GreyNoise Helper Function Usage and Methods

Overview

Panther has integrated Python helper functions to streamline the use of GreyNoise data in Python detections. This page describes how to use these functions, and what methods are available in the objects they create.

The helper functions described in this documentation act as proxies for accessing the p_enrichment field of the event object. None of the following methods directly query the GreyNoise API.

If you are writing YAML detections, you will not need the helper functions on this page. Instead, you will access GreyNoise enrichment fields using the Enrichment: key. See Panther's documentation on using enrichment in YAML detections for details.

Creating GreyNoise objects in a rule

There are individual helpers for both GreyNoise datasets (Noise and RIOT). These functions create objects with methods that can be called to return relevant data from the dataset. Below is an example code snippet that shows the creation of these objects:

from panther_greynoise_helpers import (
    GetGreyNoiseObject,
    GetGreyNoiseRiotObject,
)

def rule(event):
    # Declared global so the objects can also be used in other functions
    # of the rule module (see the note below); otherwise omit these lines.
    global noise
    global riot
    # Both helpers read the event's p_enrichment field; no GreyNoise API call is made.
    noise = GetGreyNoiseObject(event)
    riot = GetGreyNoiseRiotObject(event)

The global keyword is only needed if you intend to use the objects in functions other than the one in which they are created.

Calling methods on the GreyNoise objects

The various components of the GreyNoise datasets are available via methods on the Noise and RIOT objects. A single event that your rule is processing may contain several IP-address fields (for example, the source and destination IP in a network log). When calling a method on a GreyNoise object, always specify which event field you want to look up.

The example below calls the classification method on the noise object created in the previous example to determine whether the source IP address (src) is malicious, and the is_riot method on the riot object to determine whether the destination IP address (dest) is in the RIOT dataset (meaning it is a known safe entity).

# Alert when the source IP is classified as malicious in the Noise dataset.
if noise.classification('src') == 'malicious':
    return True
# Suppress when the destination is a known-good entity in the RIOT dataset.
if riot.is_riot('dest'):
    return False

If the event field being referenced is an array, the helper method returns an array of matching values, one per element of the field. For example:

for classification in noise.classification('p_any_ip_addresses'):
    if classification == 'malicious':
        return True
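The following is an added, complete rule() that ties the snippets above together; it is not code from Panther or the panther_greynoise_helpers module. Because that module reads the event's p_enrichment field and is not available here, the two classes below are constructed stand-ins that reuse the helper names from this page and expose the same two methods (classification and is_riot), backed by a hand-made lookup table. The IP addresses, verdicts and events are constructed sample data, and the assumption that a missing field yields None is the stand-in's, not a documented property of the real helpers. The rule shows the one thing a practitioner must get right: a method can return a scalar (src, dest) or an array (p_any_ip_addresses), so normalise before comparing.

```python
# Added example (not Panther's code): a full rule() using the GreyNoise
# helper pattern, with constructed stand-ins for the helper objects.

# Constructed sample enrichment: IP -> GreyNoise Noise classification
_NOISE_TABLE = {
    "198.51.100.7": "malicious",
    "203.0.113.9": "benign",
    "192.0.2.5": "unknown",
}
# Constructed sample enrichment: IPs present in the RIOT (known-good) dataset
_RIOT_TABLE = {"203.0.113.9", "192.0.2.200"}


def _lookup(event, field, fn):
    """Apply fn to a scalar field, or map it over an array field.

    Mirrors the behaviour the page describes: an array field yields an
    array of results. A missing field yields None (assumption of this stand-in).
    """
    value = event.get(field)
    if value is None:
        return None
    if isinstance(value, list):
        return [fn(v) for v in value]
    return fn(value)


class GetGreyNoiseObject:
    """Stand-in for the Noise helper; the real one reads event['p_enrichment']."""

    def __init__(self, event):
        self._event = event

    def classification(self, field):
        return _lookup(self._event, field, _NOISE_TABLE.get)


class GetGreyNoiseRiotObject:
    """Stand-in for the RIOT helper; the real one reads event['p_enrichment']."""

    def __init__(self, event):
        self._event = event

    def is_riot(self, field):
        return _lookup(self._event, field, lambda ip: ip in _RIOT_TABLE)


def _as_list(result):
    """Normalise a scalar-or-array helper result to a list (None -> [])."""
    if result is None:
        return []
    return result if isinstance(result, list) else [result]


def rule(event):
    noise = GetGreyNoiseObject(event)
    riot = GetGreyNoiseRiotObject(event)

    # Same order as the page's snippet: a malicious source alerts first,
    # then a known-good RIOT destination suppresses everything else.
    if "malicious" in _as_list(noise.classification("src")):
        return True
    if any(_as_list(riot.is_riot("dest"))):
        return False
    # Fall back to every IP Panther extracted into p_any_ip_addresses,
    # an array field, so the helper returns an array.
    return "malicious" in _as_list(noise.classification("p_any_ip_addresses"))


def title(event):
    return f"GreyNoise flagged traffic from {event.get('src')} to {event.get('dest')}"


# Constructed sample events
EVENT_MALICIOUS_SRC = {"src": "198.51.100.7", "dest": "192.0.2.5",
                       "p_any_ip_addresses": ["198.51.100.7", "192.0.2.5"]}
EVENT_RIOT_DEST = {"src": "192.0.2.5", "dest": "203.0.113.9",
                   "p_any_ip_addresses": ["192.0.2.5", "203.0.113.9"]}
EVENT_ANY_IP = {"src": "203.0.113.9", "dest": "192.0.2.5",
                "p_any_ip_addresses": ["203.0.113.9", "198.51.100.7"]}
EVENT_NO_ENRICHMENT = {"src": "10.0.0.1"}  # private IP, no GreyNoise data

if __name__ == "__main__":
    for name, ev in [("malicious src", EVENT_MALICIOUS_SRC),
                     ("riot dest", EVENT_RIOT_DEST),
                     ("malicious in p_any_ip_addresses", EVENT_ANY_IP),
                     ("no enrichment", EVENT_NO_ENRICHMENT)]:
        print(f"{name}: rule -> {rule(ev)}")
```

The _as_list wrapper is the point of the example: comparing an array result directly with a string (noise.classification('p_any_ip_addresses') == 'malicious') is always False and silently never alerts, whereas normalising to a list works for scalar and array fields alike and also tolerates a field that is absent from the event.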

Available methods

Noise Dataset

The following table shows the available methods for the GreyNoise Noise Object, their expected return values, and if they are available in the Basic or Advanced GreyNoise subscriptions.

All methods take the argument of the field you are searching for (src or dest in the example above) unless otherwise noted.

RIOT Dataset

The following table shows the available methods for the GreyNoise RIOT object, their expected return values, and if they are available in the Basic or Advanced GreyNoise subscriptions.

All methods take the argument of the field you are searching for (src or dest in the example above) unless otherwise noted.
