QUESTION

How can I add enrichment to my Panther detection test events in the Panther Console without actually ingesting data? When developing detections outside of the Panther Console (locally using panther_analysis_tool (PAT)), how can I add enrichment (IPInfo, Anomali ThreatStream, custom lookup tables, etc.) to an event I wish to use as a test case?

ANSWER

CI/CD

You can use the PAT command enrich-test-data as of PAT version 0.26. See the documentation page "enrich-test-data: Enriching test data with Enrichment content" for limitations and other information.

Panther Console

While viewing the detection in the Console, click Enrich Test Data when creating a test to add enrichment to your event. See Enrich Test Data in our docs for more information.

If you have set up a custom lookup table for GreyNoise data, see: How do I test a detection that uses GreyNoise enrichment in the Panther Console?

The Okta information stored in the Panther-managed Lookup Tables can be referred to in detection logic and search queries. Any custom attributes that you add to Okta’s user profile will get ingested into Panther. You can customize user profiles in Okta by following their documentation.

Our documentation provides steps on both viewing stored enrichment data and exploring the enrichment data associated with a particular event value using Search.

Here is an example of using Okta profile data in a detection. If you’re looking to recreate the event as it would appear in a detection, you can enrich the log event as a unit test.
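The PAT enrich-test-data command and the Console's Enrich Test Data button described above attach lookup-table data to a test event; as an added illustration that is not code from Panther or its docs, here is a detection that reads an Okta profile from that enrichment, beside a hand-constructed test event carrying the same shape. The p_enrichment layout (table name, then selector field), the table name okta_users, the selector actor.alternateId, the eventType value and the profile fields are all assumptions for this example.

```python
from typing import Any

# Assumption for this example: Panther attaches enrichment under "p_enrichment",
# keyed by lookup-table name, then by the selector field that matched.
LOOKUP_TABLE = "okta_users"                  # assumed lookup table name
SELECTOR_FIELD = "actor.alternateId"         # assumed selector field of that table
SENSITIVE_EVENT = "system.api_token.create"  # assumed Okta eventType of interest
ALLOWED_DEPARTMENTS = {"Security", "IT"}


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts; return default if any key is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def okta_profile(event: dict) -> dict:
    """Return the enriched Okta profile for the actor, or {} when absent."""
    row = deep_get(event, "p_enrichment", LOOKUP_TABLE, SELECTOR_FIELD, default={})
    return row.get("profile", {}) if isinstance(row, dict) else {}


def rule(event: dict) -> bool:
    if event.get("eventType") != SENSITIVE_EVENT:
        return False
    profile = okta_profile(event)
    if not profile:
        # No enrichment present, so the department check cannot run; a test event
        # without p_enrichment never reaches the alerting branch below.
        return False
    return profile.get("department") not in ALLOWED_DEPARTMENTS


def title(event: dict) -> str:
    profile = okta_profile(event)
    who = profile.get("displayName") or deep_get(event, "actor", "alternateId", default="unknown")
    return f"Okta API token created by {who} ({profile.get('department', 'unknown department')})"


# Constructed test events: one shaped as enrichment would leave it, one without.
ENRICHED_TEST_EVENT = {
    "eventType": SENSITIVE_EVENT,
    "actor": {"alternateId": "jdoe@example.com"},
    "p_enrichment": {
        LOOKUP_TABLE: {
            SELECTOR_FIELD: {"profile": {"displayName": "Jane Doe", "department": "Marketing"}}
        }
    },
}
UNENRICHED_TEST_EVENT = {"eventType": SENSITIVE_EVENT, "actor": {"alternateId": "jdoe@example.com"}}
```

Running rule() against both events shows why an unenriched test case cannot cover the department branch.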