The GreyNoise Basic enrichment is enabled in the Panther Console. When trying to edit and test a custom detection rule that contains GreyNoise enrichment in the Functions & Tests tab of the rule, null values are returned in the Alert Context and the test fails. This is depicted in the following screenshot:
To test the GreyNoise functionality on a rule, make sure to provide the p_enrichment section in the test data below the rule definition in the Panther Console.
Afterwards, click Run Test to run the test and verify that it is working as expected.
An example of the p_enrichment section that corresponds to GreyNoise Basic and can be used in the test data of the rule is seen below:
"p_enrichment": {
"greynoise_noise_basic": {
"sourceIPAddress": {
"actor": "unknown",
"bot": false,
"classification": "malicious",
"cve": [],
"first_seen": "2022-03-19",
"ip": "142.93.204.250",
"last_seen": "2022-04-06",
"metadata": {
"asn": "AS14061",
"category": "hosting",
"city": "North Bergen",
"country": "United States",
"country_code": "US",
"organization": "DigitalOcean, LLC",
"os": "Linux 2.2-3.x",
"rdns": "",
"region": "New Jersey",
"tor": false
},
"raw_data": {
"hassh": [],
"ja3": [],
"scan": [
{
"port": 23,
"protocol": "TCP"
}
],
"web": {}
},
"seen": true,
"spoofable": false,
"tags": [
"Mirai",
"ZMap Client"
],
"vpn": false,
"vpn_service": "N/A"
}
}
}
After adding a section like the one above and confirming that the rule itself is correct, the test succeeds. An example is shown below:
When working on actual data, the rule is expected to run successfully, since the GreyNoise Basic enrichment will be applied on the fly and classify the IPs as malicious or not. However, when testing a rule that contains GreyNoise Basic enrichment, the test data have to contain the p_enrichment part, to simulate the way GreyNoise would work on actual data.
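To make the point concrete, here is an added example (not Panther's own code) of a minimal Panther-style rule that reads the GreyNoise Basic record from p_enrichment, together with two constructed test events: one that includes the p_enrichment section and one that omits it. Plain dicts stand in for Panther's event object, and the deep_get helper is a local stand-in for the helper pattern used in Panther rules, so everything runs offline.

```python
# Added example, not Panther's own code: a minimal Panther-style rule that reads
# GreyNoise Basic data from p_enrichment, with constructed test events (plain
# dicts stand in for Panther's event object so this runs offline).

SOURCE_IP_FIELD = "sourceIPAddress"  # the event field the enrichment is keyed on

def deep_get(obj, *keys, default=None):
    """Walk nested dicts safely, returning default on any missing level."""
    for key in keys:
        if not isinstance(obj, dict) or obj.get(key) is None:
            return default
        obj = obj[key]
    return obj

def greynoise_basic(event):
    """GreyNoise Basic record for the source IP, or None if p_enrichment is absent."""
    return deep_get(event, "p_enrichment", "greynoise_noise_basic", SOURCE_IP_FIELD)

def rule(event):
    """Alert only when GreyNoise classified the source IP as malicious."""
    return deep_get(greynoise_basic(event), "classification") == "malicious"

def alert_context(event):
    """Fields for the analyst; null values here mean p_enrichment was not supplied."""
    gn = greynoise_basic(event)
    return {
        "source_ip": event.get(SOURCE_IP_FIELD),
        "classification": deep_get(gn, "classification"),
        "actor": deep_get(gn, "actor"),
        "tags": deep_get(gn, "tags", default=[]),
        "last_seen": deep_get(gn, "last_seen"),
    }

# Constructed test event shaped like the p_enrichment block in the article.
ENRICHED_EVENT = {
    SOURCE_IP_FIELD: "142.93.204.250",
    "p_enrichment": {"greynoise_noise_basic": {SOURCE_IP_FIELD: {
        "actor": "unknown",
        "classification": "malicious",
        "last_seen": "2022-04-06",
        "tags": ["Mirai", "ZMap Client"],
    }}},
}
# The same event without p_enrichment: what the Console test sees when the section
# is omitted, and why the Alert Context comes back null.
UNENRICHED_EVENT = {SOURCE_IP_FIELD: "142.93.204.250"}
```

Running rule() and alert_context() against both events reproduces the behaviour described above: the enriched event fires with a populated context, while the unenriched one does not fire and every enrichment-derived field is None.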
For more information on troubleshooting null or empty enrichment in Panther, please see Troubleshooting null and empty enrichment/Lookup Tables in Panther.