Enrichment
Enrich your data in Panther with GreyNoise, IPinfo, Tor and Anomali Threatstream—or create custom Lookup Tables
With Panther's enrichment capabilities, you can cut through background noise to write higher-fidelity detections and deliver more informative alerts. Create custom Lookup Tables, or enable a type of Panther-managed Lookup Table: Identity Provider Profiles or Enrichment Providers.
Custom Lookup Tables, also referred to as simply "Lookup Tables," let you add custom context to your detections and alerts. Using Lookup Tables saves time by enhancing detections, reducing alert noise, and speeding up investigations.
To learn how to set up Lookup Tables, see .
There are two types of Panther-managed Lookup Tables: Identity Provider Profiles and Enrichment Providers.
Panther can retrieve and store user and device data from and once you've configured them as log sources. This information is stored in Panther-managed Lookup Tables, meaning it can be referred to in detection logic and search queries.
Panther comes with four out-of-the-box Enrichment Providers, also known as Panther-managed Lookup Tables: Anomali ThreatStream, GreyNoise, IPinfo, and Tor.
Anomali ThreatStream aggregates multiple threat feeds into a single high-fidelity repository by normalizing, deduplicating, removing false positives from, and enriching threat data—then associating all related threat indicators.
The Panther-managed Anomali ThreatStream Lookup Table matches your Anomali indicator data against log events ingested into Panther for high-fidelity alerts.
GreyNoise collects data on IP addresses that saturate security tools with noise. This kind of data can help you understand which events can be ignored, which can lead to fewer false positive alerts—letting you focus on real threats.
IPinfo provides contextual information about IP addresses, including geolocation, ASN and privacy data. You can use IPinfo data to identify suspicious or high-risk actors.
Tor is an anonymizing network sometimes used by bad actors to hide their location. The Panther-managed Tor Lookup Table contains IP addresses for the Tor Exit Nodes.
Convert IPs to asset/user names, or geolocation details
Group IPs by type (for example, development vs. production)
Append context to AWS Account IDs
Modify an alert's severity depending on whether GreyNoise reports that an IP is malicious or benign
Reduce alert noise and fatigue if an IP is known to belong to a common business service that is most definitely not being used to attack your services
Enrich Panther alert context with GreyNoise data points
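The GreyNoise use cases above (adjusting severity by classification and surfacing the data points in the alert) as a Panther-style Python detection. This is an added example, not code from Panther's docs or rule packs; the lookup table name `greynoise_noise_basic`, the `src_ip` selector field and the `classification`/`actor` field names are assumptions about the table layout, and the sample event is constructed.

```python
from typing import Any, Dict, Optional

# Panther attaches lookup results to each event under "p_enrichment",
# keyed by lookup table name and then by the event field that matched.
# The table name and the "classification"/"actor" field names below are
# assumptions about the GreyNoise table layout, not taken from this page.
GREYNOISE_TABLE = "greynoise_noise_basic"
IP_FIELD = "src_ip"
# Known-malicious scanners escalate, known-benign ones (search-engine
# crawlers etc.) downgrade; anything else keeps the default severity.
SEVERITY_BY_CLASSIFICATION = {"malicious": "HIGH", "benign": "INFO"}
DEFAULT_SEVERITY = "MEDIUM"

def deep_get(obj: Any, *keys: str) -> Optional[Any]:
    """Walk nested dicts, returning None as soon as a key is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def greynoise_data(event: Dict[str, Any]) -> Dict[str, Any]:
    """GreyNoise fields for the source IP, or {} if Panther found no match."""
    return deep_get(event, "p_enrichment", GREYNOISE_TABLE, IP_FIELD) or {}

def rule(event: Dict[str, Any]) -> bool:
    # Fire on every failed login; GreyNoise only decides how loud the alert is.
    return event.get("action") == "login_failed"

def severity(event: Dict[str, Any]) -> str:
    classification = greynoise_data(event).get("classification")
    return SEVERITY_BY_CLASSIFICATION.get(classification, DEFAULT_SEVERITY)

def alert_context(event: Dict[str, Any]) -> Dict[str, Any]:
    # Surface the GreyNoise verdict in the alert so responders see it at once.
    data = greynoise_data(event)
    return {
        "src_ip": event.get(IP_FIELD),
        "greynoise_classification": data.get("classification", "not seen"),
        "greynoise_actor": data.get("actor", "unknown"),
    }

# Constructed sample event (not real log data): a failed login from an IP
# that GreyNoise classifies as a malicious mass scanner.
SAMPLE_EVENT = {
    "action": "login_failed",
    "src_ip": "203.0.113.10",
    "p_enrichment": {GREYNOISE_TABLE: {IP_FIELD: {"classification": "malicious"}}},
}
```

An IP with no `p_enrichment` entry (never seen by GreyNoise) falls through to the default severity rather than being silently downgraded.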
To learn how to use Anomali ThreatStream enrichment, see .
To learn how to leverage GreyNoise datasets, see .
To learn how to leverage IPinfo datasets, see .
To learn how to use Tor Exit Nodes enrichment, see .
Visit the Panther Knowledge Base for articles that answer frequently asked questions and help you resolve common errors and issues.