Threat Hunting

Needle in the haystack. Found

Quickly identify anomalous behavior and catch targeted threats

Get a Demo

Overview

Effective threat hunting isn't just about finding more data, it’s about finding the right data. GreyNoise empowers your hunt team to adopt the PEAK Framework by correlating your internal traffic against our real-time map of internet-wide mass scanning.

By using GreyNoise to filter out opportunistic probes, benign scanners, and botnet noise, you reveal the statistically significant anomalies that represent targeted attacks. Stop chasing false positives and focus on the signals that actually threaten your perimeter.

How GreyNoise
Helps You Hunt Smarter

Focus effort on highest risks

Eliminate time-consuming research of benign and opportunistic scanning, allowing hunters to focus on infrastructure actually used by threat actors.

Supports threat research and hypothesis development

Hunters can use GreyNoise to conduct threat research, validate assumptions, and explore attack vectors in order to develop hypotheses.

Correlate isolated incidents

GreyNoise helps threat hunters link isolated incidents to larger campaigns by mapping attacker infrastructure and patterns, connecting logged IPs to those exploiting relevant vulnerabilities.

How GreyNoise Maps to the PEAK Hunting Framework

Explore Available Fields

Filter by category & search available IP fields and their uses with GreyNoise.
Categories
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
NAME
Description & Use
HTTP Method
HTTP methods used (e.g., GET, POST). Provides context on attacker request.
HTTP Path
Web paths targeted during scanning (e.g., /robots.txt, /admin). Reveals reconnaissance goals.
HTTP Request Authorization
Authorization headers observed in HTTP requests. May reveal brute-force attempts.
HTTP Request Cookies
Cookies included in HTTP requests. Adds context on reconnaissance or exploit attempts.
HTTP Request Headers
Headers used in HTTP requests. Useful for tool fingerprinting.
HTTP Request Origin
Origin IPs or addresses set in HTTP headers. May indicate spoofing.
HTTP Useragent
User-Agent strings observed. Useful for identifying attacker tools or crawlers.
Hassh Fingerprint
Fingerprint hash of SSH client behavior. Helps identify SSH attack tools.
Hassh Port
Port associated with observed SSH behavior. Adds protocol context.
ID
Unique tag identifier.
ID
Unique identifier for the record. Used to track and reference the vulnerability consistently across systems and reports.
IP
The observed IP address itself. Primary entity to investigate or correlate across alerts.
Intention
Tag’s intent classification: benign, malicious, suspicious, or unknown. Adds risk context.
JA3 Fingerprint
JA3 TLS fingerprint of client behavior. Useful for identifying attack tools, actors, botnets, and campaigns.
JA3 Port
Port associated with observed JA3 TLS activity.
Last Seen
Last date the IP was observed by GreyNoise sensors. Indicates recency of activity.
HTTP Method
HTTP methods used (e.g., GET, POST). Provides context on attacker request.
HTTP Path
Web paths targeted during scanning (e.g., /robots.txt, /admin). Reveals reconnaissance goals.
HTTP Request Authorization
Authorization headers observed in HTTP requests. May reveal brute-force attempts.
HTTP Request Cookies
Cookies included in HTTP requests. Adds context on reconnaissance or exploit attempts.
HTTP Request Headers
Headers used in HTTP requests. Useful for tool fingerprinting.
HTTP Request Origin
Origin IPs or addresses set in HTTP headers. May indicate spoofing.
HTTP Useragent
User-Agent strings observed. Useful for identifying attacker tools or crawlers.
Hassh Fingerprint
Fingerprint hash of SSH client behavior. Helps identify SSH attack tools.
Hassh Port
Port associated with observed SSH behavior. Adds protocol context.
ID
Unique tag identifier.
ID
Unique identifier for the record. Used to track and reference the vulnerability consistently across systems and reports.
IP
The observed IP address itself. Primary entity to investigate or correlate across alerts.
Intention
Tag’s intent classification: benign, malicious, suspicious, or unknown. Adds risk context.
JA3 Fingerprint
JA3 TLS fingerprint of client behavior. Useful for identifying attack tools, actors, botnets, and campaigns.
JA3 Port
Port associated with observed JA3 TLS activity.
Last Seen
Last date the IP was observed by GreyNoise sensors. Indicates recency of activity.

Find your needle.

Get a demo
Search for free
Products
Partners
Resources
Company
© 2025 GreyNoise, Inc. All rights reserved.
YouTube logoJoin us on Slack!Discord logoTikTok logo