GreyNoise Intelligence · Schema
TimeSeriesIntelligence
Intelligence data for an IP in the timeseries dataset
SecurityThreat IntelligenceCybersecurityIP ReputationVulnerability ManagementNetwork TelemetrySOC AutomationPublic APIs
Properties
| Name | Type | Description |
|---|---|---|
| first_seen | string | The earliest date GreyNoise observed any activity from this IP. |
| last_seen | string | The most recent date GreyNoise observed any activity from this IP. |
| found | boolean | Indicates if the IP was observed scanning the GreyNoise sensor network. Also referred to as 'noise'. |
| tags | array | A list of activity/malware tags GreyNoise has applied to this IP. |
| actor | string | The overt actor this IP is associated with. |
| spoofable | boolean | This IP address has been opportunistically scanning the Internet, however has failed to complete a full TCP connection. Any reported activity could be spoofed. |
| classification | string | The classification of the IP address, either "benign", "malicious", or "unknown", based on the activity observed by GreyNoise. |
| cves | array | A list of CVEs associate with this IP. |
| vpn | boolean | This IP is associated with a VPN service. Activity, malicious or otherwise, should not be attributed to the VPN service provider. |
| vpn_service | string | Name of associated VPN Service. |
| tor | boolean | Whether or not the device is a known Tor exit node. |
| last_seen_timestamp | string | The timestamp of the last observed activity from this IP. |
| metadata | object | |
| raw_data | object |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://api-evangelist.github.io/greynoise/json-schema/greynoise-time-series-intelligence-schema.json",
"title": "TimeSeriesIntelligence",
"type": "object",
"description": "Intelligence data for an IP in the timeseries dataset",
"properties": {
"first_seen": {
"type": "string",
"description": "The earliest date GreyNoise observed any activity from this IP.",
"format": "date",
"example": "2018-01-28"
},
"last_seen": {
"type": "string",
"description": "The most recent date GreyNoise observed any activity from this IP.",
"format": "date",
"example": "2018-02-28"
},
"found": {
"type": "boolean",
"description": "Indicates if the IP was observed scanning the GreyNoise sensor network. Also referred to as 'noise'.",
"example": true
},
"tags": {
"type": "array",
"items": {
"type": "string"
},
"description": "A list of activity/malware tags GreyNoise has applied to this\nIP.\n",
"example": [
"Mirai",
"Telnet Worm"
]
},
"actor": {
"type": "string",
"description": "The overt actor this IP is associated with.",
"example": "Shodan.io"
},
"spoofable": {
"type": "boolean",
"description": "This IP address has been opportunistically scanning the Internet, however has failed to complete a full TCP connection. Any reported activity could be spoofed.",
"example": true
},
"classification": {
"type": "string",
"description": "The classification of the IP address, either \"benign\", \"malicious\", or \"unknown\", based on the activity observed by GreyNoise.",
"enum": [
"benign",
"malicious",
"unknown"
],
"example": "benign"
},
"cves": {
"type": "array",
"items": {
"type": "string"
},
"description": "A list of CVEs associate with this IP.",
"example": [
"CVE-2020-1234",
"CVE-2021-2345"
]
},
"vpn": {
"type": "boolean",
"description": "This IP is associated with a VPN service. Activity, malicious or otherwise, should not be attributed to the VPN service provider.",
"example": true
},
"vpn_service": {
"type": "string",
"description": "Name of associated VPN Service.",
"example": "IPVANISH_VPN"
},
"tor": {
"type": "boolean",
"description": "Whether or not the device is a known Tor exit node.",
"example": false
},
"last_seen_timestamp": {
"type": "string",
"description": "The timestamp of the last observed activity from this IP.",
"format": "date-time",
"example": "2025-01-15T12:30:45Z"
},
"metadata": {
"$ref": "./greynoise-metadata-v3-schema.json#"
},
"raw_data": {
"$ref": "./greynoise-time-series-raw-data-schema.json#"
}
}
}