How can I add enrichment to my Panther detection test events in CI/CD and in the Panther Console?
QUESTION
How can I add enrichment to my Panther detection test events in the Panther Console without actually ingesting data? When developing detections outside of the Panther Console (locally using panther_analysis_tool (PAT)), how can I add enrichment (GreyNoise, IPInfo, lookup tables, etc.) to an event I wish to use as a test case?
ANSWER
CI/CD
You can use the PAT command enrich-test-data as of PAT version 0.26. See the documentation for limitations and other information: enrich-test-data: Enriching test data with Enrichment content.
Panther Console
While viewing the detection in the Console, click Enrich Test Data when creating a test to add enrichment to your event. See Enrich Test Data in our docs for more information.
For information specific to testing IPs with GreyNoise enrichment, see How do I test a detection that uses GreyNoise enrichment in the Panther Console?.
The Okta information stored in the Panther-managed Lookup Tables can be referred to in detection logic and search queries. Any custom attributes that you add to Okta’s user profile will get ingested into Panther. You can customize user profiles in Okta by following their documentation.
Our documentation provides steps on both viewing stored enrichment data and exploring the enrichment data associated with a particular event value using Search.
Here is an example of using Okta profile data in a detection. If you’re looking to recreate the event as it would appear in a detection, you can enrich the log event as a unit test.