QUESTION

I am a GreyNoise customer and have set up a GreyNoise custom Lookup Table in Panther. In the Panther Console, how do I test a detection that references GreyNoise enrichment data?

ANSWER

GreyNoise enrichment is in open beta starting with Panther version 1.117.

You can test your detection that uses GreyNoise enrichment in two ways:

1. Artificially mark one or more IPs in your test event as having a certain GreyNoise classification, such as malicious.

2. Fetch a real IP that GreyNoise has given a certain classification, such as malicious.

   • With this approach, be aware that GreyNoise IP classifications can change.

Option 1: Artificially mark one or more IPs in your test event as having a certain GreyNoise classification

1. In the Panther Console, navigate to Search or Data Explorer.

2. Find a sample event. For example, look for a successful Okta sign-in event.

3. Copy the event, and paste it in your detection as a unit test.

4. In the test event JSON, paste in a fake p_enrichment struct that includes GreyNoise data.

5. Modify the "classification" value to the classification of your choice, such as malicious or benign. For example:
   "p_enrichment": {
  "greynoise_noise_basic": {
    "sourceIP": {
      "ip": 1.2.3.4,
      "actor": "bad actor",
      "classification": "malicious"
    }
  }
}

6. Click Run Test.

Option 2: Fetch a real IP that GreyNoise has given a certain classification

1. In the Panther Console, navigate to Search or Data Explorer.

2. Find a sample event. For example, look for a successful Okta sign-in event.

3. Copy the event, and paste it in your detection as a unit test.

4. In another browser window, navigate to GreyNoise Trending.

5. Find a recent malicious IP address, and copy it.

6. Back in the Panther Console, replace the IP addresses in the new unit test with the malicious IP address.

   • You can use CMD+F to open the Panther Console's search and replace feature.

7. Click Enrich Test Data to ensure the p_enrichment fields populate correctly.

8. Click Run Test.