Enrichment

Enrich your data in Panther with GreyNoise, IPinfo, Tor and Anomali ThreatStream—or create custom Lookup Tables

Overview

With Panther's enrichment capabilities, you can cut through background noise to write higher-fidelity detections and deliver more informative alerts. Create Custom Lookup Tables, or enable a type of Panther-managed Lookup Table: Enrichment Providers or identity provider profiles.

Once an enrichment source is set up, you can view stored data and enriched log events.

Custom Lookup Tables

Custom Lookup Tables, also referred to as simply "Lookup Tables," let you add custom context to your detections and alerts. Using Lookup Tables saves time by enhancing detections, reducing alert noise, and speeding up investigations.

Lookup tables may be useful to:

  • Convert IPs to asset/user names, or geolocation details

  • Group IPs by type (for example, development vs. production)

  • Append context to AWS Account IDs

To learn how to set up Lookup Tables, see Custom Lookup Tables.

Panther-managed Lookup Tables

There are two types of Panther-managed Lookup Tables: Identity Provider Profiles and Enrichment Providers.

Identity Provider Profiles

Panther can retrieve and store user and device data from Okta and Google Workspace once you've configured them as log sources. This information is stored in Panther-managed Lookup Tables, meaning it can be referred to in detection logic and search queries.

See example use cases on Identity Provider Profiles.

Enrichment Providers

Panther comes with four out-of-the-box Enrichment Providers, also known as Panther-managed Lookup Tables: Anomali ThreatStream, GreyNoise, IPinfo, and Tor.

Anomali ThreatStream

Anomali ThreatStream aggregates multiple threat feeds into a single high-fidelity repository by normalizing, deduplicating, removing false positives from, and enriching threat data—then associating all related threat indicators.

The Panther-managed Anomali ThreatStream Lookup Table matches your Anomali indicator data against log events ingested into Panther for high-fidelity alerts.

To learn how to use Anomali ThreatStream enrichment, see Anomali ThreatStream.

GreyNoise

GreyNoise collects data on IP addresses that saturate security tools with noise. This kind of data can help you understand which events can be ignored, which can lead to fewer false positive alerts—letting you focus on real threats.

GreyNoise enrichment may be useful to:

  • Modify an alert's severity depending on whether GreyNoise reports that an IP is malicious or benign

  • Reduce alert noise and fatigue when an IP is known to belong to a common business service rather than to an attacker targeting your services

  • Enrich Panther alert context with GreyNoise data points

To learn how to leverage GreyNoise datasets, see GreyNoise.

IPinfo

IPinfo provides contextual information about IP addresses, including geolocation, ASN and privacy data. You can use IPinfo data to identify suspicious or high-risk actors.

To learn how to leverage IPinfo datasets, see IPinfo.

Tor Exit Nodes

Tor is an anonymizing network sometimes used by bad actors to hide their location. The Panther-managed Tor Lookup Table contains IP addresses for the Tor Exit Nodes.

To learn how to use Tor Exit Nodes enrichment, see Tor Exit Nodes.

Viewing stored enrichment data

You can use Data Explorer to view data stored in Custom Lookup Tables, Identity Provider Profiles, and Enrichment Providers.

To view stored Custom Lookup Table data:

  1. In the left-side navigation bar of your Panther Console, click Configure > Lookup Tables.

    • You will be redirected to Data Explorer, and a SELECT query will be pre-populated.

  2. Below the SQL editor, click Run Search.

    • You can view table data in the Results section, below the SQL editor.

You can also view the enrichment data associated with a particular event value using Search—learn how to do so here.

Viewing log events with enrichment data

Log events are enriched before being run through associated detections, but they are not enriched when stored in the data lake. This means log data queried from the data lake will not contain p_enrichment. (Detection matches, however, do contain enrichment data.)

It may be useful to know how an enriched log event will look when it's processed by your detection(s). For an exact recreation, you can enrich a log event as a unit test. For an approximate recreation, you can perform a join in Data Explorer.

Enriching a log event as a unit test

For a perfect recreation of how an enriched log event will look as it's processed by your detection(s), create a unit test, add the event, and enrich the test data. (It's not necessary to then save the unit test.)
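The GreyNoise use cases above (tuning severity by classification, adding enrichment data points to alert context) and the p_enrichment behaviour described in this section come together in a detection. The following Panther-style Python rule is an added example, not code from the Panther documentation or from Panther itself. It assumes p_enrichment is nested as lookup table name, then selector field, then the matched row; the table names (greynoise_noise_basic, asset_inventory), their column names, and the sample events are constructed for illustration. The constructed events double as the kind of test input you would paste into a unit test: one carries p_enrichment as a detection sees it, one carries none, as a row read back from the data lake would.

```python
# Added example, not from the Panther documentation: a Panther-style Python
# detection that reads p_enrichment the way a rule sees it at evaluation time.
# Assumed p_enrichment shape: {<lookup table name>: {<selector field>: {<matched row>}}}.
# Table names, column names and sample events are constructed for illustration.
from typing import Any, Optional

GREYNOISE_TABLE = "greynoise_noise_basic"  # assumed name of the GreyNoise-backed table
ASSET_TABLE = "asset_inventory"            # hypothetical custom Lookup Table
SELECTOR = "sourceIPAddress"               # log field both tables key on


def enrichment_value(event: dict, table: str, selector: str, column: str) -> Optional[Any]:
    """Return one column of the row matched for `selector`, or None if absent.

    Events read back from the data lake carry no p_enrichment, so every
    level of the walk tolerates a missing key instead of raising.
    """
    row = event.get("p_enrichment", {}).get(table, {}).get(selector)
    if not isinstance(row, dict):
        return None
    return row.get(column)


def rule(event: dict) -> bool:
    """Fire on failed console logins; enrichment only shapes severity and context."""
    return (
        event.get("eventName") == "ConsoleLogin"
        and event.get("responseElements", {}).get("ConsoleLogin") == "Failure"
    )


def severity(event: dict) -> str:
    """Raise or lower the alert based on GreyNoise classification and asset tier."""
    classification = enrichment_value(event, GREYNOISE_TABLE, SELECTOR, "classification")
    environment = enrichment_value(event, ASSET_TABLE, SELECTOR, "environment")
    if classification == "malicious":
        return "CRITICAL"
    if classification == "benign":
        # Known-benign scanner or business service: keep the record, cut the noise.
        return "LOW"
    if environment == "production":
        return "HIGH"
    # No enrichment matched (or none present at all): keep the rule's default.
    return "MEDIUM"


def alert_context(event: dict) -> dict:
    """Attach the enrichment data points an analyst would otherwise look up by hand."""
    return {
        "source_ip": event.get(SELECTOR),
        "greynoise_classification": enrichment_value(event, GREYNOISE_TABLE, SELECTOR, "classification"),
        "greynoise_actor": enrichment_value(event, GREYNOISE_TABLE, SELECTOR, "actor"),
        "asset_environment": enrichment_value(event, ASSET_TABLE, SELECTOR, "environment"),
        "asset_owner": enrichment_value(event, ASSET_TABLE, SELECTOR, "owner"),
    }


def sample_events() -> dict:
    """Constructed events: two as a detection sees them, one as the data lake returns it."""
    base = {
        "eventName": "ConsoleLogin",
        "responseElements": {"ConsoleLogin": "Failure"},
        SELECTOR: "203.0.113.7",  # TEST-NET-3 documentation address, constructed
    }
    enriched = dict(base)
    enriched["p_enrichment"] = {
        GREYNOISE_TABLE: {SELECTOR: {"classification": "malicious", "actor": "unknown"}},
        ASSET_TABLE: {SELECTOR: {"environment": "production", "owner": "platform-team"}},
    }
    benign = dict(base)
    benign["p_enrichment"] = {
        GREYNOISE_TABLE: {SELECTOR: {"classification": "benign", "actor": "example-scanner"}},
    }
    return {"enriched": enriched, "benign": benign, "from_data_lake": dict(base)}


if __name__ == "__main__":
    for name, evt in sample_events().items():
        print(name, rule(evt), severity(evt), alert_context(evt))
```

The point of `enrichment_value` is the fallback path: because the data lake does not store p_enrichment, any rule that indexes into it directly will raise on replayed or backfilled events, whereas this helper degrades to `None` and the rule falls back to its default severity.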

Joining log and enrichment data

In Data Explorer, you can perform a join between the log and enrichment data with a query like the following:

with logs as (
    select * from panther_logs.public.my_logs
),
lookup as (
    select * from panther_lookups.public.my_lookup_table
)
select logs.fieldA, lookup.fieldB
from logs
join lookup on logs.selector_field = lookup.key_field

Troubleshooting enrichment

Visit the Panther Knowledge Base to view articles about enrichment that answer frequently asked questions and help you resolve common errors and issues.
