IPInfo (Beta)

Overview

IPInfo enrichment is in closed beta as of v1.48. Please share any bug reports and feature requests with your account team.
Panther has partnered with IPInfo, a trusted source for IP address data, to provide integrated IP-related enrichment to Panther customers.
Use Panther's detection capabilities together with IPInfo enrichment data to reduce false-positive alerts by:
  • Cross-examining the current IP geolocation details of suspicious users to discover irregularities in profile information and blocking them.
  • Preemptively identifying and blocking traffic from high-risk locations or networks before they make it to you.
  • Accurately and reliably discovering other entities related to the target that may pose a security risk.
The IPInfo data sets are available to all Panther accounts at no additional cost and are disabled by default.

How IPInfo works

As with GreyNoise, alert events are automatically enriched with both custom Lookup Tables and IPInfo data under the p_enrichment field in JSON events.
IPInfo data can be used in detections with pre-built Python helpers (and deep_get) to access enrichment information.
IPInfo data sets are stored as Panther-managed Lookup Tables in bulk, so there is no need to make API calls to leverage this enrichment in your detection logic or alerts.

IPInfo Datasets

There are two kinds of data available from IPInfo, each adding contextual information about IP addresses: location data (city, country, coordinates, region, timezone) and ASN data (AS number, organization name, domain, route, type).
The data from IPInfo is updated once a day.

IPInfo Lookup Tables available in Panther

In Panther, there are IPInfo Lookup Tables available for the Python rules in the Detections Engine (these names end in detections_engine) and for data lake queries (these names end in datalake).
Use the data lake query Lookup Tables if you intend to JOIN data in SQL. See IPInfo's documentation on joins using the data lake tables.

How to enable IPInfo data sets

If you are using a CI/CD workflow, please see the CI/CD Users section below to learn about additional considerations.
To enable Analyst roles to view and manage IPInfo packages in the Panther Console, they will need to be assigned the View Lookups and Manage Lookups permissions.
To enable IPInfo Lookup Tables:
  1. Log in to your Panther Console.
  2. From the left sidebar menu, click Build > Packs.
    • On this page, you can see built-in packs available for IPInfo.
  3. On the right side of the IPInfo tile you wish to enable, click the toggle to enable the pack.
  4. Click Continue in the dialog that appears.
    • If you'd like to make additional changes through CI/CD with the panther_analysis_tool, please contact your Panther representative for more information.
  5. To verify that the IPInfo data sets are enabled, from the left sidebar menu, click Configure > Enrichment Providers.
    • On this page, you can see Panther-managed enrichment sources (such as IPInfo). You can also see whether the sources are currently enabled or disabled and when a source's data was last refreshed.
    • In the screenshot below, you can see the two source tables provided by IPInfo and the time they were last refreshed. Disabled data sets will not be refreshed.

CI/CD Users

Please note the following considerations:
  • CI/CD users do not need to use Detection Packs to get IPInfo Tables. You can pull in the latest release of panther-analysis and use the panther_analysis_tool (PAT) to upload the IPInfo Lookup Tables.
  • It is possible for CI/CD users to enable IPInfo Lookup Tables via Detection Packs, as long as you do not customize the IPInfo tables using PAT.
    • If you choose to manage IPInfo through PAT after enabling it in the Panther Console, you must first disable the Detection Packs in the Panther Console. Simultaneous use of both the Panther Console and PAT to manage GreyNoise is not supported.
  • For more information on how to manage IPInfo Lookup Tables, please see the IPInfo files in Panther's Github repository.

Examples

Example: Alert based on IPInfo location data

In this example, we create a rule that emits an alert on every login to the AWS console that is made from an unexpected country.
```python
from panther_ipinfo_helpers import IPInfoLocation


def rule(event):
    global ipinfo_location
    ipinfo_location = IPInfoLocation(event)
    match_field = ""
    # Panther's CloudTrail log type is "AWS.CloudTrail"; CloudTrail records
    # carry the action in "eventName" (event.get is case-sensitive)
    if event.get("p_log_type") == "AWS.CloudTrail":
        match_field = "sourceIPAddress"
    if event.get("eventName") == "ConsoleLogin" and ipinfo_location.country(match_field) != "US":
        return True
    return False
```

IPInfo helper function usage and methods

Panther has integrated helper functions to streamline the use of IPInfo data.

Creating IPInfo object in rules

There are helper functions that create objects with methods that can be called to return relevant data from the dataset.
Below is an example code snippet that shows the creation of these objects:
```python
from panther_ipinfo_helpers import IPInfoASN, IPInfoLocation, geoinfo_from_ip


def rule(event):
    global ipinfo_location
    global ipinfo_asn
    ipinfo_location = IPInfoLocation(event)
    ipinfo_asn = IPInfoASN(event)
```
Note that global statements are only needed if you intend to use the objects outside of the function in which they were declared.

Calling Methods on the IPInfo Objects

The various components of the IPInfo data sets are available via methods on the ipinfo_location and ipinfo_asn objects. A single event your rule is processing may contain several IP address fields (for example, source and destination IP in a network log), so each method takes the name of the field whose address you want to look up.
The example below calls every helper method on the ipinfo_location and ipinfo_asn objects created in the previous example, retrieving all the enrichment information available to the detection's rule.
```python
match_field = ""
if event.get("p_log_type") == "AWS.CloudTrail":
    match_field = "sourceIPAddress"
if ipinfo_location:
    city = ipinfo_location.city(match_field)
    country = ipinfo_location.country(match_field)
    latitude = ipinfo_location.latitude(match_field)
    longitude = ipinfo_location.longitude(match_field)
    postal_code = ipinfo_location.postal_code(match_field)
    region = ipinfo_location.region(match_field)
    region_code = ipinfo_location.region_code(match_field)
    timezone = ipinfo_location.timezone(match_field)
if ipinfo_asn:
    asn = ipinfo_asn.asn(match_field)
    domain = ipinfo_asn.domain(match_field)
    name = ipinfo_asn.name(match_field)
    route = ipinfo_asn.route(match_field)
    asn_type = ipinfo_asn._type(match_field)  # "type" shadows the builtin, hence _type
```
The next example uses the geoinfo_from_ip() function, which returns a dictionary of geolocation information in the same format as panther_oss_helper.geoinfo_from_ip(), except that it does not provide the hostname and anycast fields.
```python
result = geoinfo_from_ip(event, "sourceIPAddress")
```
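The following is an added, self-contained example (not Panther's helper code and not from the panther-analysis repository) that ties together the "How IPInfo works" section, the console-login rule above, and the method calls just shown: it models how a rule reads IPInfo location and ASN data from the event's p_enrichment field, decides whether to alert, and packages the enrichment as alert context. Assumptions are labelled in the code: the p_enrichment keys "ipinfo_location" and "ipinfo_asn", the lookup-name -> match-field -> attribute layout, the stand-in accessor classes, the key naming in context(), and every sample event (RFC 5737 test addresses) are constructed for this example.

```python
# Added example: stand-in model of Panther IPInfo enrichment access. The
# enrichment keys, nesting layout and sample events are ASSUMPTIONS made for
# this example, not Panther's actual helper implementation.
from typing import Any, Dict, Optional


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dictionaries without raising; return default on any miss."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return default if obj is None else obj


class _Enrichment:
    """Shared stand-in for the documented helper objects (assumed layout:
    p_enrichment -> <lookup name> -> <match field> -> <attribute>)."""
    LOOKUP = ""   # p_enrichment key, set by each subclass (assumption)
    FIELDS = ()   # attribute names the documented methods expose

    def __init__(self, event: Dict[str, Any]):
        self.data = deep_get(event, "p_enrichment", self.LOOKUP, default={})

    def get(self, match_field: str, attr: str) -> Optional[str]:
        return deep_get(self.data, match_field, attr)

    @staticmethod
    def _key(attr: str) -> str:
        # Capitalised method name as key, per the page's context() rows; the
        # spelling of multi-word keys ("PostalCode") is an assumption here.
        return "ASN" if attr == "asn" else "".join(p.capitalize() for p in attr.split("_"))

    def context(self, match_field: str) -> Dict[str, Optional[str]]:
        return {self._key(a): self.get(match_field, a) for a in self.FIELDS}


class IPInfoLocation(_Enrichment):
    LOOKUP = "ipinfo_location"  # assumed key name
    FIELDS = ("city", "country", "latitude", "longitude",
              "postal_code", "region", "region_code", "timezone")

    def city(self, match_field: str) -> Optional[str]:
        return self.get(match_field, "city")

    def country(self, match_field: str) -> Optional[str]:
        return self.get(match_field, "country")


class IPInfoASN(_Enrichment):
    LOOKUP = "ipinfo_asn"  # assumed key name
    FIELDS = ("asn", "domain", "name", "route", "type")

    def asn(self, match_field: str) -> Optional[str]:
        return self.get(match_field, "asn")

    def _type(self, match_field: str) -> Optional[str]:
        return self.get(match_field, "type")


MATCH_FIELD = "sourceIPAddress"
EXPECTED_COUNTRY = "US"


def rule(event: Dict[str, Any]) -> bool:
    """Alert on an AWS console login whose source IP geolocates outside the US."""
    if event.get("p_log_type") != "AWS.CloudTrail":
        return False
    if event.get("eventName") != "ConsoleLogin":
        return False
    country = IPInfoLocation(event).country(MATCH_FIELD)
    if country is None:
        # No enrichment for this address (data set disabled, private range, or
        # address not yet in the daily refresh): treat as unknown, not foreign.
        return False
    return country != EXPECTED_COUNTRY


def alert_context(event: Dict[str, Any]) -> Dict[str, Any]:
    """Attach location and ASN detail to the alert for the analyst."""
    return {
        "source_ip": event.get(MATCH_FIELD),
        "location": IPInfoLocation(event).context(MATCH_FIELD),
        "asn": IPInfoASN(event).context(MATCH_FIELD),
    }


def make_event(ip: str, location: Optional[Dict[str, str]] = None,
               asn: Optional[Dict[str, str]] = None,
               event_name: str = "ConsoleLogin") -> Dict[str, Any]:
    """Build a constructed CloudTrail-shaped event with optional enrichment."""
    event: Dict[str, Any] = {"p_log_type": "AWS.CloudTrail", "eventName": event_name,
                             MATCH_FIELD: ip, "p_enrichment": {}}
    if location is not None:
        event["p_enrichment"]["ipinfo_location"] = {MATCH_FIELD: location}
    if asn is not None:
        event["p_enrichment"]["ipinfo_asn"] = {MATCH_FIELD: asn}
    return event


# Constructed sample enrichment, mirroring the example values in the tables below.
US_LOCATION = {"city": "San Francisco", "country": "US", "latitude": "37.7812",
               "longitude": "-122.4614", "postal_code": "94118", "region": "California",
               "region_code": "CA", "timezone": "America/Los_Angeles"}
ATT_ASN = {"asn": "AS7018", "domain": "att.com", "name": "AT&T Services, Inc.",
           "route": "107.128.0.0/12", "type": "isp"}
FOREIGN_LOCATION = dict(US_LOCATION, city="Berlin", country="DE", region="Berlin",
                        region_code="BE", timezone="Europe/Berlin")

if __name__ == "__main__":
    for ev in (make_event("203.0.113.10", FOREIGN_LOCATION, ATT_ASN),   # alerts
               make_event("198.51.100.7", US_LOCATION, ATT_ASN),        # expected country
               make_event("192.0.2.1")):                                 # no enrichment
        print(ev[MATCH_FIELD], rule(ev), alert_context(ev)["location"]["Country"])
```

The rule deliberately returns False when no enrichment exists for the address; because the IPInfo data sets are disabled by default and refreshed daily, a missing lookup result is a data gap rather than evidence of a foreign login, and alerting on it would reintroduce the false positives the enrichment is meant to remove.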

Available Methods

The following tables show the available methods on the IPInfo Location and ASN objects, their return types, and example return values.
Every method takes a single argument: the name of the event field holding the IP address you are looking up.

Location

Location method | Return type | Example
--------------- | ----------- | -------
city            | String      | "San Francisco"
country         | String      | "US"
latitude        | String      | "37.7812"
longitude       | String      | "-122.4614"
postal_code     | String      | "94118"
region          | String      | "California"
region_code     | String      | "CA"
timezone        | String      | "America/Los_Angeles"
context         | Object      | A dictionary containing all of the above fields, keyed by the capitalized method name, e.g. {"City": "San Francisco", ...}

ASN

ASN method | Return type | Example
---------- | ----------- | -------
asn        | String      | "AS7018"
domain     | String      | "att.com"
name       | String      | "AT&T Services, Inc."
route      | String      | "107.128.0.0/12"
type       | String      | "isp"
context    | Object      | A dictionary containing all of the above fields, keyed by the capitalized method name, e.g. {"ASN": "AS7018", "Domain": "att.com", ...}