# Enrichment

## Overview

Enrichment takes a particular field in an incoming log event (the selector) and expands it with additional information looked up by that field's value. This is especially useful when organizational data (such as employee records or cloud infrastructure account data) needs to be referenced in your detections or passed on to an alert.

In Panther, you can store this additional enrichment data in a [custom enrichment table](#custom-enrichments), or enable a Panther-managed enrichment. Using these enrichment capabilities in Panther, you can cut through background noise to write higher-fidelity detections and deliver more informative alerts.

Once an enrichment source is set up, you can [view stored data](#viewing-stored-enrichment-data) and [enriched log events](#viewing-log-events-with-enrichment-data).

Enrichment sources or tables are interchangeably referred to as "lookup tables."

## Custom enrichments

Custom enrichments let you add custom context to your detections and alerts. Using enrichments saves time by enhancing detections, reducing alert noise, and speeding up investigations.

Custom enrichments may be useful to:

* Convert IPs to asset/user names, or geolocation details
* Group IPs by type (e.g., development vs. production)
* Append context to AWS Account IDs

To learn how to set up custom enrichments, see [Custom Enrichments](/enrichment/custom.md).

## Panther-managed enrichments

### Anomali ThreatStream

Anomali ThreatStream aggregates multiple threat feeds into a single high-fidelity repository by normalizing, deduplicating, removing false positives from, and enriching threat data—then associating all related threat indicators.

The Panther-managed Anomali ThreatStream enrichment matches your Anomali indicator data against log events ingested into Panther for high-fidelity alerts.

Anomali ThreatStream is a ["bring your own API key" log puller](#bring-your-own-api-key-log-pullers). To learn how to use Anomali ThreatStream enrichment, see [Anomali ThreatStream](/enrichment/anomali-threatstream.md).

### Google Threat Intelligence (Beta)

[Google Threat Intelligence](https://www.virustotal.com/) provides comprehensive threat intelligence data. Panther integrates with Google Threat Intelligence through the [IoC Stream API](https://gtidocs.virustotal.com/docs/ioc-stream-guide), which delivers a near real-time feed of Indicators of Compromise (IoCs) from the Google Threat Intelligence collections you follow. The Panther-managed Google Threat Intelligence enrichment matches these IoCs against log events ingested into Panther for high-fidelity alerts.

Google Threat Intelligence is a ["bring your own API key" log puller](#bring-your-own-api-key-log-pullers). To learn how to use it, see [Google Threat Intelligence](/enrichment/google-threat-intelligence.md).

### Google Workspace user profiles

Panther can retrieve and store user data from [Google Workspace](/enrichment/google-workspace.md) once you've configured it as a log source. This data can then be referred to in detection logic and search queries.

Learn how to configure your Google Workspace log source for enrichment on [Google Workspace Profiles](/enrichment/google-workspace.md).

### GreyNoise

[GreyNoise](https://www.greynoise.io/) provides real-time intelligence about internet-wide scan and attack activity. GreyNoise helps security teams filter out background noise by identifying and labeling IPs conducting mass scanning, enabling faster, more accurate threat detection.

To learn how to enrich your logs with GreyNoise threat intelligence data, see [GreyNoise](/enrichment/greynoise.md).

### IPinfo

IPinfo provides contextual information about IP addresses, including geolocation, ASN and privacy data. You can use IPinfo data to identify suspicious or high-risk actors.

To learn how to leverage IPinfo datasets, see [IPinfo](/enrichment/ipinfo.md).

### Open Threat Exchange (OTX)

Open Threat Exchange (OTX) is AlienVault's community-driven threat intelligence platform, where contributors collaborate to identify emerging threats. OTX enrichment in Panther matches OTX pulse data against log events ingested into Panther to generate higher-fidelity alerts.

OTX is a ["bring your own API key" log puller](#bring-your-own-api-key-log-pullers). To learn how to use OTX enrichment, see [Open Threat Exchange (OTX)](/enrichment/otx.md).

### MISP

MISP warning lists are collections of well-known indicators that are commonly associated with false positives or errors. This context helps you evaluate whether a threat-intelligence match is actually meaningful before alerting on it.

To learn how to enable MISP warning list enrichment, see [MISP Warning Lists](/enrichment/misp.md).

### Okta user and device profiles

Panther can retrieve and store user and device data from [Okta](/enrichment/okta.md) once you've configured it as a log source. This data can then be referred to in detection logic and search queries.

Learn how to configure your Okta log source for enrichment on [Okta Profiles](/enrichment/okta.md).

### Snowflake

Enrich logs with data from your Snowflake instance, like user and role information.

To learn how to set up Snowflake enrichment, see [Snowflake Enrichment](/enrichment/snowflake.md).

### Tor Exit Nodes

Tor is an anonymizing network sometimes used by bad actors to hide their location. The Panther-managed Tor enrichment contains IP addresses for the Tor Exit Nodes.

To learn how to use Tor Exit Nodes enrichment, see [Tor Exit Nodes](/enrichment/tor-exit-nodes.md).

### TrailDiscover

TrailDiscover is a continuously evolving repository of CloudTrail events containing detailed descriptions, MITRE ATT\&CK insights, real-world incident references, research links, and information about security implications.

To learn how to enrich with TrailDiscover, see [TrailDiscover](/enrichment/traildiscover.md).

## Panther-managed enrichment methods

### "Bring your own API key" log pullers

These enrichment sources require you to create an API key in the third-party service, then enter it into Panther:

* [Anomali ThreatStream](/enrichment/anomali-threatstream.md)
* [Google Threat Intelligence](/enrichment/google-threat-intelligence.md)
* [GreyNoise](/enrichment/greynoise.md)
* [Open Threat Exchange (OTX)](/enrichment/otx.md)

### Panther log source pullers

These enrichment sources pull enrichment data from a [log source](/data-onboarding/supported-logs.md) you've set up in Panther.

* [Google Workspace Profiles](/enrichment/google-workspace.md)
* [Okta Profiles](/enrichment/okta.md)
* [Snowflake](/enrichment/snowflake.md)

### Additional enrichment sources

These enrichment sources can be enabled using Detection Packs or the [Panther Analysis Tool](/panther-developer-workflows/detections-repo/pat/managing-enrichment.md):

* [IPinfo](/enrichment/ipinfo.md)
* [MISP Warning Lists](/enrichment/misp.md)
* [Tor Exit Nodes](/enrichment/tor-exit-nodes.md)
* [TrailDiscover](/enrichment/traildiscover.md)

## Viewing and managing enrichments

Use the enrichment details page to view, validate, and manage your enrichment data.

Each enrichment source displays a descriptive type label indicating its data source method:

* **SQL → Lookup Table**: SQL-based scheduled queries
* **S3 → Lookup Table**: S3 bucket synchronization
* **GCS → Lookup Table**: Google Cloud Storage synchronization
* **Anomali**: Anomali ThreatStream integration
* **Open Threat Exchange**: OTX integration
* **GreyNoise**: GreyNoise threat intelligence
* **Google Threat Intelligence**: Google threat data

To access the enrichment details page:

1. In the left-side navigation bar in your Panther Console, click **Configure** > **Enrichments**.
2. Click the name of the enrichment you'd like to view the details of.
   * You'll be taken to the enrichment details page, where you can navigate between the available tabs:
     * **Lookup Table**: View and manage the enrichment data
     * **Enriched Log Types**: Configure which log types use this enrichment
     * **Schema & SQL**: View the schema and SQL query (for scheduled SQL-based lookups)
     * **Schema**: View the data schema (for non-scheduled lookups)

### Filtering enrichment sources

The Enrichments page includes a filters panel that allows you to narrow down the list of enrichment sources based on various criteria:

* **Health**: Filter by enrichment source health status (Healthy or Unhealthy)
  * Unhealthy enrichment sources display a health badge and error details on their details page
* **Status**: Filter by whether enrichment sources are Enabled or Disabled
* **Import Method**: Filter by the method used to import the enrichment data (e.g., Manual Upload, Scheduled Query, S3 Sync)
* **Enriched Log Types**: Filter by the specific log types that are enriched by the sources
* **Last Updated**: Filter by when the enrichment source was last updated
* **Created**: Filter by when the enrichment source was created

To use the filters:

1. In the left-side navigation bar in your Panther Console, click **Configure** > **Enrichments**.
2. Use the **Filters** panel on the left side of the page to select your desired filtering criteria.
3. The enrichment sources table will automatically update to show only the sources matching your selected filters.

<figure><img src="/files/GrmULexRxc5jfOz9kyWL" alt="An &quot;ipinfo_location_datalake&quot; table is shown, with columns like &quot;City,&quot; &quot;Country,&quot; and &quot;Joinkey.&quot;"><figcaption></figcaption></figure>

{% hint style="info" %}
A "Lookup Table Not Available" message is shown for [IPinfo](/enrichment/ipinfo.md) CIDR datasets, which are not stored in the data lake.
{% endhint %}

## Viewing log events with enrichment data

Log events are enriched before they are run through their associated detections, but the enrichment is not persisted with the event in the data lake. This means log data queried from the data lake will not contain [`p_enrichment`](/search/panther-fields.md#enrichmentfields), so an investigation query must re-join the lookup data itself. ([Signals](/detections/signals.md) queried from `panther_signals.public.correlation_signals`, however, do contain enrichment data.)

It may be useful to know how an enriched log event will look when it's processed by your detection(s). For an exact recreation, you can [enrich a log event as a unit test](#enriching-a-log-event-as-a-unit-test). For an approximate recreation, you can [perform a join in Data Explorer](#joining-log-and-enrichment-data).

You can also view the enrichment data associated with a particular event value using Search—[learn how to do so here](/search/search-tool.md#how-to-explore-enrichment-data-for-a-value-from-results).
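The following is an added example, not Panther's own code, showing what an enriched event looks like to a Python rule and how a detection reads it. It combines the two use cases mentioned earlier on this page: a hypothetical custom enrichment that appends context to AWS account IDs, and a Panther-managed Tor exit node table. The table names (`aws_accounts`, `tor_exit_nodes`), their columns, the selector fields, and the sample event are all assumptions; the nesting `p_enrichment` → lookup table name → selector field → matched row is the shape Panther uses.

```python
"""Added example, not Panther's own code: a Python rule that reads p_enrichment.

Panther attaches lookup results to an event before the rule runs, nested as
    p_enrichment -> <lookup table name> -> <selector field> -> <matching row>
The table names ("aws_accounts", "tor_exit_nodes"), their columns and the
sample event are assumptions made for this example.
"""
from typing import Any


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts; return default if any key is missing or a value is None.

    Panther ships an equivalent helper (panther_base_helpers.deep_get); a local
    copy keeps this example runnable outside Panther.
    """
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key)
        if obj is None:
            return default
    return obj


def enrichment(event: dict, table: str, selector: str) -> dict:
    """Return the lookup row matched on `selector`, or {} if the event was not enriched."""
    row = deep_get(event, "p_enrichment", table, selector, default={})
    return row if isinstance(row, dict) else {}


def rule(event: dict) -> bool:
    """Alert on a console login from a Tor exit node into a production account."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    # A row in the Tor table is the signal; an empty row means no match (or no enrichment at all).
    if not enrichment(event, "tor_exit_nodes", "sourceIPAddress"):
        return False
    account = enrichment(event, "aws_accounts", "recipientAccountId")
    return account.get("environment") == "production"


def title(event: dict) -> str:
    """Alert title built from the custom account context, falling back to the raw account ID."""
    account = enrichment(event, "aws_accounts", "recipientAccountId")
    name = account.get("account_name", event.get("recipientAccountId", "unknown account"))
    return f"Console login from Tor exit node {event.get('sourceIPAddress')} into {name}"


def alert_context(event: dict) -> dict:
    """Pass the matched rows on to the alert so responders do not have to re-join them."""
    return {
        "account": enrichment(event, "aws_accounts", "recipientAccountId"),
        "tor_exit_node": enrichment(event, "tor_exit_nodes", "sourceIPAddress"),
    }


# Constructed sample: a CloudTrail-style event as it looks after Panther enriches it
# with a hypothetical custom "aws_accounts" table (selector: recipientAccountId) and
# a "tor_exit_nodes" table (selector: sourceIPAddress).
ENRICHED_EVENT = {
    "eventName": "ConsoleLogin",
    "sourceIPAddress": "198.51.100.7",
    "recipientAccountId": "123456789012",
    "p_enrichment": {
        "aws_accounts": {
            "recipientAccountId": {
                "account_id": "123456789012",
                "account_name": "payments-prod",
                "environment": "production",
                "owner": "team-payments",
            }
        },
        "tor_exit_nodes": {"sourceIPAddress": {"ip": "198.51.100.7"}},
    },
}

# The same event as it is stored in the data lake: no p_enrichment, so the rule
# cannot see the Tor match. This is why unit tests should use enriched test data.
STORED_EVENT = {k: v for k, v in ENRICHED_EVENT.items() if k != "p_enrichment"}

if __name__ == "__main__":
    print(rule(ENRICHED_EVENT), title(ENRICHED_EVENT))
    print(rule(STORED_EVENT))
```

Note that `rule()` treats a missing `p_enrichment` the same as a non-match: a detection that assumes the enrichment is always present will raise on an unenriched event, and a unit test created without enriching the test data would never pass.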

### Enriching a log event as a unit test

For a perfect recreation of how an enriched log event will look as it's processed by your detection(s), [create a unit test](/detections/testing.md#how-to-create-a-test), add the event, and [enrich the test data](/detections/testing.md#enrich-test-data). (It's not necessary to then save the unit test.)

### Joining log and enrichment data

In [Data Explorer](/search/data-explorer.md), you can approximate the enrichment with an equality join between the log table and the lookup table, using a query like the following (`my_logs`, `my_lookup_table`, and the column names are placeholders for your own tables and columns):

```sql
-- my_logs, my_lookup_table, fieldA, fieldB, selector_field and key_field are
-- placeholders for your log table, lookup table and their columns.
WITH logs AS (SELECT * FROM panther_logs.public.my_logs),
     lookup AS (SELECT * FROM panther_lookups.public.my_lookup_table)
SELECT logs.fieldA, lookup.fieldB
FROM logs
JOIN lookup ON logs.selector_field = lookup.key_field;
```

This is only an approximation: the join reproduces exact matches on a single key column, so it cannot reproduce lookups that match on CIDR ranges, such as the IPinfo CIDR datasets, which are not stored in the data lake at all.

## Troubleshooting enrichment

Visit the Panther Knowledge Base to [view articles about enrichment](https://help.panther.com/Enrichment) that answer frequently asked questions and help you resolve common errors and issues.
