How can I add enrichment to my Panther detection test events in CI/CD and in the Panther Console?
QUESTION
How can I add enrichment to my Panther detection test events in the Panther Console without actually ingesting data? When developing detections outside of the Panther Console (locally using panther_analysis_tool (PAT)), how can I add enrichment (GreyNoise, IPInfo, lookup tables, etc.) to an event I wish to use as a test case?
ANSWER
CI/CD
Use the PAT command enrich-test-data, available as of PAT version 0.26, to attach Enrichment content to the test events in your detection files without ingesting any data. See the documentation for limitations and other information: enrich-test-data: Enriching test data with Enrichment content.
Panther Console
While viewing the detection in the Console, click Enrich Test Data when creating a test to add enrichment to your event. See Enrich Test Data in our docs for more information.
For information specific to testing IPs with GreyNoise enrichment, see How do I test a detection that uses GreyNoise enrichment in the Panther Console?.
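Whether the enrichment is attached by PAT's enrich-test-data command in CI/CD or by the Enrich Test Data button in the Console, the result is the same: the test event gains a p_enrichment key, nested by lookup table name and then by the event field that matched. The following is an added example (not Panther's own code or documentation) of what such an enriched test event looks like and how a detection reads it. The lookup table name greynoise_noise_basic, the matched field ip, the field names inside the enrichment record, and the sample event itself are all constructed assumptions for this illustration; check the real names against the lookup tables configured in your Panther instance.

```python
"""
Added example: reading enrichment from a Panther test event.

Assumptions (constructed for this example, not taken from Panther docs):
  - lookup table name:  greynoise_noise_basic
  - matched field:      ip
  - record fields:      classification, noise
The event data below is constructed sample data, not real telemetry.
"""
from typing import Any, Mapping, Optional

# Constructed sample: a test event AFTER enrich-test-data / "Enrich Test Data"
# has run. Panther places enrichment under p_enrichment, keyed by lookup
# table name and then by the event field that matched the table.
ENRICHED_TEST_EVENT = {
    "eventName": "ConsoleLogin",
    "ip": "203.0.113.7",  # RFC 5737 documentation address (constructed)
    "p_enrichment": {
        "greynoise_noise_basic": {  # assumed lookup table name
            "ip": {  # the event field that matched
                "classification": "malicious",
                "noise": True,
            }
        }
    },
}

# The same event BEFORE enrichment. A detection that depends on enrichment
# must degrade safely when p_enrichment is absent (e.g. a test written by
# hand without running enrich-test-data).
PLAIN_TEST_EVENT = {"eventName": "ConsoleLogin", "ip": "198.51.100.9"}


def deep_get(obj: Mapping[str, Any], *keys: str, default: Any = None) -> Any:
    """Walk nested mappings safely; a stand-in for Panther's deep_get helper."""
    cur: Any = obj
    for key in keys:
        if not isinstance(cur, Mapping) or key not in cur:
            return default
        cur = cur[key]
    return cur


def greynoise_classification(
    event: Mapping[str, Any], table: str = "greynoise_noise_basic"
) -> Optional[str]:
    """Return the enrichment classification for the event's ip field, if present."""
    return deep_get(event, "p_enrichment", table, "ip", "classification")


def rule(event: Mapping[str, Any]) -> bool:
    """Panther-style rule entry point: fire only when enrichment marks the IP malicious."""
    return greynoise_classification(event) == "malicious"


def title(event: Mapping[str, Any]) -> str:
    """Panther-style title entry point built from the enriched fields."""
    classification = greynoise_classification(event) or "unknown"
    return f"Console login from GreyNoise-classified {classification} IP {event.get('ip')}"


if __name__ == "__main__":
    # Expected: True for the enriched event, False for the un-enriched one.
    print(rule(ENRICHED_TEST_EVENT), rule(PLAIN_TEST_EVENT))
    print(title(ENRICHED_TEST_EVENT))
```

The second event is the check worth keeping in every test suite: a detection that reads p_enrichment with a raw dictionary lookup raises a KeyError on any event that was never enriched, so testing both the enriched and the plain form of the same event confirms the rule fails closed rather than crashing.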