known botnet activity. Helps detect automated scanning or malware distribution.
CVEs
CVEs tied to the tag behavior. Critical for identifying exploitation of known vulnerabilities.
Category
High-level network type (e.g., hosting, ISP, enterprise).
Category Count
Aggregated count of IPs per category (hosting, ISP, etc.). Highlights infrastructure trends.
City
Registered city of the IP. Useful for geolocation context and pivoting.
Classification
GreyNoise’s judgment of the IP’s intent: benign, malicious, suspicious, or unknown. Most useful filter for triage.
Classification Count
Aggregated count of IPs per classification. Useful for threat landscape analysis.
Created At
Date the tag was first added. Indicates when this behavior was first observed.
Description
Human-readable explanation of what the tag represents. Adds analyst context.
Destination ASNs
List of ASNs targeted by the IP. Helps show which networks are being scanned.
Destination Cities
List of cities where scanning traffic was observed. Useful for geo-targeting analysis.
Destination Countries
Countries where GreyNoise sensors saw this IP scanning. Indicates target geography.

Cut the Noise. Close the Case.

Get a demo
Search for free
Products
Partners
Resources
Company
© 2025 GreyNoise, Inc. All rights reserved.
YouTube logoJoin us on Slack!Discord logoTikTok logo