Panther now offers a Lookup Tables feature for customers to enrich detection and alert workflows with custom context. For example, a security engineer can upload a list of known indicators of compromise (IOCs) into a lookup table, and any potential matches are then automatically added to alert events. Another example is using asset criticality to help security analysts prioritize alerts from critical assets before moving on to others.
Lookup Tables can be created manually (learn how here), and support for automatic synchronization from external sources and third-party integrations like IP geolocation is coming soon!
The new Panther Lookup Tables feature allows customers to easily create and manage lists that can be used for flagging IOCs, enriching event data and adding context to alerts.
Lookup Tables are a set of records where each record associates a key (e.g., an account ID) with contextual information (e.g., account owner, account purpose). Keys can be of any type, including simple strings as well as specific types such as IPv4 addresses.
Enriched data allows security teams to perform threat detection, threat hunting, and incident response more effectively. The additional context provided through enrichment allows for quick investigation and action. Enriched data can also help security teams reduce false positives: by leveraging metadata such as the asset name or user name in detection rules, a rule can avoid alerting on activity from trusted sources.
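To make the two ideas above concrete, here is an added, self-contained Python example (not Panther's own code or API) of a key-to-context lookup used inside a detection rule. Two small tables are constructed inline: one keyed by account ID carrying arbitrary JSON-style context (owner, purpose, criticality), and one keyed by IPv4 address. The IP table goes slightly beyond the text by storing CIDR ranges rather than single addresses, so a whole scanner pool can be marked trusted; malformed or IPv6 values simply fail to match instead of breaking the rule. The `enrich()` step attaches matched context to each event, the rule suppresses expected access-denied noise from trusted scanners, and severity is derived from the account's criticality. The `enrichment` key name, the table names and the sample events are this example's own assumptions.

```python
import ipaddress
from typing import Any, Dict, List, Optional

# Constructed lookup table keyed by account ID; the value is arbitrary
# JSON-style context, as the page describes.
ACCOUNTS_TABLE: Dict[str, Dict[str, Any]] = {
    "111122223333": {"owner": "payments-team", "purpose": "prod", "criticality": "high"},
    "444455556666": {"owner": "sandbox", "purpose": "dev", "criticality": "low"},
}

# Constructed IPv4-keyed table. Keys are stored as networks so that a single
# address (/32) and a whole range match the same way (assumption: CIDR keys).
TRUSTED_SCANNERS_TABLE: Dict[ipaddress.IPv4Network, Dict[str, Any]] = {
    ipaddress.ip_network("203.0.113.0/24"): {"name": "vuln-scanner-pool", "trusted": True},
    ipaddress.ip_network("198.51.100.7/32"): {"name": "pentest-box", "trusted": True},
}


def lookup_account(account_id: str) -> Optional[Dict[str, Any]]:
    """Exact-match lookup on a string key."""
    return ACCOUNTS_TABLE.get(account_id)


def lookup_ip(value: str) -> Optional[Dict[str, Any]]:
    """Typed IPv4 lookup: parse first, then test membership in each network."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None  # not an IP address at all: no match, no exception in the rule
    if addr.version != 4:
        return None  # table holds IPv4 keys only
    for net, ctx in TRUSTED_SCANNERS_TABLE.items():
        if addr in net:
            return ctx
    return None


def enrich(event: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the event with matched lookup context attached."""
    enriched = dict(event)
    context: Dict[str, Any] = {}
    acct = lookup_account(str(event.get("recipientAccountId", "")))
    if acct:
        context["accounts"] = acct
    scanner = lookup_ip(str(event.get("sourceIPAddress", "")))
    if scanner:
        context["trusted_scanners"] = scanner
    enriched["enrichment"] = context  # key name is this example's assumption
    return enriched


def rule(event: Dict[str, Any]) -> bool:
    """Alert on AccessDenied errors, except from sources the table marks trusted."""
    if event.get("errorCode") != "AccessDenied":
        return False
    scanner = event.get("enrichment", {}).get("trusted_scanners")
    if scanner and scanner.get("trusted"):
        return False  # expected noise from a known scanner: suppress
    return True


def severity(event: Dict[str, Any]) -> str:
    """Map the enriched account criticality to an alert severity."""
    crit = event.get("enrichment", {}).get("accounts", {}).get("criticality", "unknown")
    return {"high": "HIGH", "medium": "MEDIUM", "low": "LOW"}.get(crit, "INFO")


# Constructed sample events in a CloudTrail-like shape.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"eventName": "GetSecretValue", "errorCode": "AccessDenied",
     "recipientAccountId": "111122223333", "sourceIPAddress": "192.0.2.10"},
    {"eventName": "ListBuckets", "errorCode": "AccessDenied",
     "recipientAccountId": "444455556666", "sourceIPAddress": "203.0.113.42"},
    {"eventName": "ListBuckets", "errorCode": "AccessDenied",
     "recipientAccountId": "444455556666", "sourceIPAddress": "not-an-ip"},
    {"eventName": "DescribeInstances",
     "recipientAccountId": "111122223333", "sourceIPAddress": "192.0.2.10"},
]


def process(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Enrich each event, apply the rule, and collect alerts with their context."""
    alerts = []
    for ev in events:
        e = enrich(ev)
        if rule(e):
            alerts.append({"event": e["eventName"], "severity": severity(e),
                           "context": e["enrichment"]})
    return alerts


if __name__ == "__main__":
    for alert in process(SAMPLE_EVENTS):
        print(alert)
```

Running the sample batch yields two alerts: the access-denied call in the high-criticality production account (HIGH) and the one with an unparseable source IP in the sandbox account (LOW); the call from the scanner pool is suppressed, and the event without an error code never fires. The context dictionary carried on each alert is exactly what an analyst would want surfaced alongside the raw event.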
Some examples of data enrichment using managed lookup tables are:
Lookup Tables can be created and used in Panther in a few steps:
You can learn more about how to set up and use lookup table data here.
Q: Can I associate any data with a lookup table key?
A: Yes. Arbitrary JSON structured data can be associated with a key.
Q: Is there a limit to the number of Lookup Tables?
A: Currently there is a maximum limit of 10 lookup tables. Additional tables can be defined by requesting a limit increase with your Panther point of contact.
Q: Is there a limit to the number of records in a single lookup table?
A: There is a limit of 10 million records.
Q: Can I query lookup data in Data Explorer?
A: Yes, all lookup tables are materialized into tables and selectable from the Data Explorer.
Not using Panther yet? Request a demo to learn how Panther can help you achieve fast, flexible and scalable threat detection and response.