All Posts

Improve detection fidelity and alert triage with Lookup Tables in Panther

Panther Labs

TL;DR

Panther now offers a Lookup Tables feature for customers to enrich detections and alerts workflows with custom context. For example, a security engineer can upload a list of known indicators of compromise (IOCs) into a lookup table, and any potential matches are then automatically added to alert events. Another example would be utilizing asset criticality to help security analysts prioritize alerts from critical assets before moving on to others.

Lookup Tables can be created manually (learn how here), and support for automatic synchronization from external sources and 3rd party integrations like IP geolocation are coming soon!

What and Why

The new Panther Lookup Tables feature allows customers to easily create and manage lists that can be used for flagging IOCs, enriching event data and adding context to alerts.

Lookup Tables are a set of records where each record associates a key (e.g., account id) with contextual information (e.g., account owner, account purpose). Keys can be any type including simple strings as well as specific types like IPv4 addresses.

Enriched data allows security teams to better perform threat detection, threat hunting, and incident response. The additional context provided through enrichment allows for quick investigation and action. Enriched data can also help security teams reduce false positives, by leveraging metadata such as the asset name or user name context in detection rules, to avoid alerting on activity from trusted sources.

Some examples of data enrichment using managed lookup tables are:

  • Create lists of trusted indicators like IPs or accounts to avoid alerting on legitimate activity
  • Create lists of known indicators of compromise to alert on illegitimate activity
  • Add context to alerts to enable automated routing actions (e.g., assign alerts for specific systems to specific team members for triage)

Lookup Tables can be created and used in Panther in a few steps:

  • Upload data as CSV or JSONL
  • Associate lookup data to one or more log types
  • Materialize tables in the data lake to allow JOINs

You can learn more about how to set up and use lookup table data here.

Frequently Asked Questions

Q: Can I associate any data with a lookup table key?

A: Yes. Arbitrary JSON structured data can be associated with a key.

Q: Is there a limit to the number of Lookup Tables?

A: Currently there is a maximum limit of 10 lookup tables. Additional tables can be defined by requesting a limit increase with your Panther point of contact.

Q: Is there a limit to the number of records in a single lookup table?

A: There is a limit of 10 million records.

Q: Can I query lookup data in Data Explorer?

A: Yes, all lookup tables are materialized into tables and selectable from the Data Explorer.

Get Started Today

Not using Panther yet?  Request a demo to learn how Panther can help you achieve fast, flexible and scalable threat detection and response.