# GreyNoise Helper Function Usage and Methods

## Overview

Panther has integrated helper functions to streamline the use of GreyNoise data. This page describes how to use these functions, and what methods are available in the objects they create.

The helper functions described in this documentation act as proxies for accessing the `p_enrichment` field of the event object. None of the following methods directly query the GreyNoise API.

## Creating GreyNoise objects in a rule

There are individual helpers for both GreyNoise datasets (Noise and RIOT). These functions create objects with methods that can be called to return relevant data from the dataset. Below is an example code snippet that shows the creation of these objects:

```python
from panther_greynoise_helpers import (
    GetGreyNoiseObject, GetGreyNoiseRiotObject
    )

def rule(event):
    global noise
    global riot
    noise = GetGreyNoiseObject(event)
    riot = GetGreyNoiseRiotObject(event)
```

The `global` keyword is only needed if you intend to use the objects outside of the function in which they are declared.

## Calling methods on the GreyNoise objects

The various components of the GreyNoise datasets are available via methods on the Noise and RIOT objects. It's possible for one event that your rule is processing to have multiple fields (such as IP addresses, source and destination IP in a network log). When calling the GreyNoise objects, make sure to specify which field you are looking for. 

The example below demonstrates calling the `classification` method on the `noise` object we created in the previous example, to determine if the source IP address (`src`) is malicious and if the destination ip (`dest`) is in the RIOT dataset (meaning it is a known safe entity).

```python
if noise.classification('src') == 'malicious':
    return True
if riot.is_riot('dest'):
    return False
```

If the event field being referenced is an array, then the helper function will return an array of the matching values. For example:

```python
for classification in noise.classification('p_any_ip_addresses'):
    if classification == 'malicious':
        return True
```

## Available methods

### Noise Dataset

The following table shows the available methods for the GreyNoise Noise Object, their expected return values, and if they are available in the Basic or Advanced GreyNoise subscriptions. 

All methods take the argument of the field you are searching for (`src` or `dest` in the example above) unless otherwise noted.

<table><thead><tr><th width="227.66666666666669">Noise Method</th><th>Basic or Advanced?</th><th width="228.33333333333331">Noise Return Type and Description</th></tr></thead><tbody><tr><td>subscription_level</td><td>Both</td><td><p><strong>Takes no arguments</strong></p><p>Returns String "advanced" or "basic" depending on Subscription level</p></td></tr><tr><td>ip_address</td><td>Both</td><td>Returns String <br>IP address that was matched</td></tr><tr><td>ip_addresses</td><td>Both</td><td>Returns List<br>A List of IP Addresses and associated information</td></tr><tr><td>actor</td><td>Both</td><td>The confirmed owner/operator of this IP address</td></tr><tr><td>classification</td><td>Both</td><td><p>Returns String</p><p>IP Classification - possible options: benign, unknown, malicious</p></td></tr><tr><td>url</td><td>Both</td><td>Returns String<br>Url to the GreyNoise entry for this IP</td></tr><tr><td>is_bot</td><td>Advanced</td><td>Returns Boolean<br>IP is associated with known bot activity</td></tr><tr><td>cve_string</td><td>Advanced</td><td><p>Returns String</p><p>Additional, Optional Argument: limit Default value: 10<br>Space separated string of CVEs the IP has been observed scanning for or exploiting</p></td></tr><tr><td>cve_list</td><td>Advanced</td><td>Returns List<br>Returns all CVEs the IP has been observed scanning for or exploiting</td></tr><tr><td>first_seen</td><td>Advanced</td><td>Returns Datetime.date object<br>Date of the first observed behavior on the GreyNoise Sensor network</td></tr><tr><td>last_seen<em>_</em>timestamp</td><td>Advanced</td><td>Returns Datetime.date object<br>Date of last observed behavior on the GreyNoise Sensor network</td></tr><tr><td>asn</td><td>Advanced</td><td>Returns String<br>ASN number of IP</td></tr><tr><td>category</td><td>Advanced </td><td>Returns String<br>Category of service that IP falls into, such as "hosting"</td></tr><tr><td>city</td><td>Advanced</td><td>Returns String<br>City where IP is physically located</td></tr><tr><td>country</td><td>Advanced</td><td>Returns String<br>Country where IP is Physically located</td></tr><tr><td>country_code</td><td>Advanced</td><td>Returns String<br>Two letter Country Code where IP is Physically located</td></tr><tr><td>organization</td><td>Advanced</td><td>Returns String<br>Organization that owns the IP</td></tr><tr><td>operating_system</td><td>Advanced</td><td>Returns String<br>Operating System that has been observed using the IP</td></tr><tr><td>region</td><td>Advanced</td><td>Returns String <br>State, Province, or other Regional identifier associated with the IP<br></td></tr><tr><td>is_tor</td><td>Advanced</td><td>Returns Boolean<br>If IP is a part of the TOR network, usually an exit node</td></tr><tr><td>tags_list</td><td>Advanced</td><td>Returns List<br>GreyNoise tags associated with IP</td></tr><tr><td>tags_string</td><td>Advanced</td><td>Returns String<br>Optional Argument: limit<br>Default: 10<br>Space separated string of GreyNoise tags associated with the IP</td></tr><tr><td>is_vpn</td><td>Advanced</td><td>Returns Boolean<br>If IP is associated with a VPN service</td></tr><tr><td>vpn_service</td><td>Advanced</td><td>Returns String<br>VPN service associated with IP, if any</td></tr></tbody></table>

### RIOT Dataset

The following table shows the available methods for the GreyNoise RIOT object, their expected return values, and if they are available in the Basic or Advanced GreyNoise subscriptions.&#x20;

All methods take the argument of the field you are searching for (`src` or `dest` in the example above) unless otherwise noted.

| RIOT Method         | Basic or Advanced? | RIOT Return Type and Description                                                                                                                                                                                                               |
| ------------------- | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| subscription\_level | Both               | <p><strong>Takes no Arguments</strong><br>Returns String "advanced" or "basic" depending on Subscription level</p>                                                                                                                             |
| is\_riot            | Both               | <p>Returns Boolean<br>Indicates if an IP is part of the Riot dataset</p>                                                                                                                                                                       |
| ip\_address         | Both               | <p>Returns String<br>IP that was matched</p>                                                                                                                                                                                                   |
| name                | Both               | <p>Returns String<br>The name of the Provider or service associated with the IP</p>                                                                                                                                                            |
| url                 | Both               | <p>Returns String<br>Url to the GreyNoise entry for this IP</p>                                                                                                                                                                                |
| last\_updated       | Both               | <p>Returns Datetime.date object<br>Date and time when this record was last updated from its source</p>                                                                                                                                         |
| description         | Advanced           | <p>Returns String<br>A description of the provider and what they do</p>                                                                                                                                                                        |
| explanation         | Advanced           | <p>Returns String</p><p>An explanation of the category type and what may be expected from this provider and category</p>                                                                                                                       |
| reference           | Advanced           | <p>Returns String<br>Reference URL for information about this provider and/or service</p>                                                                                                                                                      |
| trust\_level        | Advanced           | <p>Returns Integer<br>Defines the trust level assigned to this IP/provider, either 1 or 2. Additional information on trust levels can be found <a href="https://docs.greynoise.io/docs/understanding-greynoise-riot-trust-levels">here</a></p> |
|                     |                    |                                                                                                                                                                                                                                                |