Import via File Upload
This feature is available in version 1.27 and newer.

Set up a Lookup Table

Example scenario: Let's say you want to add metadata to distinguish developer accounts from production accounts in your AWS CloudTrail logs. Here's an example where isProduction has been added:
To configure a Lookup Table, follow these steps in your Panther Console:
  1. From the left sidebar, click Enrichment > Lookup Tables.
  2. In the upper right side of the page, click + to add a new Lookup Table.
  3. Configure the Lookup Table Basic Information:
    1. Enter a descriptive Lookup Name.
      • For this example, we will use account_metadata.
    2. Enter a Description (optional) and a Reference (optional). Description is meant for content about the table, while Reference can be used to hyperlink to an internal resource.
    3. Next to Enabled?, toggle the setting to Yes. Note: This is required to import your data later in this process.
    4. Click Continue.
  4. Configure the Associated Log Types:
    • Select the Log Type from the dropdown.
    • Type in the names of the Selectors, the foreign key fields from the log type that you want enriched with your Lookup Table. (In the example screenshot below, we selected AWS.CloudTrail logs and typed in accountID and recipientAccountID to represent keys in the CloudTrail logs.)
      • You can also reference attributes in nested objects using JSON path syntax. For example, to reference a field in a map, use $.field.subfield.
    • Click Add Log Type to add another if needed.
  5. Click Continue.
  6. Configure the Table Schema. Note: If you have not already created a new schema, please see our documentation on creating schemas. You can also use your Lookup Table data to infer a schema. Once you have created a schema, you will be able to choose it from the dropdown on the Table Schema page while configuring a Lookup Table. Note: CSV schemas require column headers to work with Lookup Tables.
    1. Select a Schema Name from the dropdown.
    2. Select a Primary Key Name from the dropdown. This should be a unique column on the table, such as accountID.
  7. Click Continue.
  8. Drag and drop a file or click Select File to choose the file of your Lookup Table data to import. The file must be in .csv or .jsonl format.
  9. Click Finish Setup. A source setup success page will populate.
  10. Optionally, next to Set an alarm in case this lookup table doesn't receive any data?, toggle the setting to YES to enable an alarm.
    • Fill in the Number and Period fields to indicate how often Panther should send you this notification.
    • The alert destinations for this alarm are displayed at the bottom of the page. To configure and customize where your notification is sent, see documentation on Panther Destinations.
Note: Notifications generated when a Lookup Table upload fails are accessible in the System Errors tab on the Alerts & Errors page in the Panther Console.
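A pre-upload check for the file chosen in steps 6 to 8, as an added example that is not part of Panther's documentation or product code: it verifies the header row and Primary Key uniqueness of a constructed account_metadata CSV, then models locally how Selector values (plain names and `$.field.subfield` paths) line up with the Primary Key. The function names, sample rows and sample event are assumptions, and the matching is a simplified model, not Panther's implementation.

```python
import csv
import io

# Constructed sample data for the account_metadata scenario (not real accounts).
SAMPLE_CSV = """accountID,isProduction
90123456,false
12345678,true
"""
# Constructed, trimmed CloudTrail-style event.
SAMPLE_EVENT = {"recipientAccountID": "12345678",
                "userIdentity": {"accountId": "90123456"}}

def validate_lookup_csv(text, primary_key):
    """Parse a Lookup Table CSV and return (rows, errors) before upload."""
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    if primary_key not in headers:
        return [], [f"header row lacks primary key column {primary_key!r}"]
    rows, errors, seen = [], [], set()
    for line_no, row in enumerate(reader, start=2):
        key = (row[primary_key] or "").strip()
        if None in row or None in row.values():
            errors.append(f"line {line_no}: column count differs from header")
        if not key:
            errors.append(f"line {line_no}: empty {primary_key}")
        elif key in seen:
            errors.append(f"line {line_no}: duplicate {primary_key} {key!r}")
        seen.add(key)
        rows.append(row)
    return rows, errors

def resolve_selector(event, selector):
    """Resolve a plain field name or a $.field.subfield path in a log event."""
    parts = selector[2:].split(".") if selector.startswith("$.") else [selector]
    value = event
    for part in parts:
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value

def enrich(event, selectors, rows, primary_key):
    """Map each selector whose value equals a primary key to its table row."""
    table = {row[primary_key]: row for row in rows}
    values = {s: resolve_selector(event, s) for s in selectors}
    return {s: table[str(v)] for s, v in values.items()
            if isinstance(v, (str, int)) and str(v) in table}
```

A duplicate or empty Primary Key makes enrichment ambiguous, which matters when a detection relies on isProduction to decide severity.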