Can I make an external enrichment API call within a Panther detection instead of using a custom enrichment?

QUESTION

Can I make an external enrichment API call within a detection (e.g IPinfo) instead of using a custom enrichment?

ANSWER

While it’s technically possible, we generally do not recommend it due to performance concerns. When working under high load, calling external APIs can become unreliable and lead to delays in your detections. This is because external APIs often have usage limits that can be reached unexpectedly, slowing down the detections engine and consequently the entire detection process.