GreyNoise Intelligence · Schema
InternetScannerIntelligence
Security · Threat Intelligence · Cybersecurity · IP Reputation · Vulnerability Management · Network Telemetry · SOC Automation · Public APIs
Properties
| Name | Type | Description |
|---|---|---|
| ip | string | IP address that the information is about. |
| seen | boolean | Whether or not the IP address has been observed by the GreyNoise sensor network. |
| classification | string | The classification of the IP address, either "benign", "malicious", or "unknown", based on the activity observed by GreyNoise. |
| first_seen | string | The earliest date GreyNoise observed any activity from this IP. |
| last_seen | string | The most recent date GreyNoise observed any activity from this IP. |
| last_seen_timestamp | string | The timestamp of the last observed activity from this IP. |
| found | boolean | Indicates if the IP was observed scanning the GreyNoise sensor network. Also referred to as 'noise'. |
| actor | string | The overt actor this IP is associated with. |
| spoofable | boolean | This IP address has been opportunistically scanning the Internet but has failed to complete a full TCP connection. Because no handshake was completed, the source address is unverified and any reported activity could be spoofed. |
| cves | array | A list of CVEs associated with this IP. |
| tor | boolean | Whether or not the device is a known Tor exit node. |
| vpn | boolean | This IP is associated with a VPN service. Activity, malicious or otherwise, should not be attributed to the VPN service provider. |
| vpn_service | string | Name of associated VPN Service. |
| metadata | object | |
| tags | object | |
| raw_data | object | Raw data observed directly by GreyNoise. |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://api-evangelist.github.io/greynoise/json-schema/greynoise-internet-scanner-intelligence-schema.json",
"title": "InternetScannerIntelligence",
"properties": {
"ip": {
"type": "string",
"description": "IP address that the information is about.",
"example": "71.6.135.131"
},
"seen": {
"type": "boolean",
"description": "Whether or not the IP address has been observed by the GreyNoise sensor network.",
"example": true
},
"classification": {
"type": "string",
"description": "The classification of the IP address, either \"benign\", \"malicious\", or \"unknown\", based on the activity observed by GreyNoise.",
"enum": [
"benign",
"malicious",
"unknown"
],
"example": "benign"
},
"first_seen": {
"type": "string",
"description": "The earliest date GreyNoise observed any activity from this IP.",
"format": "date",
"example": "2018-01-28"
},
"last_seen": {
"type": "string",
"description": "The most recent date GreyNoise observed any activity from this IP.",
"format": "date",
"example": "2018-02-28"
},
"last_seen_timestamp": {
"type": "string",
"description": "The timestamp of the last observed activity from this IP.",
"format": "date-time",
"example": "2025-01-15T12:30:45Z"
},
"found": {
"type": "boolean",
"description": "Indicates if the IP was observed scanning the GreyNoise sensor network. Also referred to as 'noise'.",
"example": true
},
"actor": {
"type": "string",
"description": "The overt actor this IP is associated with.",
"example": "Shodan.io"
},
"spoofable": {
"type": "boolean",
"description": "This IP address has been opportunistically scanning the Internet but has failed to complete a full TCP connection. Because no handshake was completed, the source address is unverified and any reported activity could be spoofed.",
"example": true
},
"cves": {
"type": "array",
"items": {
"type": "string"
},
"description": "A list of CVEs associated with this IP.",
"example": [
"CVE-2020-1234",
"CVE-2021-2345"
]
},
"tor": {
"type": "boolean",
"description": "Whether or not the device is a known Tor exit node.",
"example": false
},
"vpn": {
"type": "boolean",
"description": "This IP is associated with a VPN service. Activity, malicious or otherwise, should not be attributed to the VPN service provider.",
"example": true
},
"vpn_service": {
"type": "string",
"description": "Name of associated VPN Service.",
"example": "IPVANISH_VPN"
},
"metadata": {
"$ref": "./greynoise-metadata-v3-schema.json#"
},
"tags": {
"$ref": "./greynoise-ip-response-v3-tags-schema.json#"
},
"raw_data": {
"type": "object",
"description": "Raw data observed directly by GreyNoise.",
"properties": {
"scan": {
"type": "array",
"items": {
"type": "object",
"properties": {
"port": {
"type": "integer",
"description": "Port number",
"example": 80
},
"protocol": {
"type": "string",
"description": "Protocol",
"example": "TCP"
}
}
}
},
"ja3": {
"type": "array",
"items": {
"type": "object",
"properties": {
"fingerprint": {
"type": "string",
"example": "c3a6cf0bf2e690ac8e1ecf6081f17a50",
"description": "JA3 hash fingerprint string"
},
"port": {
"type": "integer",
"example": 443,
"description": "TCP port over which the SSL/TLS communication occurred"
}
}
}
},
"hassh": {
"type": "array",
"items": {
"type": "object",
"properties": {
"fingerprint": {
"type": "string",
"example": "51cba57125523ce4b9db67714a90bf6e",
"description": "HASSH hash fingerprint string"
},
"port": {
"type": "integer",
"example": 2222,
"description": "TCP port connection where the HASSH hash was identified\n"
}
}
}
},
"http": {
"type": "object",
"properties": {
"md5": {
"type": "string",
"description": "An MD5 hash of the body content. This compact\nrepresentation of the data allows for quick\ncomparisons and deduplication of payloads without\nstoring the raw content. MD5 is not collision-resistant,\nso a matching hash is a deduplication aid, not proof\nthat two payloads are identical.\n",
"example": "9764955b67107eeb9edfae76f429e783"
},
"cookie_keys": {
"type": "array",
"description": "The keys or names of cookies exchanged in the communication.\nThese can reveal session identifiers, tracking mechanisms,\nor other metadata used in web interactions,\nproviding clues about application behavior or vulnerabilities.\n",
"example": [
"expremotekey"
],
"items": {
"type": "string"
}
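},
"request_authorization": {
"type": "array",
"description": "The contents of the Authorization header in a request,\nwhich can include credentials, tokens, or other authentication\ninformation. Because these values may be real credentials,\ntreat this field as sensitive when storing or logging it.\n",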
"example": [
"Bearer exampletoken",
"Basic username:password"
],
"items": {
"type": "string"
}
},
"request_cookies": {
"type": "array",
"description": "Key-value pairs stored in cookies sent with an HTTP request.\nThese cookies often contain session identifiers, user preferences,\nor tracking data, which can be analyzed to detect unauthorized\naccess or manipulation.\n",
"example": [
"session_id=1234567890"
],
"items": {
"type": "string"
}
},
"request_header": {
"type": "array",
"description": "Request Headers are the keys (names) of HTTP headers\nthat a client sends to a server.\n",
"example": [
"Content-Type: application/json",
"Accept: application/json"
],
"items": {
"type": "string"
}
},
"method": {
"type": "array",
"description": "The HTTP method used in the request, such as GET, POST, PUT, or DELETE.\nAnalyzing methods can reveal the intent of the request,\nsuch as retrieving or modifying resources,\nand identify unexpected or suspicious activity.\n",
"example": [
"GET",
"POST",
"PUT",
"DELETE"
],
"items": {
"type": "string"
}
},
"request_origin": {
"type": "array",
"description": "Indicates the origin of the request,\ntypically used in cross-origin resource sharing (CORS)\nto specify where the request originated.\nThis helps identify unauthorized or potentially\nmalicious cross-origin requests.\n",
"example": [
"111.111.1.1"
],
"items": {
"type": "string"
}
},
"host": {
"type": "array",
"description": "The host of the request, which can include the domain name\nand port number. These values can provide insight into the services or\nendpoints the actor may have been attempting to interact with.\n",
"example": [
"example.com",
"example.com:8080"
],
"items": {
"type": "string"
}
},
"uri": {
"type": "array",
"items": {
"type": "string",
"description": "The URI of the request, which can include the path and query parameters.\nThis can provide insight into the specific resource or data being requested.\n"
},
"example": [
"string"
]
},
"path": {
"type": "array",
"items": {
"type": "string",
"description": "Observed scanning activity traversed this web path.",
"example": "/robots.txt"
},
"example": [
"/HNAP1/"
]
},
"useragent": {
"type": "array",
"items": {
"type": "string",
"description": "Observed scanning activity used these user agents.",
"example": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\n"
},
"example": [
"Mozilla/5.0 (compatible; GoogleBot/2.1; +http://www.google.com/bot.html)"
]
},
"ja4h": {
"type": "array",
"items": {
"type": "string",
"description": "List of JA4H HTTP client fingerprints observed in network traffic from the IP.\nJA4H captures characteristics of HTTP client behavior including method,\nheaders, and cookie fields, useful for identifying and tracking HTTP clients.\n"
},
"example": [
"ge11cn060000_4e59edc1297a_4da5efaf0cbd"
]
}
}
},
"tls": {
"type": "object",
"properties": {
"cipher": {
"type": "string",
"description": "The encryption algorithm or cipher suite used during the\nsecure communication. Identifying the cipher helps assess\nthe security of the connection, particularly in TLS/SSL traffic.\n",
"example": "TLS_AES_128_GCM_SHA256"
},
"ja4": {
"type": "array",
"items": {
"type": "string",
"description": "List of JA4 TLS fingerprints observed in network traffic from the IP.\nJA4 is a modern fingerprinting method that captures distinctive\ncharacteristics of TLS client behavior,\nuseful for identifying and clustering malicious or anomalous clients.\n"
},
"example": [
"t13d1516h2_8daaf6152771_02713d6af862"
]
}
}
},
"ssh": {
"type": "object",
"properties": {
"key": {
"type": "array",
"description": "This is the SSH key used.\n",
"example": [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1234567890"
],
"items": {
"type": "string"
}
},
"ja4ssh": {
"type": "array",
"items": {
"type": "string",
"description": "List of JA4SSH fingerprints observed in network traffic from the IP.\nJA4SSH captures SSH traffic patterns including packet lengths and\ndirections, useful for identifying SSH client behavior and detecting\nanomalous sessions.\n"
},
"example": [
"c76s76_c71s59_c0s0"
]
}
}
},
"tcp": {
"type": "object",
"properties": {
"ja4t": {
"type": "array",
"items": {
"type": "string",
"description": "List of JA4T TCP fingerprints observed in network traffic from the IP.\nJA4T captures TCP connection characteristics such as window size,\noptions, and MSS, useful for OS fingerprinting and identifying\nnetwork stacks.\n"
},
"example": [
"64240_2-1-3-1-1-4_1460_8"
]
},
"ja4l": {
"type": "string",
"description": "JA4L light distance/latency fingerprint observed in network traffic\nfrom the IP. Captures TCP TTL and window size characteristics, useful\nfor estimating client-server distance and identifying proxied\nconnections.\n",
"example": "1460_64"
}
}
},
"source": {
"properties": {
"bytes": {
"type": "integer",
"description": "The total amount of data transferred (in bytes) during the observed session or connection.\n",
"example": 1024
}
},
"example": "string"
}
}
}
}
}