Lookup Table Specification Reference
Lookup Table field reference
The following is a complete list of Lookup Table specification fields. Field names in bold are required. An asterisk (*) indicates that 2 fields are mutually exclusive.

| Field | Description | Expected value |
| --- | --- | --- |
| AnalysisType | Indicates that this is a Lookup Table | lookup_table |
| Enabled | Whether this table is enabled | Boolean |
| LookupName | The unique identifier of the table | String |
| Schema | The ID of the schema to use for parsing input data | String |
| LogTypeMap | A mapping of log schema fields to match against this table | Object, see LogTypeMap specification below |
| Filename* | The relative path to the data file. Cannot be used with Refresh | String |
| Refresh* | The configuration of the S3 bucket or Google Cloud Storage (GCS) bucket sync functionality. Cannot be used with Filename | Object, see Refresh specification below |
| Description | A brief description of the table | String |
| Reference | An optional reference link | String |

LogTypeMap specification
LogTypeMap should be an object with the following fields:

| Field | Description | Expected value |
| --- | --- | --- |
| PrimaryKey | Defines which column of the table to use for matching against events | String, number, or array (of strings or numbers). See Primary key data types |
| AssociatedLogTypes | A list of log types and the fields of each to use as Selectors. | List, see below. If you are using automatic log type/Selector designation, this can be an empty list. |

Each item of AssociatedLogTypes must be an object with the following fields:

| Field | Description | Expected value |
| --- | --- | --- |
| LogType | The ID of the Log Schema | String |
| Selectors | A list of fields from the Log Type to be matched against the Primary Key | List of strings |

Refresh specification
Refresh defines the configuration when importing data from an S3 bucket or a GCS bucket. It must be an object with the following fields:

| Field | Description | Expected value |
| --- | --- | --- |
| ObjectPath | A URI pointing to the file within the S3 or GCS bucket. | String |
| PeriodMinutes | The number of minutes to wait between syncing with the S3 object | 15, 30, 60, 180 (3 hours), 720 (12 hours), or 1440 (24 hours) |
| RoleARN | (Required only for S3 bucket sync) The AWS ARN corresponding to the role Panther can assume to access the S3 object. | String |
| GCSCredentials | (Required only for GCS bucket sync) The Workload Identity Federation JSON credential configuration file. | String (containing a JSON object) |
| StorageProvider | The cloud service where ObjectPath is located. | S3 or GCS (defaults to S3 if undefined) |
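
The constraints stated in the field tables above, expressed as a validator over a parsed specification (a dict). This is an added example, not Panther's own code; `validate_lookup_spec`, the `SAMPLE` values, and treating a missing PeriodMinutes as invalid are assumptions.

```python
import json
# Sync intervals (minutes) listed for Refresh.PeriodMinutes.
ALLOWED_PERIODS = {15, 30, 60, 180, 720, 1440}

def _scalar(v):
    return isinstance(v, (str, int, float)) and not isinstance(v, bool)

def validate_lookup_spec(spec):
    """Return a list of problems in a parsed Lookup Table spec (a dict)."""
    problems = []
    if "Filename" in spec and "Refresh" in spec:
        problems.append("Filename and Refresh are mutually exclusive")
    ltm = spec.get("LogTypeMap", {})
    pk = ltm.get("PrimaryKey")
    if "PrimaryKey" in ltm and not (
            _scalar(pk) or (isinstance(pk, list) and all(map(_scalar, pk)))):
        problems.append("PrimaryKey must be a string, number, or array of them")
    for i, item in enumerate(ltm.get("AssociatedLogTypes", [])):
        sel = item.get("Selectors")
        if not isinstance(item.get("LogType"), str):
            problems.append(f"AssociatedLogTypes[{i}].LogType must be a string")
        if not (isinstance(sel, list) and all(isinstance(s, str) for s in sel)):
            problems.append(f"AssociatedLogTypes[{i}].Selectors must be a list of strings")
    refresh = spec.get("Refresh")
    if refresh is not None:
        period = refresh.get("PeriodMinutes")  # assumption: missing is invalid
        if not _scalar(period) or period not in ALLOWED_PERIODS:
            problems.append("PeriodMinutes must be 15, 30, 60, 180, 720 or 1440")
        provider = refresh.get("StorageProvider", "S3")  # defaults to S3
        if provider == "S3" and not refresh.get("RoleARN"):
            problems.append("RoleARN is required for S3 bucket sync")
        elif provider == "GCS":
            try:  # GCSCredentials is a string containing a JSON object
                ok = isinstance(json.loads(refresh.get("GCSCredentials")), dict)
            except (ValueError, TypeError):
                ok = False
            if not ok:
                problems.append("GCSCredentials must be a string holding a JSON object")
        elif provider != "S3":
            problems.append("StorageProvider must be S3 or GCS")
    return problems

# Constructed sample spec; every name, path and the bucket are placeholders.
SAMPLE = {
    "LookupName": "example_accounts", "Filename": "./accounts.csv",
    "Refresh": {"ObjectPath": "s3://example-bucket/accounts.csv", "PeriodMinutes": 45},
    "LogTypeMap": {"PrimaryKey": "account_id", "AssociatedLogTypes": [
        {"LogType": "AWS.CloudTrail", "Selectors": ["recipientAccountId"]}]},
}
```

On `SAMPLE` the validator reports three problems: Filename used together with Refresh, an unsupported PeriodMinutes, and a missing RoleARN for the default S3 provider.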