Lookup Table Specification Reference

AnalysisType

Indicates that this is a Lookup Table

lookup_table

Enabled

Whether this table is enabled

Boolean

LookupName

The unique identifier of the table

String

Schema

The ID of the schema to use for parsing input data

String

LogTypeMap

A mapping of log schema fields to match against this table

Object, see LogTypeMap specification below

Filename*

The relative path to the data file. Cannot be used with Refresh

String

Refresh*

The configuration of the S3 bucket or Google Cloud Storage (GCS) bucket sync functionality. Cannot be used with Filename

Object, see Refresh specification below

Description

A brief description of the table

String

Reference

An optional reference link

String

PrimaryKey

Defines which column of the table to use for matching against events

String, number, or array (of strings or numbers) See Primary key data types

AssociatedLogTypes

A list of log types and the fields of each to use as Selectors.

List, see below. If you are using automatic log type/Selector designation, this can be an empty list.

LogType

The ID of the Log Schema

String

Selectors

A list of fields from the Log Type to be matched against the Primary Key

List of strings

ObjectPath

A URI pointing to the file within the S3 or GCS bucket.

String

PeriodMinutes

The number of minutes to wait between syncing with the S3 object

15,30,60,180 (3 hours),720 (12 hours), or 1440 (24 hours)

RoleARN

(Required only for S3 bucket sync) The AWS ARN corresponding the role Panther can assume to access the S3 object.

String

GCSCredentials

(Required only for GCS bucket sync) The Workload Identity Federation JSON credential configuration file.

String (containing a JSON object)

StorageProvider

The cloud service where ObjectPath is located.

S3 or GCS (defaults to S3 if undefined)