Why am I getting errors with "HTTP code 429 (TOO MANY REQUESTS)" for my Panther detection using the IPinfo API?

Issue

I have a detection function which uses the IPinfo API to get information. This detection has been receiving errors with HTTP code 429 ("TOO MANY REQUESTS"), indicating rate limiting. Why is this happening and how can I fix it?

Resolution

You can avoid using API calls in your detection, and therefore the rate limiting, by implementing the IPinfo enrichment provider. This will automatically add IPinfo contextual data to any IP addresses that are detected in your log event, which you can then access during your detection.

For information on how to configure this in your Panther instance, check out our documentation page on IPinfo enrichment.

Cause

The free tier of IPinfo has a relatively low threshold for rate limiting, and it's easy to hit this limit when using their API in your Panther detections. For each log type you map your detection to, Panther will run your rule function for every event of that type, meaning that you are potentially making IPinfo requests for each event! This can add up very quickly.

Sometimes you may not observe any rate limiting, and then it suddenly becomes an issue. In such cases, it's possible that you recently had an increase in volume for log events of those log types; for example: onboarding a new CloudTrail source.

Using the built-in IPinfo enrichment, you bypass the need to make requests directly to IPinfo itself.