If I have an IP address, how can I check if the IP belongs to a known VPN service?
Our built-in IpInfo enrichment service offers functionality to determine whether an IP address belongs to a known VPN. You can use IpInfo to check an address either by querying the data lake directly, or by using the enriched event data in your detections.
NOTE: Currently, the Search Tool doesn't support this functionality; you must use the Data Explorer to run the query below.
You can check an IP using helper macros that come with the IpInfo tables.
The following example query checks whether "184.10.3.10" is an IP address belonging to a VPN. You can use the same query, substituting the IP address with any value you choose:
SELECT
    vpn
FROM
    panther_lookups.public.ipinfo_privacy_datalake
WHERE
    joinkey = PANTHER_LOOKUPS.PUBLIC.IPINFO_TO_IP(PANTHER_LOOKUPS.PUBLIC.IPINFO_TO_JOIN_KEY('184.10.3.10'))
    AND PANTHER_LOOKUPS.PUBLIC.IPINFO_TO_INT('184.10.3.10')
        BETWEEN PANTHER_LOOKUPS.PUBLIC.IPINFO_TO_INT(startip)
        AND PANTHER_LOOKUPS.PUBLIC.IPINFO_TO_INT(endip)
If IpInfo privacy enrichment is configured for your log type, you can use one of our helper functions to determine whether an IP address in the log event belongs to a VPN. Here's an example:
from panther_ipinfo_helpers import get_ipinfo_privacy


def rule(event):
    # Pull the IpInfo privacy enrichment attached to this event, if any
    privacy = get_ipinfo_privacy(event)
    if not privacy:
        # Return False if we don't have any IpInfo privacy data for this event
        return False
    # Check the VPN flag for the address stored in the event's 'clientIp' field
    is_vpn = privacy.vpn('clientIp')
    return is_vpn
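The data lake query and the rule above both rely on the same idea: convert the address to an integer and test whether it falls inside a row's startip/endip range, then read that row's vpn flag. The following is an added example, not Panther's own code, that reproduces that range lookup offline against a constructed stand-in for the ipinfo_privacy_datalake table (the joinkey bucketing step is omitted, since it only narrows the scan); SAMPLE_PRIVACY_ROWS, lookup_privacy and is_vpn are names chosen here.

```python
import ipaddress
from typing import Optional

# Constructed sample rows standing in for panther_lookups.public.ipinfo_privacy_datalake.
# These ranges and flags are made up for the example, not real IpInfo data.
SAMPLE_PRIVACY_ROWS = [
    {"startip": "184.10.3.0", "endip": "184.10.3.255", "vpn": True},
    {"startip": "203.0.113.0", "endip": "203.0.113.127", "vpn": False},
    {"startip": "2001:db8::", "endip": "2001:db8::ffff", "vpn": True},
]


def ip_to_int(ip: str) -> int:
    """Integer form of an IPv4 or IPv6 address (what IPINFO_TO_INT does in the query)."""
    return int(ipaddress.ip_address(ip))


def lookup_privacy(ip: str, rows=SAMPLE_PRIVACY_ROWS) -> Optional[dict]:
    """Return the row whose [startip, endip] range contains ip, or None if no row matches."""
    addr = ipaddress.ip_address(ip)
    target = int(addr)
    for row in rows:
        start = ipaddress.ip_address(row["startip"])
        end = ipaddress.ip_address(row["endip"])
        # An IPv4 integer must never be compared against an IPv6 range (or vice versa)
        if start.version != addr.version:
            continue
        if int(start) <= target <= int(end):  # the BETWEEN clause from the SQL
            return row
    return None


def is_vpn(ip: str, rows=SAMPLE_PRIVACY_ROWS) -> bool:
    """True only when a matching row exists and its vpn flag is set."""
    row = lookup_privacy(ip, rows)
    return bool(row and row["vpn"])


def rule(event: dict) -> bool:
    """Detection-style wrapper: alert when the event's clientIp sits in a VPN range."""
    client_ip = event.get("clientIp")
    if not client_ip:
        return False
    try:
        return is_vpn(client_ip)
    except ValueError:
        # A malformed address yields no enrichment match, so no alert
        return False
```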