Overview

Lookup Tables are stores of security-relevant information that can be used to enrich incoming events. When Panther ingests logs it checks your lookup tables for a match on an indicator, such as an IP address or email. If a match is found the related context is added to the event where it can be referenced in detections, passed along as additional alert context, and ultimately stored in the data lake for future investigation.

Example Use Cases

• Delivering context on known malicious or benign IP addresses

• Correlating identity information such as department or assigned devices with Identity Provider Profiles

• Translating machine values such as a UUID into human-readable names

• Customizing detections with known organizational IP addresses

Panther-Managed Lookup Tables

Panther provides several managed lookup tables out of the box:

• Identity Provider Profiles: After configuration with Okta or Google Workspace, Panther can maintain a lookup table of employee attributes and organizational devices for use in detections.

• Tor Exit Nodes: Provides tools for determining if IP addresses in your log data are Tor exit nodes with additional alert context features to link to the Tor project exit node database.

• TrailDiscover: Extends the description of CloudTrail events to include related MITRE ATT&CK techniques, incident references, and additional research links.

Custom Lookup Tables

Lookup tables can be directly uploaded to the console or synced to an S3 source using CSV or JSONL files. Lookup tables synced via S3 are checked for updates on a cadence. This enables any automation that can write to an S3 bucket to become a new enrichment provider within Panther.

Learn more about configuring custom lookup tables.