2/10/2025: GreyNoise Enrichment Provider Errors
Last updated: February 10, 2025
If you are receiving the following error from your GreyNoise Enrichment Provider:
cannot assume role arn:aws:iam::123456789:role/panther-greynoise-full-access-role
for refresh: operation error STS: AssumeRole, https response error StatusCode:
403, RequestID: 123dwe56-1abc-12d4-abcd-123abcde038, api error AccessDenied:
User: arn:aws:sts::123456789:assumed-role/panther-LogAnalysis-1CEAA-LookupTablesApiFunctionR-1W6Y0KPYKK73K/panther-lookup-tables-api
is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789:role/panther-greynoise-full-access-role
This alert is due to a change we made to fully remove the deprecated GreyNoise Enrichment Provider from our system.
As announced in May 2024, Panther sunsetted native GreyNoise enrichment on June 17, 2024. Since then, this lookup table has not been actively receiving data.
We recommend taking the following steps to prevent errors:
Delete the GreyNoise Lookup Tables on the Enrichment Provider page.
Update any custom detections that use the GreyNoise tables, and disable any managed detections if they are still present in your console.
Panther has deprecated our four Panther-managed detections that reference GreyNoise data. If any of these detections are enabled in your Panther instance, it is strongly recommended to disable them:
AWS.S3.GreyNoiseActivity
Cloudflare.HttpRequest.BotHighVolumeGreyNoise
Cloudflare.Firewall.HighVolumeEventsBlockedGreyNoise
Cloudflare.Firewall.SuspiciousEventGreyNoise
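If you keep your detections as code, the following script can help locate what to disable and what to update. It is an added example, not Panther's own tooling, and it assumes a local directory of YAML spec files with top-level `RuleID`, `Filename` and `Enabled` keys alongside Python rule bodies.

```python
import re
import sys
from pathlib import Path

# The four deprecated Panther-managed detections named in this notice.
DEPRECATED_RULE_IDS = {
    "AWS.S3.GreyNoiseActivity",
    "Cloudflare.HttpRequest.BotHighVolumeGreyNoise",
    "Cloudflare.Firewall.HighVolumeEventsBlockedGreyNoise",
    "Cloudflare.Firewall.SuspiciousEventGreyNoise",
}


def _field(name, text):
    """Read a top-level scalar such as `RuleID: "X"` without a YAML library."""
    m = re.search(rf"^{name}:\s*['\"]?([^'\"\s#]+)", text, re.MULTILINE)
    return m.group(1) if m else None


def audit_detections(root):
    """Return (deprecated rule IDs still enabled, other files mentioning GreyNoise)."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*")
                   if p.is_file() and p.suffix in {".yml", ".yaml", ".py"})
    texts = {p: p.read_text(encoding="utf-8", errors="replace") for p in files}
    still_enabled, managed = [], set()
    for path, text in texts.items():
        rule_id = _field("RuleID", text) if path.suffix != ".py" else None
        if rule_id not in DEPRECATED_RULE_IDS:
            continue
        managed.add(path)  # the managed rule's spec file
        if _field("Filename", text):
            managed.add(path.parent / _field("Filename", text))  # its rule body
        if (_field("Enabled", text) or "").lower() == "true":
            still_enabled.append(rule_id)
    # Anything else that mentions GreyNoise is a custom detection or helper to update.
    custom = [p.relative_to(root).as_posix() for p, t in texts.items()
              if p not in managed and "greynoise" in t.lower()]
    return sorted(still_enabled), custom


if __name__ == "__main__":
    enabled, custom = audit_detections(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rule_id in enabled:
        print(f"disable managed detection: {rule_id}")
    for rel in custom:
        print(f"update custom detection:   {rel}")
```

Run it with the path to your detections directory as the only argument; with no argument it scans the current directory.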
If you are still interested in leveraging GreyNoise data, you can do so through a custom Lookup Table. More details on how to set this up can be found in our documentation.