Use IPinfo enrichment data in your Panther detections to reduce false-positive alerts by:
- Cross-examining the current IP geolocation details of suspicious users to discover irregularities in profile information and blocking them.
- Preemptively identifying and blocking traffic from high-risk locations or networks before they make it to you.
- Accurately and reliably discovering other entities related to the target that may pose a security risk.
The IPinfo data sets are available to all Panther accounts at no additional cost and are disabled by default.
The data from IPinfo is updated once a day.
There are three data types available from IPinfo that add contextual information about IP addresses:
To enable Analyst roles to view and manage IPinfo packages in the Panther Console, they will need to be assigned the View Lookups and Manage Lookups permissions.
To enable IPinfo Panther-managed Lookup Tables:
1. Log in to your Panther Console.
2. From the left sidebar menu, click Build > Packs.
   - On this page, you can see the built-in packs available for IPinfo.
3. On the right side of the IPinfo tile you wish to enable, click the toggle to enable the pack.
4. Click Continue in the dialog that appears.
5. To verify that the IPinfo data sets are enabled, from the left sidebar menu, click Configure > Enrichment Providers.
   - On this page, you can see Panther-managed enrichment sources (such as IPinfo). You can also see whether each source is currently enabled or disabled and when its data was last refreshed.
   - The six IPinfo source tables are visible, along with the time each was last refreshed. Disabled data sets are not refreshed.
ipinfo_privacy tables are used for real-time lookups in the detection engine.
ipinfo_privacy_datalake tables are used for querying and joining to IPinfo data in the data lake.
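As an added example (not Panther's or IPinfo's own code), the following Panther-style Python rule shows how the real-time lookups above can cut false positives: a login only alerts when the IPinfo geolocation contradicts the user's profile country and the source IP is flagged as an anonymizing or hosting network. It assumes Panther attaches enrichment under `event["p_enrichment"]`, keyed by lookup table name and then by the matched event field (`clientIp`), and that the row fields (`country`, `vpn`, `proxy`, `tor`, `relay`, `hosting`) follow IPinfo's location and privacy data; the sample event is constructed.

```python
# Added example, not Panther's or IPinfo's own code. Assumptions: enrichment lives
# under event["p_enrichment"][<lookup table>][<matched field>], and row fields follow
# IPinfo's location (country) and privacy (vpn, proxy, tor, relay, hosting) data.

ANONYMIZER_FLAGS = ("vpn", "proxy", "tor", "relay", "hosting")


def get_enrichment(event, table, field):
    """Return the IPinfo row matched on `field` from lookup table `table`, or {}."""
    return (event.get("p_enrichment") or {}).get(table, {}).get(field) or {}


def rule(event):
    """Alert only when the IP geolocation contradicts the profile country AND the
    IP sits on an anonymizing or hosting network; everything else is treated as
    benign so that ordinary travel does not page anyone."""
    location = get_enrichment(event, "ipinfo_location", "clientIp")
    privacy = get_enrichment(event, "ipinfo_privacy", "clientIp")
    profile_country = event.get("profile_country")
    ip_country = location.get("country")
    if not profile_country or not ip_country:
        return False  # no basis for comparison: never alert on missing data
    if profile_country == ip_country:
        return False  # geolocation agrees with the profile
    return any(privacy.get(flag) for flag in ANONYMIZER_FLAGS)


def title(event):
    """Alert title carrying the geolocation mismatch for the analyst."""
    location = get_enrichment(event, "ipinfo_location", "clientIp")
    return (
        f"Login for {event.get('user')} from {event.get('clientIp')} geolocated to "
        f"{location.get('country')}, profile country is {event.get('profile_country')}"
    )


# Constructed sample event, shaped as Panther would deliver it after enrichment.
SAMPLE_EVENT = {
    "user": "alice@example.com",
    "clientIp": "203.0.113.7",  # documentation address range, constructed
    "profile_country": "US",
    "p_enrichment": {
        "ipinfo_location": {"clientIp": {"country": "NL", "city": "Amsterdam"}},
        "ipinfo_privacy": {"clientIp": {"vpn": True, "proxy": False, "tor": False}},
    },
}
```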