# Enrichment ## Overview With Panther's enrichment capabilities, you can cut through background noise to write higher-fidelity detections and deliver more informative alerts. Create custom [Lookup Tables](#lookup-tables) in Panther, use out-of-the-box [Enrichment Providers](#enrichment-providers) like GreyNoise, IPinfo, and Tor, or pull in user or device data with [identity provider profiles](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/enrichment/profiles). ## How to use enrichment features in Panther ### Lookup Tables Lookup Tables let you add custom context to your detections and alerts. Using Lookup Tables saves time by enhancing detections, reducing alert noise, and speeding up investigations. To learn how to set up Lookup Tables, see [Lookup Tables](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/enrichment/lookup-tables). ### Enrichment Providers Panther comes with three out-of-the-box Enrichment Providers, also known as Panther-managed Lookup Tables: GreyNoise, IPinfo, and Tor. #### GreyNoise GreyNoise collects data on IP addresses that saturate security tools with noise. This kind of data can help you understand which events can be ignored, which can lead to fewer false positive alerts—letting you focus on real threats. To learn how to leverage GreyNoise datasets, see [GreyNoise](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/enrichment/greynoise). #### IPinfo IPinfo provides contextual information about IP addresses, including geolocation, ASN and privacy data. You can use IPinfo data to identify suspicious or high-risk actors. To learn how to leverage IPinfo datasets, see [IPinfo](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/enrichment/ipinfo). #### Tor Exit Nodes Tor is an anonymizing network sometimes used by bad actors to hide their location. The Panther-managed Tor Lookup Table contains IP addresses for the Tor Exit Nodes. To learn how to use Tor Exit Nodes enrichment, see [Tor Exit Nodes](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/enrichment/tor-exit-nodes). ## Enrichment use case examples ### Common use cases for Lookup Tables * Convert IPs to asset/user names, or geolocation details * Group IPs by type (development vs. production for ex.) * Append context to AWS Account IDs ### Common use cases for GreyNoise * Modify an alert's severity depending on whether GreyNoise reports that an IP is malicious or benign * Reduce alert noise and fatigue if an IP is known to belong to a common business service that is most definitely not being used to attack your services * Enrich Panther alert context with GreyNoise data points ## Troubleshooting enrichment Visit the Panther Knowledge Base to [view articles about enrichment](https://help.panther.com/Enrichment) that answer frequently asked questions and help you resolve common errors and issues.