2/10/2025: Greynoise Enrichment Provider Errors

If you are receiving the following error from your GreyNoise Enrichment Provider:

cannot assume role arn:aws:iam::123456789:role/panther-greynoise-full-access-role 
for refresh: operation error STS: AssumeRole, https response error StatusCode: 
403, RequestID: 123dwe56-1abc-12d4-abcd-123abcde038, api error AccessDenied: 
User: arn:aws:sts::123456789:assumed-role/panther-LogAnalysis-1CEAA-LookupTablesApiFunctionR-1W6Y0KPYKK73K/panther-lookup-tables-api 
is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789:role/panther-greynoise-full-access-role

This alert is due to a change we made to fully remove the deprecated GreyNoise Enrichment Provider from our system.

As announced in May 2024, Panther sunsetted native GreyNoise enrichment on June 17, 2024. Since then, this lookup table has not been actively receiving data.

We recommend taking the following steps to prevent errors:

• Delete the GreyNoise Lookup Tables in the Enrichment Provider page.

• Update any custom detections using the GreyNoise tables and disabling and managed detections if they are still present in your console.

  • Panther has deprecated our four Panther-managed detections that reference GreyNoise data. If any of these detections are enabled in your Panther instance, it is strongly recommended to disable them:

    • AWS.S3.GreyNoiseActivity

    • Cloudflare.HttpRequest.BotHighVolumeGreyNoise

    • Cloudflare.Firewall.HighVolumeEventsBlockedGreyNoise

    • Cloudflare.Firewall.SuspiciousEventGreyNoise

If you are still interested in leveraging GreyNoise data, you can do so through a custom Lookup Table. More details on how to set this up can be found in our documentation