# Custom Enrichment Specification Reference

## Overview

The following fields can be used in your custom enrichment YAML configuration file.

## Enrichment field reference

The following is a complete list of custom enrichment specification fields. Field names in bold are required. An asterisk (`*`) indicates that two fields are mutually exclusive.

<table><thead><tr><th>Field Name</th><th width="298">Description</th><th>Expected value</th></tr></thead><tbody><tr><td><strong><code>AnalysisType</code></strong></td><td>Indicates that this is an enrichment (also known as a Lookup Table)</td><td><code>lookup_table</code></td></tr><tr><td><strong><code>Enabled</code></strong></td><td>Whether this table is enabled</td><td>Boolean</td></tr><tr><td><strong><code>LookupName</code></strong></td><td>The unique identifier of the table</td><td>String</td></tr><tr><td><strong><code>Schema</code></strong></td><td>The ID of the schema to use for parsing input data</td><td>String</td></tr><tr><td><strong><code>LogTypeMap</code></strong></td><td>A mapping of log schema fields to match against this table</td><td>Object, see <a href="#logtypemap-specification"><code>LogTypeMap</code> specification</a> below</td></tr><tr><td><strong><code>Filename*</code></strong></td><td>The relative path to the data file. <strong>Cannot be used with <code>Refresh</code></strong></td><td>String</td></tr><tr><td><strong><code>Refresh*</code></strong></td><td>The configuration of the S3 bucket or Google Cloud Storage (GCS) bucket sync functionality. <strong>Cannot be used with <code>Filename</code></strong></td><td>Object, see <a href="#refresh-specification"><code>Refresh</code> specification</a> below</td></tr><tr><td><strong><code>Query</code></strong></td><td>An SQL query to retrieve enrichment data from the datalake. <strong>Cannot be used with <code>Filename</code></strong></td><td>String</td></tr><tr><td><strong><code>Indicators</code></strong></td><td>List of indicator field mappings for the schema (used with <code>Query</code>)</td><td>Array, see <a href="https://github.com/panther-labs/panther-docs/blob/docs/gitbook/enrichment/custom/lookup-table-specification-reference.md#indicators-specification"><code>Indicators</code> specification</a> below</td></tr><tr><td><strong><code>Validations</code></strong></td><td>List of validation rules for the schema (used with <code>Query</code>)</td><td>Array, see <a href="https://github.com/panther-labs/panther-docs/blob/docs/gitbook/enrichment/custom/lookup-table-specification-reference.md#validations-specification"><code>Validations</code> specification</a> below</td></tr><tr><td><code>Description</code></td><td>A brief description of the table</td><td>String</td></tr><tr><td><code>Reference</code></td><td>An optional reference link</td><td>String</td></tr></tbody></table>

### `LogTypeMap` specification

`LogTypeMap` should be an object with the following fields:

<table><thead><tr><th>Field Name</th><th width="271">Description</th><th>Expected value</th></tr></thead><tbody><tr><td><strong><code>PrimaryKey</code></strong></td><td>Defines which column of the table to use for matching against events</td><td>String, number, or array (of strings or numbers)<br>See <a href="/pages/tFgsEB9K2WdlOrmVxhWp#primary-key-data-types">Primary key data types</a></td></tr><tr><td><strong><code>AssociatedLogTypes</code></strong></td><td>A list of log types and the fields of each to use as Selectors.</td><td>List, see below. If you are using <a href="/pages/tFgsEB9K2WdlOrmVxhWp#option-2-let-log-types-and-selectors-be-automatically-mapped-by-indicator-fields">automatic log type/Selector designation</a>, this can be an empty list.</td></tr></tbody></table>

Each item of `AssociatedLogTypes` must be an object with the following fields:

<table><thead><tr><th width="201">Field Name</th><th width="317">Description</th><th>Expected value</th></tr></thead><tbody><tr><td><strong><code>LogType</code></strong></td><td>The ID of the Log Schema</td><td>String</td></tr><tr><td><strong><code>Selectors</code></strong></td><td>A list of fields from the Log Type to be matched against the Primary Key</td><td>List of strings</td></tr></tbody></table>

### `Refresh` specification <a href="#refresh-specification" id="refresh-specification"></a>

`Refresh` defines the configuration when importing data from an [S3 bucket](/enrichment/custom.md#option-2-sync-lookup-table-data-from-an-s3-bucket) or a [GCS bucket](/enrichment/custom.md#option-3-sync-lookup-table-data-from-a-google-cloud-storage-gcs-bucket). It must be an object with the following fields:

<table><thead><tr><th width="214">Field Name</th><th width="303">Description</th><th>Expected value</th></tr></thead><tbody><tr><td><strong><code>ObjectPath</code></strong></td><td>A URI pointing to the file within the S3 or GCS bucket.</td><td>String</td></tr><tr><td><strong><code>PeriodMinutes</code></strong></td><td>The number of minutes to wait between syncing with the S3 object</td><td><code>15</code>, <code>30</code>, <code>60</code>, <code>180</code> (3 hours), <code>720</code> (12 hours), or <code>1440</code> (24 hours)</td></tr><tr><td><strong><code>RoleARN</code></strong></td><td>(Required only for <a href="/pages/tFgsEB9K2WdlOrmVxhWp#option-2-sync-lookup-table-data-from-an-s3-bucket">S3 bucket sync</a>) The AWS ARN corresponding to the role Panther can assume to access the S3 object.</td><td>String</td></tr><tr><td><strong><code>GCSCredentials</code></strong></td><td>(Required only for <a href="/pages/tFgsEB9K2WdlOrmVxhWp#option-3-sync-lookup-table-data-from-a-google-cloud-storage-gcs-bucket">GCS bucket sync</a>) The Workload Identity Federation JSON credential configuration file.</td><td>String (containing a JSON object)</td></tr><tr><td><code>StorageProvider</code></td><td>The cloud service where <code>ObjectPath</code> is located.</td><td><code>S3</code> or <code>GCS</code> (defaults to <code>S3</code> if undefined)</td></tr></tbody></table>
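
A pre-upload lint for the rules stated in the field reference, `LogTypeMap` and `Refresh` tables above, written as an added example (it is not Panther's own validation code). It takes the already-parsed YAML as a Python dict; the `SAMPLE` values are constructed, and the rule that at least one of `Filename`, `Refresh` or `Query` must be present is an assumption.

```python
ALLOWED_PERIODS = {15, 30, 60, 180, 720, 1440}
REQUIRED = ("AnalysisType", "Enabled", "LookupName", "Schema", "LogTypeMap")

def check_refresh(refresh):
    errors = [f"Refresh.{k} is required"
              for k in ("ObjectPath", "PeriodMinutes") if k not in refresh]
    if "PeriodMinutes" in refresh and refresh["PeriodMinutes"] not in ALLOWED_PERIODS:
        errors.append("Refresh.PeriodMinutes must be 15, 30, 60, 180, 720 or 1440")
    provider = refresh.get("StorageProvider", "S3")  # defaults to S3 if undefined
    if provider not in ("S3", "GCS"):
        errors.append("Refresh.StorageProvider must be S3 or GCS")
    elif provider == "S3" and not refresh.get("RoleARN"):
        errors.append("Refresh.RoleARN is required for S3 bucket sync")
    elif provider == "GCS" and not refresh.get("GCSCredentials"):
        errors.append("Refresh.GCSCredentials is required for GCS bucket sync")
    return errors

def check_spec(spec):
    """Return violations of the rules in the tables above (empty list = pass)."""
    errors = [f"{k} is required" for k in REQUIRED if k not in spec]
    if spec.get("AnalysisType", "lookup_table") != "lookup_table":
        errors.append("AnalysisType must be lookup_table")
    if not isinstance(spec.get("Enabled", True), bool):
        errors.append("Enabled must be a Boolean")
    for other in ("Refresh", "Query"):
        if "Filename" in spec and other in spec:
            errors.append(f"Filename cannot be used with {other}")
    # Assumption (not stated on the page): a table needs at least one data source.
    if not any(k in spec for k in ("Filename", "Refresh", "Query")):
        errors.append("one of Filename, Refresh or Query is needed")
    ltm = spec.get("LogTypeMap")
    if isinstance(ltm, dict):
        errors += [f"LogTypeMap.{k} is required"
                   for k in ("PrimaryKey", "AssociatedLogTypes") if k not in ltm]
        for i, item in enumerate(ltm.get("AssociatedLogTypes") or []):
            sel = item.get("Selectors")
            if not isinstance(item.get("LogType"), str):
                errors.append(f"AssociatedLogTypes[{i}].LogType must be a string")
            if not (isinstance(sel, list) and all(isinstance(s, str) for s in sel)):
                errors.append(f"AssociatedLogTypes[{i}].Selectors must be a list of strings")
    if isinstance(spec.get("Refresh"), dict):
        errors += check_refresh(spec["Refresh"])
    return errors

# Constructed sample: an S3-synced table keyed on account_id (placeholder names).
SAMPLE = {"AnalysisType": "lookup_table", "Enabled": True,
          "LookupName": "example_accounts", "Schema": "Custom.ExampleAccounts",
          "LogTypeMap": {"PrimaryKey": "account_id", "AssociatedLogTypes": [
              {"LogType": "AWS.CloudTrail", "Selectors": ["recipientAccountId"]}]},
          "Refresh": {"ObjectPath": "s3://example-bucket/accounts.csv", "PeriodMinutes": 60,
                      "RoleARN": "arn:aws:iam::123456789012:role/example-lookup-role"}}
```

Running `check_spec` in CI before upload catches a spec that sets both `Filename` and `Refresh`, or an S3 sync with no `RoleARN`, before it reaches the platform.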

### `Indicators` specification <a href="#user-content-indicators-specification" id="user-content-indicators-specification"></a>

`Indicators` defines field indicator mappings when using `Query`. Each item in the array must be an object with the following fields:

<table><thead><tr><th width="214">Field Name</th><th width="303">Description</th><th>Expected value</th></tr></thead><tbody><tr><td><strong><code>Field</code></strong></td><td>The name of the field in the query result</td><td>String</td></tr><tr><td><strong><code>Indicators</code></strong></td><td>A list of indicator types for this field</td><td>Array of strings (e.g., <code>["username", "email"]</code>)</td></tr></tbody></table>

### `Validations` specification <a href="#user-content-validations-specification" id="user-content-validations-specification"></a>

`Validations` defines field validation rules when using `Query`. Each item in the array must be an object with the following fields:

<table><thead><tr><th width="214">Field Name</th><th width="303">Description</th><th>Expected value</th></tr></thead><tbody><tr><td><strong><code>Field</code></strong></td><td>The name of the field in the query result</td><td>String</td></tr><tr><td><code>Validations</code></td><td>A list of validation rules for this field</td><td>Array of validation objects</td></tr></tbody></table>


