Enrichment means, effectively, taking a particular field in an incoming log, and expanding it with additional information. This can be especially useful when organizational data, such as employee records or cloud infrastructure account data, needs to be referenced in your detections or passed on to an alert.
In Panther, you can store this additional enrichment data in , or enable a type of Panther-managed Lookup Table: or . Using these enrichment capabilities in Panther, you can cut through background noise to write higher-fidelity detections and deliver more informative alerts.
Once an enrichment source is set up, you can and .
Custom Lookup Tables, also referred to as simply "Lookup Tables," let you add custom context to your detections and alerts. Using Lookup Tables saves time by enhancing detections, reducing alert noise, and speeding up investigations.
Lookup tables may be useful to:
Convert IPs to asset/user names, or geolocation details
Group IPs by type (development vs. production for ex.)
Append context to AWS Account IDs
To learn how to set up Lookup Tables, see .
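As an added illustration of the use cases above (not Panther's own code), the block below emulates the lookup step locally: a constructed IP-keyed table and a constructed Tor exit list are joined onto each event before a detection function sees it, matching the ordering described later on this page. The `p_enrichment` key, the table names `asset_inventory` and `tor_exit_nodes`, and all sample data are assumptions made for this example.

```python
# Constructed custom Lookup Table keyed on source IP: IP -> asset name and
# environment type (the "convert IPs to asset names" and "group IPs by type"
# use cases). Not Panther data; built for this example only.
ASSET_BY_IP = {
    "10.0.1.15": {"asset": "build-runner-03", "env": "development"},
    "10.0.9.2": {"asset": "payments-api-01", "env": "production"},
}
# Constructed stand-in for a Tor Exit Node list (RFC 5737 documentation range).
TOR_EXIT_NODES = {"198.51.100.7"}


def enrich(event, key_field="src_ip"):
    """Return a copy of the event with matching lookup rows attached.
    Layout (assumed): p_enrichment -> table name -> matched field -> row."""
    enriched = dict(event)
    ip = event.get(key_field)
    enrichment = {}
    if ip in ASSET_BY_IP:
        enrichment["asset_inventory"] = {key_field: ASSET_BY_IP[ip]}
    if ip in TOR_EXIT_NODES:
        enrichment["tor_exit_nodes"] = {key_field: {"ip": ip, "is_tor_exit": True}}
    if enrichment:  # no match means no p_enrichment key at all
        enriched["p_enrichment"] = enrichment
    return enriched


def rule(event):
    """Detection run on the enriched event: admin logins from production
    hosts, or any activity from a Tor exit node, raise an alert."""
    enr = event.get("p_enrichment", {})
    asset = enr.get("asset_inventory", {}).get("src_ip", {})
    if event.get("action") == "admin_login" and asset.get("env") == "production":
        return True
    return "tor_exit_nodes" in enr


def title(event):
    """Alert title that prefers the enriched asset name over the raw IP."""
    enr = event.get("p_enrichment", {})
    asset = enr.get("asset_inventory", {}).get("src_ip", {})
    return f"Suspicious {event.get('action')} from {asset.get('asset', event.get('src_ip'))}"


# Constructed sample events.
EVENTS = [
    {"action": "admin_login", "src_ip": "10.0.9.2", "user": "alice"},
    {"action": "admin_login", "src_ip": "10.0.1.15", "user": "bob"},
    {"action": "read", "src_ip": "198.51.100.7", "user": "carol"},
    {"action": "read", "src_ip": "203.0.113.9", "user": "dave"},
]


def run_pipeline(events):
    """Enrich first, then detect: returns the alert titles that would fire."""
    return [title(e) for e in map(enrich, events) if rule(e)]
```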
There are two types of Panther-managed Lookup Tables: Identity Provider Profiles and Enrichment Providers.
Panther comes with the following Enrichment Providers, also known as Panther-managed Lookup Tables: Anomali ThreatStream, IPinfo, Tor, and TrailDiscover.
Anomali ThreatStream aggregates multiple threat feeds into a single high-fidelity repository by normalizing, deduplicating, removing false positives from, and enriching threat data—then associating all related threat indicators.
The Panther-managed Anomali ThreatStream Lookup Table matches your Anomali indicator data against log events ingested into Panther for high-fidelity alerts.
IPinfo provides contextual information about IP addresses, including geolocation, ASN and privacy data. You can use IPinfo data to identify suspicious or high-risk actors.
Tor is an anonymizing network sometimes used by bad actors to hide their location. The Panther-managed Tor Lookup Table contains IP addresses for the Tor Exit Nodes.
TrailDiscover is a continuously evolving repository of CloudTrail events containing detailed descriptions, MITRE ATT&CK insights, real-world incident references, research links, and information about security implications.
In the left-side navigation bar in your Panther Console, click Configure > Lookup Tables.
You will be redirected to Data Explorer, and a SELECT query will be pre-populated.
Below the SQL editor, click Run Search.
You can view table data in the Results section, below the SQL editor.
Panther can retrieve and store user and device data from and once you've configured them as log sources. This information is stored in Panther-managed Lookup Tables, meaning it can be referred to in detection logic and search queries.
See example use cases on .
To learn how to use Anomali ThreatStream enrichment, see .
To learn how to leverage IPinfo datasets, see .
To learn how to use Tor Exit Nodes enrichment, see .
To learn how to enrich with TrailDiscover, see .
You can use to view data stored in Custom Lookup Tables, Identity Provider Profiles, and Enrichment Providers.
To view stored data:
In the upper-right corner of the tile of the Lookup Table you'd like to view, click the three dots icon (...), then View In Data Explorer.
To view stored and Panther-managed data:
You can also view the enrichment data associated with a particular event value using Search—.
Log events are enriched before being run through associated detections, but they are not enriched when stored in the data lake. This means log data queried from the data lake will not contain . (Detection matches queried from the Rule Matches database, however, do contain enrichment data.)
It may be useful to know how an enriched log event will look when it's processed by your detection(s). For an exact recreation, you can . For an approximate recreation, you can .
For a perfect recreation of how an enriched log event will look as it's processed by your detection(s), , add the event, and . (It's not necessary to then save the unit test.)
In , you can perform a join between the log and enrichment data with a query like the following:
Visit the Panther Knowledge Base to that answer frequently asked questions and help you resolve common errors and issues.
Enrich your data in Panther with IPinfo, Tor, Anomali Threatstream, and TrailDiscover—or create custom Lookup Tables