Enrich your data in Panther with GreyNoise, IPinfo, and Tor—or create custom Lookup Tables


With Panther's enrichment capabilities, you can cut through background noise to write higher-fidelity detections and deliver more informative alerts. Create custom Lookup Tables in Panther, use out-of-the-box Enrichment Providers like GreyNoise, IPinfo, and Tor, or pull in user or device data with identity provider profiles.

How to use enrichment features in Panther

Lookup Tables

Lookup Tables let you add custom context to your detections and alerts. Using Lookup Tables saves time by enhancing detections, reducing alert noise, and speeding up investigations.
To learn how to set up Lookup Tables, see Lookup Tables.

Enrichment Providers

Panther comes with three out-of-the-box Enrichment Providers, also known as Panther-managed Lookup Tables: GreyNoise, IPinfo, and Tor.


GreyNoise collects data on IP addresses that saturate security tools with noise. This kind of data can help you understand which events can be ignored, which can lead to fewer false positive alerts—letting you focus on real threats.
To learn how to leverage GreyNoise datasets, see GreyNoise.


IPinfo provides contextual information about IP addresses, including geolocation, ASN and privacy data. You can use IPinfo data to identify suspicious or high-risk actors.
To learn how to leverage IPinfo datasets, see IPinfo.

Tor Exit Nodes

Tor is an anonymizing network sometimes used by bad actors to hide their location. The Panther-managed Tor Lookup Table contains IP addresses for the Tor Exit Nodes.
To learn how to use Tor Exit Nodes enrichment, see Tor Exit Nodes.

Enrichment use case examples

Common use cases for Lookup Tables

  • Convert IPs to asset/user names, or geolocation details
  • Group IPs by type (development vs. production for ex.)
  • Append context to AWS Account IDs

Common use cases for GreyNoise

  • Modify an alert's severity depending on whether GreyNoise reports that an IP is malicious or benign
  • Reduce alert noise and fatigue if an IP is known to belong to a common business service that is most definitely not being used to attack your services
  • Enrich Panther alert context with GreyNoise data points

Troubleshooting enrichment

Visit the Panther Knowledge Base to view articles about enrichment that answer frequently asked questions and help you resolve common errors and issues.
Last modified 1mo ago