QUESTION

In the Panther Console, how do I test a detection that uses GreyNoise enrichment?

ANSWER

You can test your detection that uses GreyNoise enrichment in two ways:

  1. Artificially mark one or more IPs in your test event as having a certain GreyNoise classification, such as malicious.

  2. Fetch a real IP that GreyNoise has given a certain classification, such as malicious.

    • With this approach, be aware that GreyNoise IP classifications can change.

Option 1: Artificially mark one or more IPs in your test event as having a certain GreyNoise classification
  1. In the Panther Console, navigate to Search or Data Explorer.

  2. Find a sample event. For example, look for a successful Okta sign-in event.

  3. Copy the event, and paste it in your detection as a unit test.

  4. In the test event JSON, paste in a fake p_enrichment struct that includes GreyNoise data.

  5. Modify the "classification" value to the classification of your choice, such as malicious or benign. For example:
    "p_enrichment": {
      "greynoise_noise_basic": {
        "sourceIP": {
          "ip": "1.2.3.4",
          "actor": "bad actor",
          "classification": "malicious"
        }
      }
    }

  6. Click Run Test.

Option 2: Fetch a real IP that GreyNoise has given a certain classification
  1. In the Panther Console, navigate to Search or Data Explorer.

  2. Find a sample event. For example, look for a successful Okta sign-in event.

  3. Copy the event, and paste it in your detection as a unit test.

  4. In another browser window, navigate to GreyNoise Trending.

  5. Find a recent malicious IP address, and copy it.

  6. Back in the Panther Console, replace the IP addresses in the new unit test with the malicious IP address.

    • You can use CMD+F to open the Panther Console's search and replace feature.

  7. Click Enrich Test Data to ensure the p_enrichment fields populate correctly.

  8. Click Run Test.
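As an added example (not code from the Panther docs or Panther's own helper libraries), here is a minimal Python detection that reads the p_enrichment struct from Option 1, plus a helper that builds that Option 1 style test event from a copied sign-in event; it also shows that the rule stays quiet when enrichment has not populated yet (the situation Option 2's Enrich Test Data step guards against). It assumes a plain dict event and a local deep_get in place of Panther's event.deep_get(), and the Okta fields are a constructed sample.

```python
"""Added example (not Panther's own code): a GreyNoise-enriched detection
with the two kinds of test event the answer describes.

Assumptions: Panther's rule() receives an event object with deep_get();
here a plain dict plus a small deep_get stand in so this runs offline.
"""
from typing import Any

# Constructed sample: a successful Okta sign-in event, trimmed to the
# fields this example needs (field names are illustrative).
OKTA_SIGNIN = {
    "eventType": "user.session.start",
    "outcome": {"result": "SUCCESS"},
    "client": {"ipAddress": "1.2.3.4"},
}


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts safely; return default if any key is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def with_fake_greynoise(event: dict, ip: str, classification: str) -> dict:
    """Option 1: attach an artificial p_enrichment block to a copied event."""
    enriched = dict(event)
    enriched["p_enrichment"] = {
        "greynoise_noise_basic": {
            "sourceIP": {"ip": ip, "actor": "bad actor",
                         "classification": classification}
        }
    }
    return enriched


def rule(event: dict) -> bool:
    """Fire on a successful sign-in from an IP GreyNoise classifies as malicious."""
    if deep_get(event, "outcome", "result") != "SUCCESS":
        return False
    # Enrichment may be absent (e.g. Enrich Test Data was not clicked yet),
    # so a missing classification must not raise; it simply does not alert.
    classification = deep_get(event, "p_enrichment", "greynoise_noise_basic",
                              "sourceIP", "classification", default="unknown")
    return classification == "malicious"
```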