IPinfo
Overview
Panther has partnered with IPinfo, a trusted source for IP address data, to provide integrated IP-related enrichment to Panther customers. The IPinfo integration is an Enrichment Provider, also known as a Panther-managed Lookup Table.
Use IPinfo enrichment data in your Panther detections to reduce false-positive alerts by:
Cross-examining the current IP geolocation details of suspicious users to discover irregularities in profile information and blocking them.
Preemptively identifying and blocking traffic from high-risk locations or networks before they make it to you.
Accurately and reliably discovering other entities related to the target that may pose a security risk.
The IPinfo data sets are available to all Panther accounts at no additional cost and are disabled by default. Learn how to view stored Enrichment Provider data here, and how to view log events with enrichment data here.
How IPinfo works
Alert events are automatically enriched with IPinfo data within the p_enrichment field in JSON events.
IPinfo data can be accessed in detections with pre-built Python helpers (and deep_get).
IPinfo datasets are stored as Panther-managed Lookup Tables in bulk, so there is no need to make API calls to leverage this enrichment in your detection logic or alerts.
The data from IPinfo is updated once a day.
IPinfo datasets
There are three data types available from IPinfo that add contextual information about IP addresses:
How to enable IPinfo datasets
If you are using a CI/CD workflow, please see the CI/CD Users section below to learn about additional considerations.
To enable Analyst roles to view and manage IPinfo packages in the Panther Console, they will need to be assigned the View Lookups and Manage Lookups permissions.
To enable IPinfo Panther-managed Lookup Tables:
In the left-hand navigation bar of your Panther Console, click Detections.
Click the Packs tab.
On this page, you can see built-in packs available for IPinfo.
On the right side of the IPInfo tile you wish to enable, click the toggle to enable the pack.
Click Continue in the dialog that appears.
If you'd like to make additional changes through CI/CD with the Panther Analysis Tool (PAT), please contact your Panther representative for more information.
To verify if the IPinfo data sets are enabled, from the left sidebar menu, click Configure > Enrichment Providers.
On this page, you can see Panther-managed enrichment sources (such as IPinfo). You can also see whether the sources are currently enabled or disabled and when a source’s data was last refreshed.
The six IPinfo source tables are visible, as well as the time they were last refreshed. Disabled data sets will not be refreshed.
The ipinfo_asn, ipinfo_location and ipinfo_privacy tables are used for real-time lookups in the detection engine.
The ipinfo_asn_datalake, ipinfo_location_datalake and ipinfo_privacy_datalake tables are used for querying and joining to IPinfo data in the datalake.
CI/CD users
To enable the IPinfo Enrichment Provider in the CLI workflow, see the Managing Lookup Tables and Enrichment Providers with the Panther Analysis Tool guide.
Please note the following considerations:
CI/CD users do not need to use Detection Packs to get IPinfo Tables. You can pull in the latest release of panther-analysis and use the panther_analysis_tool (PAT) to upload the IPinfo Lookup Tables.
To enable the IPinfo Tables using the panther-analysis repo, make sure to open each corresponding YAML configuration file and set enabled: true.
It is possible for CI/CD users to enable IPinfo Lookup Tables via Detection Packs, as long as you do not customize the IPinfo tables using PAT.
If you choose to manage IPinfo through PAT after enabling it in the Panther Console, you must first disable the Detection Packs in the Panther Console. Simultaneous use of both the Panther Console and PAT to manage IPinfo is not supported.
For more information on how to manage IPinfo Lookup Tables, please see the IPinfo files in Panther's GitHub repository.
How to query IPinfo data in the data lake
There are three IPinfo tables in the data lake:
ipinfo_asn_datalake
ipinfo_location_datalake
ipinfo_privacy_datalake
For each of the above tables, there is also a <table>_history table that records all changes.
Using a joinkey
When querying the data lake for IPinfo data, you must use a joinkey to make the queries efficient. The following user-defined functions make setting a joinkey easier:
PANTHER_LOOKUPS.PUBLIC.IPINFO_RANGE_TO_CIDR
PANTHER_LOOKUPS.PUBLIC.IPINFO_TO_INT
PANTHER_LOOKUPS.PUBLIC.IPINFO_TO_IP
Note: IPinfo's code for TO_IP supports IPv4 only.
PANTHER_LOOKUPS.PUBLIC.IPINFO_TO_JOIN_KEY
See an example showing how to query the data lake using a joinkey below.
Examples
Example: Alert based on IPinfo location data
In this example, we create a rule that emits an alert on every login to the AWS console that is done from an unexpected country.
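A standalone sketch of the rule described above, added here as an example and not taken from Panther's own code. The deep_get function is a local stand-in for Panther's helper of the same name, the p_enrichment layout (lookup table name, then matched event field) and the EXPECTED_COUNTRIES allow-list are assumptions, and the sample events are constructed.

```python
EXPECTED_COUNTRIES = {"US"}  # assumption: this organization's allow-list


def deep_get(obj, *keys, default=None):
    """Local stand-in for Panther's deep_get: walk nested dicts safely."""
    for key in keys:
        if not isinstance(obj, dict) or obj.get(key) is None:
            return default
        obj = obj[key]
    return obj


def login_country(event):
    # Assumed layout: p_enrichment -> lookup table name -> matched event field.
    return deep_get(event, "p_enrichment", "ipinfo_location", "sourceIPAddress", "country")


def rule(event):
    if event.get("eventName") != "ConsoleLogin":
        return False
    country = login_country(event)
    if country is None:
        # No enrichment (pack disabled, IP not in the data set): stay silent here
        # rather than treat a missing value as a foreign login.
        return False
    return country not in EXPECTED_COUNTRIES


def title(event):
    return f"AWS console login from unexpected country: {login_country(event)}"


def sample(event_name, ip, country=None):
    """Build a constructed event (not real log data) for the checks below."""
    event = {"eventName": event_name, "sourceIPAddress": ip}
    if country:
        event["p_enrichment"] = {"ipinfo_location": {"sourceIPAddress": {"country": country}}}
    return event


LOGIN_US = sample("ConsoleLogin", "198.51.100.7", "US")
LOGIN_DE = sample("ConsoleLogin", "203.0.113.9", "DE")
LOGIN_BARE = sample("ConsoleLogin", "192.0.2.44")
OTHER_DE = sample("DescribeInstances", "203.0.113.9", "DE")

if __name__ == "__main__":
    for ev in (LOGIN_US, LOGIN_DE, LOGIN_BARE, OTHER_DE):
        print(ev["eventName"], ev["sourceIPAddress"], rule(ev))
```

Logins with no enrichment are deliberately not alerted on by this sketch; a separate check for missing p_enrichment keeps an enrichment gap from hiding real activity.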
Example: Query the data lake for IPinfo data using a joinkey
To look up the IP 71.114.47.25, you will need to specify a joinkey and range.
To join to another table, follow the same pattern as above, but use the IP address in the log table.
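Why an equality key plus a range check keeps the lookup cheap, shown as an added Python illustration that is not Panther's or IPinfo's code. The /16 bucketing in to_join_key is an assumption made for the example (the page does not say how IPINFO_TO_JOIN_KEY derives its value), to_int and to_join_key are hypothetical local functions, and the range rows are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed range rows: (start_ip, end_ip, country). "ZZ" is a placeholder.
ROWS = [
    ("71.114.32.0", "71.114.63.255", "US"),
    ("71.114.64.0", "71.114.127.255", "US"),
    ("198.18.0.0", "198.19.255.255", "ZZ"),  # spans two /16 buckets
]


def to_int(ip):
    """Integer form of an IPv4 address, so ranges compare numerically."""
    return int(ipaddress.IPv4Address(ip))


def to_join_key(ip):
    """Coarse bucket for an address. Assumption: the enclosing /16 network."""
    return str(ipaddress.IPv4Address(to_int(ip) & 0xFFFF0000))


def build_index(rows):
    """File each range under every bucket it overlaps, keyed by join key."""
    index = defaultdict(list)
    for start, end, country in rows:
        lo, hi = to_int(start), to_int(end)
        for bucket in range(lo >> 16, (hi >> 16) + 1):
            index[str(ipaddress.IPv4Address(bucket << 16))].append((lo, hi, country))
    return index


def lookup(index, ip):
    """Equality match on the join key first, then the range check."""
    n = to_int(ip)
    for lo, hi, country in index.get(to_join_key(ip), []):
        if lo <= n <= hi:
            return country
    return None


INDEX = build_index(ROWS)

if __name__ == "__main__":
    print(to_join_key("71.114.47.25"), lookup(INDEX, "71.114.47.25"))
```

Only the rows sharing the address's key are range-checked, which is the effect the joinkey predicate has in the data lake query.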
IPinfo Python helper function usage and methods
Panther has integrated helper functions to streamline the use of IPInfo data in the real-time detection engine.
Creating IPinfo objects in a Python rule
There are helper functions that create objects with methods that can be called to return relevant data from the dataset.
Below is an example code snippet that shows the creation of these objects:
The global keyword is only needed if you intend to use the objects outside of the function in which they are declared.
Calling methods on the IPinfo objects
The various components of the IPinfo datasets are available via methods on the _location and _asn objects. It's possible for one event that your rule is processing to have multiple fields (such as IP addresses, source, and destination IP in a network log). When calling the IPinfo objects, make sure to specify which field you are looking for.
The example below demonstrates calling all helper methods on the ipinfo_location and ipinfo_asn objects we created in the previous example, to get all the enrichment information available in the detection's rule.
The next example uses the geoinfo_from_ip() function that returns a dictionary with geolocation information in the same format as panther_oss_helper.geoinfo_from_ip(), except it does not provide hostname and anycast fields.
If the event field being referenced is an array, then the helper function will return an array of the matching values. For example:
Available methods
The following tables show the available methods for the IPinfo Location, ASN and Privacy Objects, their descriptions, and expected return values.
All methods take the argument of the field you are searching for.
Location
Method | Return type | Example
city | String | "San Francisco"
country | String | "US"
latitude | String | "37.7812"
longitude | String | "-122.4614"
postal_code | String | "94118"
region | String | "California"
region_code | String | "CA"
timezone | String | "America/Los_Angeles"
context | Object | a dictionary that contains all of the above fields with capitalized method name as a key, e.g.: {"City": "San Francisco", ...}
ASN
Method | Return type | Example
asn | String | "AS7018"
domain | String | "att.com"
name | String | "AT&T Services, Inc."
route | String | "107.128.0.0/12"
type | String | "isp"
context | Object | a dictionary that contains all of the above fields with capitalized method name as a key, e.g.: {"ASN": "AS7018", "Domain": "att.com", ...}
Privacy
Method | Return type | Example
hosting | boolean | true
proxy | boolean | false
tor | boolean | true
vpn | boolean | false
relay | boolean | true
service | string | "NordVPN"