Custom Enrichment Specification Reference
Overview
The following fields can be used in your custom enrichment YAML configuration file.
Enrichment field reference
The following is a complete list of custom enrichment specification fields. Field names in bold are required. An asterisk (*) indicates that two fields are mutually exclusive.

| Field | Description | Type / allowed values |
|---|---|---|
| **AnalysisType** | Indicates that this is an enrichment (also known as a Lookup Table) | `lookup_table` |
| **Enabled** | Whether this table is enabled | Boolean |
| **LookupName** | The unique identifier of the table | String |
| **Schema** | The ID of the schema to use for parsing input data | String |
| **LogTypeMap** | A mapping of log schema fields to match against this table | Object, see LogTypeMap specification below |
| Filename* | The relative path to the data file. Cannot be used with Refresh | String |
| Refresh* | The configuration of the S3 bucket or Google Cloud Storage (GCS) bucket sync functionality. Cannot be used with Filename | Object, see Refresh specification below |
| Query | An SQL query to retrieve enrichment data from the data lake. Cannot be used with Filename | String |
| Indicators | List of indicator field mappings for the schema (used with Query) | Array, see Indicators specification below |
| Validations | List of validation rules for the schema (used with Query) | Array, see Validations specification below |
| Description | A brief description of the table | String |
| Reference | An optional reference link | String |
LogTypeMap specification
LogTypeMap should be an object with the following fields:

| Field | Description | Type / allowed values |
|---|---|---|
| PrimaryKey | Defines which column of the table to use for matching against events | String, number, or array (of strings or numbers). See Primary key data types |
| AssociatedLogTypes | A list of log types and the fields of each to use as Selectors | List, see below. If you are using automatic log type/Selector designation, this can be an empty list |

Each item of AssociatedLogTypes must be an object with the following fields:

| Field | Description | Type / allowed values |
|---|---|---|
| LogType | The ID of the Log Schema | String |
| Selectors | A list of fields from the Log Type to be matched against the Primary Key | List of strings |
Refresh specification
Refresh defines the configuration when importing data from an S3 bucket or a GCS bucket. It must be an object with the following fields:

| Field | Description | Type / allowed values |
|---|---|---|
| ObjectPath | A URI pointing to the file within the S3 or GCS bucket | String |
| PeriodMinutes | The number of minutes to wait between syncing with the S3 object | 15, 30, 60, 180 (3 hours), 720 (12 hours), or 1440 (24 hours) |
| RoleARN | (Required only for S3 bucket sync) The AWS ARN corresponding to the role Panther can assume to access the S3 object | String |
| GCSCredentials | (Required only for GCS bucket sync) The Workload Identity Federation JSON credential configuration file | String (containing a JSON object) |
| StorageProvider | The cloud service where ObjectPath is located | S3 or GCS (defaults to S3 if undefined) |
Indicators specification
Indicators defines field indicator mappings when using Query. Each item in the array must be an object with the following fields:

| Field | Description | Type / allowed values |
|---|---|---|
| Field | The name of the field in the query result | String |
| Indicators | A list of indicator types for this field | Array of strings (e.g., ["username", "email"]) |
Validations specification
Validations defines field validation rules when using Query. Each item in the array must be an object with the following fields:

| Field | Description | Type / allowed values |
|---|---|---|
| Field | The name of the field in the query result | String |
| Validations | A list of validation rules for this field | Array of validation objects |
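The rules in the tables above (required top-level fields, the Filename/Refresh/Query exclusions, the allowed PeriodMinutes values, and the provider-specific Refresh credentials) can be checked before a spec is uploaded. The following is an added example, not Panther's own tooling; the spec is mirrored as a Python dict as it would be after loading the YAML, and every name and path in the sample specs is constructed.

```python
# Added example (not Panther's own code): apply the field rules from this reference
# to a custom enrichment spec (mirrored here as a dict, as loaded from the YAML file).
ALLOWED_PERIODS = {15, 30, 60, 180, 720, 1440}
REQUIRED = ("AnalysisType", "Enabled", "LookupName", "Schema", "LogTypeMap")


def validate_spec(spec: dict) -> list[str]:
    """Return the rule violations found in a spec; an empty list means it passes."""
    errors = [f"missing required field {k}" for k in REQUIRED if k not in spec]
    if spec.get("AnalysisType") != "lookup_table":
        errors.append("AnalysisType must be lookup_table")
    for other in ("Refresh", "Query"):  # Filename is exclusive with both
        if "Filename" in spec and other in spec:
            errors.append(f"Filename cannot be used with {other}")
    for key in ("Indicators", "Validations"):  # both are used with Query
        if key in spec and "Query" not in spec:
            errors.append(f"{key} is only used with Query")
    log_map = spec.get("LogTypeMap") or {}
    if "PrimaryKey" not in log_map:
        errors.append("LogTypeMap.PrimaryKey is missing")
    for assoc in log_map.get("AssociatedLogTypes", []):
        if "LogType" not in assoc or not isinstance(assoc.get("Selectors"), list):
            errors.append("each AssociatedLogTypes item needs LogType and a Selectors list")
    refresh = spec.get("Refresh")
    if refresh is not None:
        if "ObjectPath" not in refresh:
            errors.append("Refresh.ObjectPath is missing")
        if refresh.get("PeriodMinutes") not in ALLOWED_PERIODS:
            errors.append(f"Refresh.PeriodMinutes must be one of {sorted(ALLOWED_PERIODS)}")
        provider = refresh.get("StorageProvider", "S3")  # S3 is the default
        if provider == "S3" and "RoleARN" not in refresh:
            errors.append("Refresh.RoleARN is required for S3 sync")
        elif provider == "GCS" and "GCSCredentials" not in refresh:
            errors.append("Refresh.GCSCredentials is required for GCS sync")
        elif provider not in ("S3", "GCS"):
            errors.append("Refresh.StorageProvider must be S3 or GCS")
    return errors


# Constructed sample: an S3-synced table keyed on an IP column (all values hypothetical).
S3_SPEC = {
    "AnalysisType": "lookup_table", "Enabled": True, "LookupName": "bad_ips",
    "Schema": "Custom.BadIPs", "Description": "Constructed example table",
    "LogTypeMap": {"PrimaryKey": "ip", "AssociatedLogTypes": [
        {"LogType": "AWS.VPCFlow", "Selectors": ["srcAddr", "dstAddr"]}]},
    "Refresh": {"ObjectPath": "s3://example-bucket/bad_ips.csv", "PeriodMinutes": 60,
                "RoleARN": "arn:aws:iam::123456789012:role/example-role"},
}
# Constructed sample breaking three rules: Filename with Refresh, a bad period, GCS without credentials.
BAD_SPEC = dict(S3_SPEC, Filename="./bad_ips.csv",
                Refresh={"ObjectPath": "gs://example-bucket/bad_ips.csv",
                         "PeriodMinutes": 45, "StorageProvider": "GCS"})
```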