Enrich your data in Panther with GreyNoise, IPinfo, and Tor—or create custom Lookup Tables
With Panther's enrichment capabilities, you can cut through background noise to write higher-fidelity detections and deliver more informative alerts. Create custom Lookup Tables in Panther, use out-of-the-box Enrichment Providers like GreyNoise, IPinfo, and Tor, or pull in user or device data with identity provider profiles.
Lookup Tables let you add custom context to your detections and alerts. Using Lookup Tables saves time by enhancing detections, reducing alert noise, and speeding up investigations.
Panther comes with three out-of-the-box Enrichment Providers, also known as Panther-managed Lookup Tables: GreyNoise, IPinfo, and Tor.
GreyNoise collects data on IP addresses that saturate security tools with noise. This kind of data can help you understand which events can be ignored, which can lead to fewer false positive alerts—letting you focus on real threats.
IPinfo provides contextual information about IP addresses, including geolocation, ASN and privacy data. You can use IPinfo data to identify suspicious or high-risk actors.
Tor is an anonymizing network sometimes used by bad actors to hide their location. The Panther-managed Tor Lookup Table contains IP addresses for the Tor Exit Nodes.
- Convert IPs to asset/user names, or geolocation details
- Group IPs by type (development vs. production for ex.)
- Append context to AWS Account IDs
- Modify an alert's severity depending on whether GreyNoise reports that an IP is malicious or benign
- Reduce alert noise and fatigue if an IP is known to belong to a common business service that is most definitely not being used to attack your services
- Enrich Panther alert context with GreyNoise data points
Visit the Panther Knowledge Base to view articles about enrichment that answer frequently asked questions and help you resolve common errors and issues.