How do I test a detection that uses GreyNoise enrichment in the Panther Console?
ANSWER
You can test your detection that uses GreyNoise enrichment in two ways:
- Artificially mark one or more IPs in your test event as having a certain GreyNoise classification, such as malicious.
- Fetch a real IP that GreyNoise has given a certain classification, such as malicious.
  - With this approach, be aware that GreyNoise IP classifications can change.
Option 1: Artificially mark one or more IPs in your test event as having a certain GreyNoise classification
- In the Panther Console, navigate to Search or Data Explorer.
- Find a sample event. For example, look for a successful Okta sign-in event.
- Copy the event, and paste it in your detection as a unit test.
- In the test event JSON, paste in a fake p_enrichment struct that includes GreyNoise data.
- Modify the "classification" value to the classification of your choice, such as malicious or benign. Note that the "ip" value must be a JSON string, so keep the quotes around it. For example:
    "p_enrichment": {
        "greynoise_noise_basic": {
            "sourceIP": {
                "ip": "1.2.3.4",
                "actor": "bad actor",
                "classification": "malicious"
            }
        }
    }
- Click Run Test.
Option 2: Fetch a real IP that GreyNoise has given a certain classification
- In the Panther Console, navigate to Search or Data Explorer.
- Find a sample event. For example, look for a successful Okta sign-in event.
- Copy the event, and paste it in your detection as a unit test.
- In another browser window, navigate to GreyNoise Trending.
- Find a recent malicious IP address, and copy it.
- Back in the Panther Console, replace the IP addresses in the new unit test with the malicious IP address.
  - You can use CMD+F to open the Panther Console's search and replace feature.
- Click Enrich Test Data to ensure the p_enrichment fields populate correctly.
- Click Run Test.
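The detection side of this workflow, as an added example that is not taken from the Panther docs: a minimal Panther-style rule that reads the p_enrichment struct shown in Option 1, with constructed test events in the same shape (the Okta eventType and outcome fields, the deep_get helper and the function names are assumptions, not Panther's own helpers).

```python
# Added example, not Panther's code. Assumes the page's enrichment layout:
# p_enrichment.greynoise_noise_basic.<enriched field>.classification
from typing import Any, Optional

SUSPICIOUS_CLASSIFICATIONS = {"malicious"}


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts safely; return `default` if any key is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def greynoise_classification(event: dict, field: str = "sourceIP") -> Optional[str]:
    """Return the GreyNoise classification Panther attached for `field`, if any."""
    return deep_get(event, "p_enrichment", "greynoise_noise_basic", field, "classification")


def rule(event: dict) -> bool:
    """Alert on a successful Okta sign-in whose source IP GreyNoise marks malicious.
    A missing p_enrichment struct (enrichment not run) must not fire the rule."""
    if event.get("eventType") != "user.session.start":
        return False
    if deep_get(event, "outcome", "result") != "SUCCESS":
        return False
    return greynoise_classification(event) in SUSPICIOUS_CLASSIFICATIONS


def title(event: dict) -> str:
    """Alert title built from the enrichment fields, with safe fallbacks."""
    base = ("p_enrichment", "greynoise_noise_basic", "sourceIP")
    ip = deep_get(event, *base, "ip", default="unknown")
    actor = deep_get(event, *base, "actor", default="unknown")
    return f"Okta sign-in from GreyNoise-flagged IP {ip} (actor: {actor})"


def make_test_event(classification: Optional[str]) -> dict:
    """Constructed Okta-style sign-in event with a fake p_enrichment struct,
    the same thing Option 1 pastes into a unit test. None omits enrichment."""
    event = {"eventType": "user.session.start",
             "outcome": {"result": "SUCCESS"},
             "client": {"ipAddress": "1.2.3.4"}}
    if classification is not None:
        event["p_enrichment"] = {"greynoise_noise_basic": {"sourceIP": {
            "ip": "1.2.3.4", "actor": "bad actor", "classification": classification}}}
    return event
```

Running rule() over make_test_event("malicious"), make_test_event("benign") and make_test_event(None) reproduces what Run Test does in the Console: only the malicious case should fire.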