QUESTION

My Panther detection is generating one of the following:

• When using geoinfo_from_ip from panther_ipinfo_helpers, a "PantherIPInfoException: Please enable both IPInfo Location and ASN Enrichment Providers" error

• When using IPInfoLocation(), a Null result

How do I fix this?

ANSWER

To successfully use IPInfo enrichment functions in your Panther detections, please ensure IPinfo has been enabled.

The IPinfo helper functions rely on the IPinfo enrichment provider (and its Data Lake variants) having been enabled in your Panther instance. If these are not enabled, the helpers will either throw an error or return null.

For geoinfo_from_ip: This function depends on both ipinfo_location and ipinfo_asn. Make sure to enable these along with their corresponding _datalake enrichment providers.

Alternative approach

Instead of using geoinfo_from_ip, you can access the enrichment data directly in your detection using deep_get on the p_enrichment object. Functionally, both approaches are the same, as the helper functions are essentially just wrappers around the original enrichment object. However, using the IPInfo helper functions provides extra benefits, such as type hints and autocomplete in IDEs, which can make development easier.