p_event_time is mapped to each data source's corresponding event time and normalized to UTC. This way you can query over multiple data sources, joining and ordering by p_event_time, to properly align and correlate the data despite the disparate schemas of each data source.

| Field | Type |
| --- | --- |
| p_log_type | string |
| p_row_id | string |
| p_event_time | timestamp |
| p_parse_time | timestamp |
| p_source_id | string |
| p_source_label | string |
Where no event time can be determined, p_event_time will be set to p_parse_time, which is the time the event was parsed.

The p_source_id and p_source_label fields are very useful for knowing where the data originated. For example, you might have multiple CloudTrail sources registered with Panther, each with a unique name (e.g., "Dev Accounts", "Production Accounts", "HR Accounts", etc.). These fields allow you to easily separate data based on the source, which is very useful in Panther rules as well as in business intelligence (BI) reporting.

Fields in the panther_rule_matches database:

| Field | Type |
| --- | --- |
| p_alert_id | string |
| p_alert_creation_time | timestamp |
| p_alert_severity | string |
| p_alert_update_time | timestamp |
| p_rule_id | string |
| p_rule_error | string |
| p_rule_reports | map[string]array[string] |
| p_rule_severity | string |
| p_rule_tags | array[string] |
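To show how the standard fields above are used inside a detection, here is an added example (not Panther's own code or documentation) of a Panther-style Python rule: it scopes alert severity by p_source_label, surfaces p_row_id and p_source_id so an analyst can pivot back into the data lake, and flags when p_event_time is only the p_parse_time fallback. The source labels, the console-login-without-MFA condition and the sample events are constructed assumptions.

```python
# Assumed source labels, as registered in Panther; replace with your own.
PRODUCTION_LABELS = {"Production Accounts"}


def event_time_is_fallback(event):
    """True when no event time was parsed and Panther set p_event_time to
    p_parse_time: the timestamp then reflects ingestion, not the activity."""
    return event.get("p_event_time") == event.get("p_parse_time")


def rule(event):
    """Fire for CloudTrail console logins without MFA (constructed condition),
    regardless of which registered source the event came from."""
    if event.get("p_log_type") != "AWS.CloudTrail":
        return False
    if event.get("eventName") != "ConsoleLogin":
        return False
    return event.get("additionalEventData", {}).get("MFAUsed") == "No"


def severity(event):
    # p_source_label separates production data from the rest without any
    # per-account logic in the rule body.
    return "HIGH" if event.get("p_source_label") in PRODUCTION_LABELS else "LOW"


def title(event):
    return (f"Console login without MFA in {event.get('p_source_label')} "
            f"[{event.get('p_log_type')}, source {event.get('p_source_id')}]")


def alert_context(event):
    # Surface the standard fields an analyst needs to pivot in the data lake.
    return {
        "p_row_id": event.get("p_row_id"),
        "p_source_id": event.get("p_source_id"),
        "p_event_time": event.get("p_event_time"),
        "event_time_is_fallback": event_time_is_fallback(event),
    }


# Constructed sample events, not real log data.
PROD_EVENT = {
    "p_log_type": "AWS.CloudTrail", "p_row_id": "row-0001",
    "p_source_id": "src-prod", "p_source_label": "Production Accounts",
    "p_event_time": "2024-01-02 03:04:05.000",
    "p_parse_time": "2024-01-02 03:04:09.000",
    "eventName": "ConsoleLogin", "additionalEventData": {"MFAUsed": "No"},
}
DEV_EVENT = dict(PROD_EVENT, p_source_label="Dev Accounts", p_source_id="src-dev")
```

The same rule body serves every registered CloudTrail source; only the severity and the alert context change with the source label.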
A common question is "was some-indicator ever observed in our logs?" The p_any fields are appended to rows of data as appropriate. An all_logs view is provided over all data sources to make it easy for users to find activity for an indicator in a single query using the p_any fields.

Enrichment data is attached in the p_enrichment field, in the following JSON structure:

| Field | Type |
| --- | --- |
| p_enrichment | array[object] |
95.123.145.92
: