QUESTION

If I have an IP address, how can I check if the IP belongs to a known VPN service?

ANSWER

Our built-in IpInfo enrichment service can tell you whether an IP address belongs to a known VPN. There are two ways to use it: query the IpInfo tables directly in the data lake, or let IpInfo enrichment annotate events so a detection can check the flag at rule time.

Querying the Data Lake

NOTE: Currently, the Search Tool doesn't support this functionality; you must use the Data Explorer to run the query below.

You can check an IP using helper macros that come with the IpInfo tables.

The following example query checks whether "184.10.3.10" falls inside an IP range that IpInfo flags as a VPN. You can run the same query with any address substituted for "184.10.3.10" (in both places). The query returns the vpn flag of the matching range; if the address is not inside any IpInfo privacy range, no rows are returned, which you should treat as "unknown" rather than "not a VPN":

SELECT
  vpn
FROM
  panther_lookups.public.ipinfo_privacy_datalake
WHERE
  joinkey = PANTHER_LOOKUPS.PUBLIC.IPINFO_TO_IP(PANTHER_LOOKUPS.PUBLIC.IPINFO_TO_JOIN_KEY('184.10.3.10'))
  AND
  PANTHER_LOOKUPS.PUBLIC.IPINFO_TO_INT('184.10.3.10') BETWEEN
    PANTHER_LOOKUPS.PUBLIC.IPINFO_TO_INT(startip)
      AND PANTHER_LOOKUPS.PUBLIC.IPINFO_TO_INT(endip)

Using Enrichment in your Detections

If IpInfo privacy enrichment is configured for your log type, the enriched event carries the IpInfo privacy data for the matched field, and you can use one of our helper functions to determine whether the IP address in the event is from a VPN. Here's an example:

from panther_ipinfo_helpers import get_ipinfo_privacy


def rule(event):
    privacy = get_ipinfo_privacy(event)
    if not privacy:
        # The event carries no IpInfo privacy enrichment at all (enrichment
        # not configured, or no range matched), so there is nothing to decide.
        return False
    # 'clientIp' is the field of this log type that holds the address to check;
    # use whichever field the enrichment is configured to match on.
    is_vpn = privacy.vpn('clientIp')
    # vpn() can return None when that field had no match; coerce to a bool so
    # the rule always returns True or False.
    return bool(is_vpn)
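The following is an added example, not Panther's own code, that models both halves of this answer end to end: the integer range containment that the data lake query performs with the IPINFO_TO_INT macros, and a rule shaped like the detection above that reads the result from the event. It assumes a constructed privacy table (made-up ranges and flags, not IpInfo data), that enrichment is attached under p_enrichment.<lookup table name>.<matched field> with the lookup table named "ipinfo_privacy", and a stand-in PrivacyLookup class in place of the object get_ipinfo_privacy returns. It also shows why the query converts addresses to integers: comparing dotted quads as strings gives wrong answers.

```python
import ipaddress

# Constructed stand-in for the ipinfo_privacy_datalake table. The ranges and
# flags are made up for this example and are not real IpInfo data.
PRIVACY_TABLE = [
    {"startip": "184.10.3.0", "endip": "184.10.3.255",
     "vpn": True, "proxy": False, "tor": False, "hosting": False},
    {"startip": "198.51.100.0", "endip": "198.51.100.63",
     "vpn": False, "proxy": True, "tor": False, "hosting": True},
    {"startip": "2001:db8:10::", "endip": "2001:db8:10:ffff:ffff:ffff:ffff:ffff",
     "vpn": True, "proxy": False, "tor": False, "hosting": False},
]

# Assumed name of the lookup table as it appears under p_enrichment.
LUT_NAME = "ipinfo_privacy"


def ip_to_int(ip):
    """Numeric form of an IPv4 or IPv6 address, what IPINFO_TO_INT does in SQL."""
    return int(ipaddress.ip_address(ip))


def string_range_check(ip, startip, endip):
    """Deliberately wrong: lexical comparison of dotted quads. Kept only to
    show why the query converts to integers before the BETWEEN."""
    return startip <= ip <= endip


def lookup_privacy(ip, table=PRIVACY_TABLE):
    """Return the row whose [startip, endip] range contains ip, else None.
    This is the BETWEEN clause of the query; the join-key macro there is an
    index optimisation that a linear scan over a small table does not need."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # malformed or missing input: unknown, not an error
    n = int(addr)
    for row in table:
        start = ipaddress.ip_address(row["startip"])
        end = ipaddress.ip_address(row["endip"])
        if start.version != addr.version:
            continue  # never compare IPv4 integers against IPv6 ranges
        if int(start) <= n <= int(end):
            return row
    return None


def enrich(event, match_field, table=PRIVACY_TABLE):
    """Attach the lookup result under p_enrichment.<LUT_NAME>.<match_field>,
    the layout this example assumes for Panther enrichment. Events whose
    address matches no range get no enrichment entry at all."""
    row = lookup_privacy(event.get(match_field, ""), table)
    if row is not None:
        event.setdefault("p_enrichment", {}).setdefault(LUT_NAME, {})[match_field] = row
    return event


class PrivacyLookup:
    """Stand-in for the object get_ipinfo_privacy returns: one accessor per flag,
    keyed by the event field that was matched."""

    def __init__(self, data):
        self.data = data

    def _flag(self, match_field, name):
        return self.data.get(match_field, {}).get(name)

    def vpn(self, match_field):
        return self._flag(match_field, "vpn")

    def proxy(self, match_field):
        return self._flag(match_field, "proxy")

    def tor(self, match_field):
        return self._flag(match_field, "tor")

    def hosting(self, match_field):
        return self._flag(match_field, "hosting")


def get_privacy(event):
    """Stand-in for get_ipinfo_privacy: None when the event has no privacy data."""
    data = event.get("p_enrichment", {}).get(LUT_NAME)
    return PrivacyLookup(data) if data is not None else None


def rule(event):
    privacy = get_privacy(event)
    if privacy is None:
        return False  # no enrichment on this event, nothing to decide
    return bool(privacy.vpn("clientIp"))  # None (no match) becomes False


def title(event):
    return "Connection from VPN address %s" % event.get("clientIp")


# Constructed sample events: VPN, proxy-only, unlisted, and IPv6 VPN.
SAMPLE_EVENTS = [
    {"clientIp": "184.10.3.10"},
    {"clientIp": "198.51.100.9"},
    {"clientIp": "9.9.9.9"},
    {"clientIp": "2001:db8:10::5"},
]


def run_samples():
    """Enrich each sample event and evaluate the rule; returns {ip: verdict}."""
    return {e["clientIp"]: rule(enrich(dict(e), "clientIp")) for e in SAMPLE_EVENTS}
```

Note that an event that never went through enrichment evaluates to False in rule() exactly like the real helper path on the page: absence of data is "unknown", and the rule should not fire on unknown.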