In the Panther Console, how do I test a detection that uses GreyNoise enrichment?
You can test a detection that uses GreyNoise enrichment in two ways:

1. Artificially mark one or more IPs in your test event as having a certain GreyNoise classification, such as malicious.
2. Fetch a real IP that GreyNoise has given a certain classification, such as malicious. With this approach, be aware that GreyNoise IP classifications can change over time.
Option 1: Use a fake p_enrichment struct

1. In the Panther Console, navigate to Search or Data Explorer.
2. Find a sample event. For example, look for a successful Okta sign-in event.
3. Copy the event, and paste it into your detection as a unit test.
4. In the test event JSON, paste in a fake p_enrichment struct that includes GreyNoise data.
5. Modify the "classification" value to the classification of your choice, such as malicious or benign. For example (note that the "ip" value must be a JSON string):

   "p_enrichment": {
     "greynoise_noise_basic": {
       "sourceIP": {
         "ip": "1.2.3.4",
         "actor": "bad actor",
         "classification": "malicious"
       }
     }
   }

6. Click Run Test.
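As an added example (not Panther's own code or helpers), here is a minimal Panther-style rule that alerts on a successful Okta sign-in only when the fake p_enrichment struct above classifies the source IP as malicious, together with a constructed unit-test event. The deep_get function is a local stand-in for Panther's helper, the Okta field names (eventType, outcome.result, client.ipAddress) are assumed from the Okta System Log format, and the example also covers the case where no enrichment is present at all.

```python
import copy

def deep_get(obj, *keys, default=None):
    """Walk nested dicts; return default when any key is missing (stand-in for Panther's helper)."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return default if obj is None else obj

def greynoise_classification(event):
    # Same path as the fake p_enrichment struct pasted into the unit test
    return deep_get(event, "p_enrichment", "greynoise_noise_basic", "sourceIP", "classification")

def rule(event):
    # Only successful Okta sign-ins (assumed Okta System Log field names)
    if event.get("eventType") != "user.session.start":
        return False
    if deep_get(event, "outcome", "result") != "SUCCESS":
        return False
    # Missing enrichment or a non-malicious classification must not alert
    return greynoise_classification(event) == "malicious"

def title(event):
    actor = deep_get(event, "p_enrichment", "greynoise_noise_basic", "sourceIP", "actor", default="unknown")
    ip = deep_get(event, "client", "ipAddress", default="unknown")
    return f"Okta sign-in from GreyNoise-malicious IP {ip} ({actor})"

# Constructed unit-test event: a trimmed Okta sign-in plus a fake p_enrichment struct
TEST_EVENT = {
    "eventType": "user.session.start",
    "outcome": {"result": "SUCCESS"},
    "client": {"ipAddress": "1.2.3.4"},
    "p_enrichment": {
        "greynoise_noise_basic": {
            "sourceIP": {"ip": "1.2.3.4", "actor": "bad actor", "classification": "malicious"}
        }
    },
}

def test_event(classification=None):
    """Copy TEST_EVENT with the classification swapped, or with enrichment removed when None."""
    ev = copy.deepcopy(TEST_EVENT)
    if classification is None:
        del ev["p_enrichment"]
    else:
        ev["p_enrichment"]["greynoise_noise_basic"]["sourceIP"]["classification"] = classification
    return ev
```

Running rule() against test_event("malicious"), test_event("benign") and test_event(None) mirrors the three unit tests you would keep alongside the detection: one that must alert and two that must not.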
Option 2: Use a real IP that GreyNoise classifies as malicious

1. In the Panther Console, navigate to Search or Data Explorer.
2. Find a sample event. For example, look for a successful Okta sign-in event.
3. Copy the event, and paste it into your detection as a unit test.
4. In another browser window, navigate to GreyNoise Trending.
5. Find a recent malicious IP address, and copy it.
6. Back in the Panther Console, replace the IP addresses in the new unit test with the malicious IP address. You can use CMD+F to open the Panther Console's search and replace feature.
7. Click Enrich Test Data to ensure the p_enrichment fields populate correctly.
8. Click Run Test.