If I have an IP address, how can I check if the IP belongs to a known VPN service?
Our built-in IpInfo enrichment service can determine whether an IP address belongs to a known VPN. You can use IpInfo to check an address in two ways: by querying the IpInfo tables in the data lake directly, or by reading the enrichment that IpInfo attaches to events inside your detections.
Querying the Data Lake
You can check an IP using helper macros that come with the IpInfo tables.
The following example query checks whether "126.96.36.199" is an IP address belonging to a VPN. You can use the same query for any address you choose; note that the address appears twice, once to build the join key and once for the start/end range comparison, so substitute it in both places:

SELECT vpn
FROM panther_lookups.public.ipinfo_privacy_datalake
WHERE joinkey = PANTHER_LOOKUPS.PUBLIC.IPINFO_TO_IP(PANTHER_LOOKUPS.PUBLIC.IPINFO_TO_JOIN_KEY('126.96.36.199'))
  AND PANTHER_LOOKUPS.PUBLIC.IPINFO_TO_INT('126.96.36.199')
      BETWEEN PANTHER_LOOKUPS.PUBLIC.IPINFO_TO_INT(startip)
          AND PANTHER_LOOKUPS.PUBLIC.IPINFO_TO_INT(endip)
Using Enrichment in your Detections
The following rule reads the IpInfo privacy enrichment for the event's clientIp field and alerts only when that address is flagged as a VPN:

from panther_ipinfo_helpers import get_ipinfo_privacy


def rule(event):
    privacy = get_ipinfo_privacy(event)
    if not privacy:
        # Return False if we don't have any VPN data for this IP
        return False
    # 'clientIp' is the event field whose value was enriched by IpInfo;
    # vpn() returns True when the IpInfo privacy data flags that address as a VPN
    is_vpn = privacy.vpn('clientIp')
    return is_vpn
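As an added illustration that is not Panther's own code and not part of the original page, here is a self-contained Python model of what the data-lake query and the detection above both do: convert the address to a comparable integer, find the privacy row whose [startip, endip] range contains it, and return False when there is no data or the address is malformed. The PRIVACY_RANGES rows and the sample events are constructed stand-ins for the ipinfo_privacy_datalake table and real log events.

```python
# Added example (not Panther's code): a local model of the IpInfo range lookup.
import ipaddress
from typing import Optional

# Constructed stand-in for panther_lookups.public.ipinfo_privacy_datalake:
# each row covers an inclusive [startip, endip] range plus privacy flags.
PRIVACY_RANGES = [
    {"startip": "203.0.113.0", "endip": "203.0.113.255", "vpn": True, "proxy": False},
    {"startip": "198.51.100.0", "endip": "198.51.100.63", "vpn": False, "proxy": True},
]


def ip_to_int(ip: str) -> int:
    """Mirror of IPINFO_TO_INT: an address as an integer so ranges can be compared."""
    return int(ipaddress.ip_address(ip))


def lookup_privacy(ip: str) -> Optional[dict]:
    """Mirror of the WHERE clause: the row whose range contains ip, else None.

    Raises ValueError for a malformed address (same as ipaddress.ip_address).
    Only rows of the same IP version are compared, so a small IPv6 integer
    cannot accidentally fall inside an IPv4 range.
    """
    addr = ipaddress.ip_address(ip)
    for row in PRIVACY_RANGES:
        start = ipaddress.ip_address(row["startip"])
        end = ipaddress.ip_address(row["endip"])
        if start.version == addr.version and start <= addr <= end:
            return row
    return None


def rule(event: dict) -> bool:
    """Same shape as the detection above: alert only on a known VPN address."""
    ip = event.get("clientIp")
    if not ip:
        return False
    try:
        privacy = lookup_privacy(ip)
    except ValueError:
        # Malformed address in the event: treat it as "no data", not as VPN
        return False
    if not privacy:
        # No IpInfo row covers this address, so there is no VPN data for it
        return False
    return bool(privacy["vpn"])
```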