Enrichment

Overview

With Panther's enrichment capabilities, you can cut through background noise to write higher-fidelity detections and deliver more informative alerts. Create Custom Lookup Tables, or enable a type of Panther-managed Lookup Table: Enrichment Providers or identity provider profiles.

Custom Lookup Tables

Custom Lookup Tables, also referred to as simply "Lookup Tables," let you add custom context to your detections and alerts. Using Lookup Tables saves time by enhancing detections, reducing alert noise, and speeding up investigations.

To learn how to set up Lookup Tables, see Custom Lookup Tables.

Panther-managed Lookup Tables

There are two types of Panther-managed Lookup Tables: Identity Provider Profiles and Enrichment Providers.

Identity Provider Profiles

Panther can retrieve and store user and device data from Okta and Google Workspace once you've configured them as log sources. This information is stored in Panther-managed Lookup Tables, meaning it can be referred to in detection logic and search queries.

Enrichment Providers

Panther comes with four out-of-the-box Enrichment Providers, also known as Panther-managed Lookup Tables: Anomali ThreatStream, GreyNoise, IPinfo, and Tor.

Anomali ThreatStream

Anomali ThreatStream aggregates multiple threat feeds into a single high-fidelity repository by normalizing, deduplicating, removing false positives from, and enriching threat data—then associating all related threat indicators.

The Panther-managed Anomali ThreatStream Lookup Table matches your Anomali indicator data against log events ingested into Panther for high-fidelity alerts.

To learn how to use Anomali ThreatStream enrichment, see Anomali ThreatStream.

GreyNoise

GreyNoise collects data on IP addresses that saturate security tools with noise. This kind of data can help you understand which events can be ignored, which can lead to fewer false positive alerts—letting you focus on real threats.

To learn how to leverage GreyNoise datasets, see GreyNoise.

IPinfo

IPinfo provides contextual information about IP addresses, including geolocation, ASN and privacy data. You can use IPinfo data to identify suspicious or high-risk actors.

To learn how to leverage IPinfo datasets, see IPinfo.

Tor Exit Nodes

Tor is an anonymizing network sometimes used by bad actors to hide their location. The Panther-managed Tor Lookup Table contains IP addresses for the Tor Exit Nodes.

To learn how to use Tor Exit Nodes enrichment, see Tor Exit Nodes.

Enrichment use case examples

Common use cases for Lookup Tables

• Convert IPs to asset/user names, or geolocation details

• Group IPs by type (development vs. production for ex.)

• Append context to AWS Account IDs

Common use cases for GreyNoise

• Modify an alert's severity depending on whether GreyNoise reports that an IP is malicious or benign

• Reduce alert noise and fatigue if an IP is known to belong to a common business service that is most definitely not being used to attack your services

• Enrich Panther alert context with GreyNoise data points

Troubleshooting enrichment

Visit the Panther Knowledge Base to view articles about enrichment that answer frequently asked questions and help you resolve common errors and issues.