Why am I failing to get ASN enrichment on IPINFO_ASN provider in Panther?

Last updated: December 3, 2024

Issue

When using the IPINFO_ASN enrichment provider in Panther, alerts are not being enriched with ASN data. This results in missing data for detections that rely on ASN enrichment, potentially causing false positive alerts.

Resolution

This issue is caused by the use of private IP addresses, which are not publicly routable and cannot be enriched with ASN data. To resolve this:

  • Update your detection logic to check whether the IP address is private and, if it is, return False instead of generating an alert.
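The following is an added example of that resolution in a Panther-style Python rule; it is not code from this article or from Panther itself. It assumes the log's source IP sits in a "srcAddr" field, that Panther attaches the lookup result under p_enrichment -> ipinfo_asn -> srcAddr -> asn (the exact path is an assumption; check your lookup table's name and field), and that the detection's policy is "alert when the ASN is not on an allowlist". The ASN values and sample events are constructed.

```python
import ipaddress
from typing import Any, Mapping, Optional

# Constructed allowlist using ASNs from the documentation range (RFC 5398).
ALLOWED_ASNS = {"AS64496", "AS64497"}

# Constructed sample events. 8.8.8.8 and 1.1.1.1 are well-known public
# resolvers used only as sample input; 10.0.1.25 stands in for a VPC host.
SAMPLE_EVENTS = {
    "private_vpc": {"srcAddr": "10.0.1.25", "p_enrichment": {}},
    "public_allowed": {
        "srcAddr": "8.8.8.8",
        "p_enrichment": {"ipinfo_asn": {"srcAddr": {"asn": "AS64496"}}},
    },
    "public_unknown": {
        "srcAddr": "1.1.1.1",
        "p_enrichment": {"ipinfo_asn": {"srcAddr": {"asn": "AS64510"}}},
    },
}


def _deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts; return default as soon as a key or level is missing."""
    for key in keys:
        if not isinstance(obj, Mapping):
            return default
        obj = obj.get(key, default)
    return obj


def asn_for(event: Mapping[str, Any], ip_field: str = "srcAddr") -> Optional[str]:
    """Enriched ASN for ip_field, or None when Panther attached no enrichment.
    The p_enrichment path below is an assumption about the lookup table layout."""
    return _deep_get(event, "p_enrichment", "ipinfo_asn", ip_field, "asn")


def is_public_ip(value: Any) -> bool:
    """True only for publicly routable addresses, i.e. the ones IPINFO_ASN can
    enrich. RFC 1918, loopback, link-local, CGNAT and unparsable strings all
    return False."""
    try:
        ip = ipaddress.ip_address(str(value))
    except ValueError:
        return False
    return bool(ip.is_global and not ip.is_multicast)


def rule_before(event: Mapping[str, Any]) -> bool:
    """Original logic: alert on any ASN outside the allowlist. A private source
    IP has no ASN, so the lookup yields None, None is 'not allowed', and the
    rule fires a false positive for every internal host."""
    return asn_for(event) not in ALLOWED_ASNS


def rule(event: Mapping[str, Any]) -> bool:
    """Hardened logic: only apply the ASN policy to publicly routable IPs."""
    if not is_public_ip(event.get("srcAddr")):
        return False  # private IP: no ASN data exists, so nothing to judge
    asn = asn_for(event)
    if asn is None:
        # Public IP with no enrichment is a data-quality gap, not evidence of a
        # policy violation; track it separately rather than alerting here.
        return False
    return asn not in ALLOWED_ASNS


if __name__ == "__main__":
    for name, event in SAMPLE_EVENTS.items():
        print(f"{name:15s} before={rule_before(event)!s:5s} after={rule(event)}")
```

Run stand-alone, the script prints that the private VPC event fires under the old logic and not under the hardened one, while the two public events keep the same verdict either way. Keeping is_public_ip as its own function lets you reuse the same check in the rule's title() or in a global helper across detections.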

Cause

ASN enrichment is only available for public IPs. Private IPs, typically used for internal communication (e.g., within an AWS VPC), cannot be enriched as they do not have associated ASN data.