Panther has partnered with IPinfo, a trusted source for IP address data, to provide integrated IP related enrichment to Panther customers. The IPinfo data sets are available to all Panther accounts at no additional cost and are disabled by default.
IPinfo datasets are stored as Panther-managed Lookup Tables in bulk, so there is no need to make API calls to leverage this enrichment in your detection logic or alerts. Alert events are automatically enriched with IPinfo data within the p_enrichment field in JSON events.
IPinfo data can be accessed in detections with pre-built Python helpers.
Use Cases
Panther’s IPinfo enrichment integration helps users to:
Increase alert fidelity
Reduce potential alert storms and false positives
Identify suspicious users by cross-examining IP geolocation details
Preemptively identify and block traffic from high-risk locations or networks
How it Works
All Panther customers are given access to IPinfo data sets at no additional cost. The IPinfo enrichment data is disabled by default, and can be enabled easily in the console following these steps.
Alert events are automatically enriched with IPinfo data within the p_enrichment field in JSON events.
IPinfo data can be used in detections with pre-built Python helpers (and deep_get) to access enrichment information.
IPinfo data is stored as Panther-managed Lookup Tables in bulk, so there is no need to make API calls to leverage this enrichment in your detection logic or alerts.
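The following detection is an added example, not Panther's or IPinfo's own code, showing how a Python rule can read the enrichment the page describes. It assumes the enrichment lives under p_enrichment (as stated above), that the IPinfo location and ASN tables appear under the keys ipinfo_location and ipinfo_asn, each sub-keyed by the name of the log field that held the IP, and that the ASN record carries a type field; those key names, the field names in the sample event, and the local deep_get stand-in (written here so the file runs without the Panther runtime) are all assumptions.

```python
"""Illustrative Panther-style rule that consumes IPinfo enrichment.

Added example (not Panther's or IPinfo's code). Assumptions:
  - enrichment sits under event["p_enrichment"];
  - tables are keyed "ipinfo_location" / "ipinfo_asn", then by the
    name of the log field whose IP was looked up (assumed layout);
  - deep_get below is a local stand-in for Panther's helper.
"""
from collections.abc import Mapping

IP_FIELD = "sourceIPAddress"           # log field whose value was enriched
EXPECTED_COUNTRIES = {"US", "DE"}       # org-specific policy, constructed
HOSTING_ASN_TYPES = {"hosting"}         # ASN "type" values to flag (assumed)


def deep_get(dictionary, *keys, default=None):
    """Walk nested mappings; return default if any key is missing."""
    value = dictionary
    for key in keys:
        if not isinstance(value, Mapping):
            return default
        value = value.get(key)
        if value is None:
            return default
    return value


def ipinfo_location(event):
    return deep_get(event, "p_enrichment", "ipinfo_location", IP_FIELD, default={})


def ipinfo_asn(event):
    return deep_get(event, "p_enrichment", "ipinfo_asn", IP_FIELD, default={})


def rule(event):
    """Alert on a successful console login from an unexpected country
    or from a hosting network. Unenriched events (private IP, tables
    disabled) are deliberately not alerted on, to avoid noise."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    if deep_get(event, "responseElements", "ConsoleLogin") != "Success":
        return False
    country = ipinfo_location(event).get("country")
    asn_type = ipinfo_asn(event).get("type")
    if country is None and asn_type is None:
        return False
    return country not in EXPECTED_COUNTRIES or asn_type in HOSTING_ASN_TYPES


def title(event):
    """Alert title that surfaces the enrichment for the analyst."""
    loc = ipinfo_location(event)
    asn = ipinfo_asn(event)
    return (f"Console login from {event.get(IP_FIELD)} "
            f"({loc.get('city', '?')}, {loc.get('country', '?')}; "
            f"ASN {asn.get('asn', '?')} {asn.get('name', '?')})")


# Constructed sample events; IPs and ASN are documentation ranges.
SUSPICIOUS_EVENT = {
    "eventName": "ConsoleLogin",
    "responseElements": {"ConsoleLogin": "Success"},
    IP_FIELD: "203.0.113.7",
    "p_enrichment": {
        "ipinfo_location": {IP_FIELD: {"city": "Example City", "country": "XX"}},
        "ipinfo_asn": {IP_FIELD: {"asn": "AS64496", "name": "Example Hosting",
                                  "type": "hosting"}},
    },
}

BENIGN_EVENT = {
    "eventName": "ConsoleLogin",
    "responseElements": {"ConsoleLogin": "Success"},
    IP_FIELD: "198.51.100.20",
    "p_enrichment": {
        "ipinfo_location": {IP_FIELD: {"city": "Berlin", "country": "DE"}},
        "ipinfo_asn": {IP_FIELD: {"asn": "AS64497", "name": "Example ISP",
                                  "type": "isp"}},
    },
}

UNENRICHED_EVENT = {
    "eventName": "ConsoleLogin",
    "responseElements": {"ConsoleLogin": "Success"},
    IP_FIELD: "10.0.0.5",
}

if __name__ == "__main__":
    for ev in (SUSPICIOUS_EVENT, BENIGN_EVENT, UNENRICHED_EVENT):
        print(rule(ev), title(ev))
```

Because the lookup happens at ingest, the rule never blocks on a network call, and the same p_enrichment fields that drive the decision are echoed into the alert title so the analyst sees the geolocation and ASN context without a second lookup.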
You can check out our product documentation for more information.