Alert REDUCTION

Not all alerts are created equal

Filter out noisy, low priority and false-positive alerts from mass internet scanners

Get a Demo

Overview

The internet is noisy. Thousands of mass scanners scan the internet every minute, some for legitimate reasons, others to build victim pipelines. Advanced threat actors intentionally create noise to obfuscate more targeted attacks. This creates an unprecedented flood of alerts for your security team.

GreyNoise reduces alert fatigue by classifying IPs as benign, malicious, or suspicious. This instantly separates noise from real threats. Benign traffic can be deprioritized, malicious and suspicious activity escalated for investigation.

How GreyNoise Helps
Reduce Noise in Your SOC

Reduce Alert Fatigue

By classifying benign sources, GreyNoise eliminates noise from the alert triage queue, preventing wasted analyst time.

Escalate Confirmed Threats

Alerts tied to IPs classified as malicious—such as active exploitation, malware distribution, or botnet activity—can be automatically prioritized.

Smarter Automation

SOC playbooks can use GreyNoise classifications and tags to automate alert routing.

Block Unsolicited Scan Traffic

Use GreyNoise query-based, dynamic IP blocklists to block unsolicited scanning and reduce SOC noise.

How it Works

Explore Available Fields

Filter by category & search available IP fields and their uses with GreyNoise.
Categories
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
NAME
Description & Use
ID
Unique tag identifier.
IP
The observed IP address itself. Primary entity to investigate or correlate across alerts.
Intention
Tag’s intent classification: benign, malicious, suspicious, or unknown. Adds risk context.
Last Seen
Last date the IP was observed by GreyNoise sensors. Indicates recency of activity.
Last Seen Timestamp
Exact date and time the IP was last observed. Enables timeline reconstruction in investigations.
Mobile
Indicates if the IP belongs to a mobile/cellular network.
Name
Display name of the tag. Analyst-facing label for quick recognition.
Organization
Organization responsible for the IP. Adds enrichment for attribution.
Organization Count
Count of IPs linked to each organization. Useful for assessing exposure by provider.
RDNS
Reverse DNS value for the IP. May reveal hostnames tied to services or campaigns.
RDNS Parent
Parent domain of the reverse DNS. Useful for clustering infrastructure.
Recommended Block
Indicates whether IPs with this tag should be blocked. Supports automated policy decisions.
References
References (e.g., CVE pages, docs) supporting the tag. Provides analyst enrichment sources.
Region
State/province where the IP is registered. Adds sub-country geolocation context.
Single Destination
True if the IP only scanned one country. Suggests targeted reconnaissance.
Slug
Short identifier for the tag. Useful in queries and API lookups.
ID
Unique tag identifier.
IP
The observed IP address itself. Primary entity to investigate or correlate across alerts.
Intention
Tag’s intent classification: benign, malicious, suspicious, or unknown. Adds risk context.
Last Seen
Last date the IP was observed by GreyNoise sensors. Indicates recency of activity.
Last Seen Timestamp
Exact date and time the IP was last observed. Enables timeline reconstruction in investigations.
Mobile
Indicates if the IP belongs to a mobile/cellular network.
Name
Display name of the tag. Analyst-facing label for quick recognition.
Organization
Organization responsible for the IP. Adds enrichment for attribution.
Organization Count
Count of IPs linked to each organization. Useful for assessing exposure by provider.
RDNS
Reverse DNS value for the IP. May reveal hostnames tied to services or campaigns.
RDNS Parent
Parent domain of the reverse DNS. Useful for clustering infrastructure.
Recommended Block
Indicates whether IPs with this tag should be blocked. Supports automated policy decisions.
References
References (e.g., CVE pages, docs) supporting the tag. Provides analyst enrichment sources.
Region
State/province where the IP is registered. Adds sub-country geolocation context.
Single Destination
True if the IP only scanned one country. Suggests targeted reconnaissance.
Slug
Short identifier for the tag. Useful in queries and API lookups.

Reclaim Your SOC

Get a demo
Search for free
Products
Partners
Resources
Company
© 2025 GreyNoise, Inc. All rights reserved.
YouTube logoJoin us on Slack!Discord logoTikTok logo