How can I use Panther to determine if an IP belongs to a VPN?
QUESTION
If I have an IP address, how can I check if the IP belongs to a known VPN service?
ANSWER
Our built-in IpInfo enrichment service can tell you whether an IP address belongs to a known VPN. You can check an address with IpInfo either by querying the data lake directly or by using enrichment on events inside your detections.
Querying the Data Lake
NOTE: Currently, the Query Builder doesn't support this functionality; you must use the Data Explorer to run the query below.
You can check an IP using helper macros that come with the IpInfo tables.
The following example query checks whether "184.10.3.10" is an IP address belonging to a VPN. You can run the same query for any address by substituting the IP in both places it appears:

SELECT vpn
FROM panther_lookups.public.ipinfo_privacy_datalake
WHERE joinkey = PANTHER_LOOKUPS.PUBLIC.IPINFO_TO_IP(
        PANTHER_LOOKUPS.PUBLIC.IPINFO_TO_JOIN_KEY('184.10.3.10'))
  AND PANTHER_LOOKUPS.PUBLIC.IPINFO_TO_INT('184.10.3.10')
      BETWEEN PANTHER_LOOKUPS.PUBLIC.IPINFO_TO_INT(startip)
          AND PANTHER_LOOKUPS.PUBLIC.IPINFO_TO_INT(endip)
Using Enrichment in your Detections
If IpInfo privacy enrichment is configured for your log type, you can use one of our helper functions to determine whether an IP address in the log event belongs to a VPN. Here's an example:

from panther_ipinfo_helpers import get_ipinfo_privacy

def rule(event):
    privacy = get_ipinfo_privacy(event)
    if not privacy:
        # Return False if we don't have any VPN data for this IP
        return False
    is_vpn = privacy.vpn('clientIp')
    return is_vpn
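To make the matching behind both approaches concrete, here is an added, self-contained Python example (not Panther's code and not the IpInfo helper) that reproduces the integer range comparison the data-lake query performs and the "no data means not a VPN" decision the detection makes. The table rows are constructed for illustration; the joinkey shortcut in the SQL is a lookup optimization and is assumed not to change which range matches, so it is not reproduced.

```python
import ipaddress
from typing import Optional

# Constructed sample rows shaped like the columns the data-lake query reads
# (startip, endip, vpn). Values are made up for this example.
PRIVACY_ROWS = [
    {"startip": "184.10.3.0", "endip": "184.10.3.255", "vpn": True},
    {"startip": "198.51.100.0", "endip": "198.51.100.127", "vpn": False},
    {"startip": "2001:db8::", "endip": "2001:db8::ffff", "vpn": True},
]


def ip_to_int(ip: str) -> int:
    """Integer form of an IPv4 or IPv6 address, the role IPINFO_TO_INT plays
    in the query. Raises ValueError on anything that is not a literal address,
    so a caller never builds a query around malformed input."""
    return int(ipaddress.ip_address(ip.strip()))


def lookup_privacy(ip: str, rows=PRIVACY_ROWS) -> Optional[dict]:
    """Return the first row whose [startip, endip] range contains ip, else None.
    Mirrors the BETWEEN clause of the SQL. Rows of the other IP version are
    skipped because IPv4 and IPv6 integers are not comparable, and a malformed
    ip yields None rather than an exception so a detection does not crash."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return None
    n = int(addr)
    for row in rows:
        start = ipaddress.ip_address(row["startip"])
        end = ipaddress.ip_address(row["endip"])
        if start.version != addr.version:
            continue
        if int(start) <= n <= int(end):
            return row
    return None


def is_vpn(ip: str, rows=PRIVACY_ROWS) -> bool:
    """Detection-style decision: False when there is no row for the IP,
    since missing enrichment data is not evidence of VPN use."""
    row = lookup_privacy(ip, rows)
    if not row:
        return False
    return bool(row["vpn"])


def rule(event: dict, rows=PRIVACY_ROWS) -> bool:
    """Shape of a Panther rule over a constructed event with a clientIp field."""
    return is_vpn(event.get("clientIp", ""), rows)
```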