Lookup Table Specification Reference
The following is a complete list of Lookup Table specification fields. Field names in bold are required. An asterisk (*) indicates that 2 fields are mutually exclusive.
| Field name | Description | Expected value |
| --- | --- | --- |
| AnalysisType | Indicates that this is a Lookup Table | lookup_table |
| Enabled | Whether this table is enabled | Boolean |
| LookupName | The unique identifier of the table | String |
| Schema | The ID of the schema to use for parsing input data | String |
| LogTypeMap | A mapping of log schema fields to match against this table | Object, see below |
| Filename* | The relative path to the data file. Cannot be used with Refresh | String |
| Refresh* | The configuration of the S3 Sync functionality. Cannot be used with Filename | Object, see below |
| Description | A brief description of the table | String |
| Reference | An optional reference link | String |
LogTypeMap Specification
LogTypeMap should be an object with the following fields:

| Field name | Description | Expected value |
| --- | --- | --- |
| PrimaryKey | Defines which column of the table to use for matching against events | String, number, or array (of strings or numbers). See Primary key data types |
| AssociatedLogTypes | A list of log types and the fields of each to use as Selectors. | List, see below. If you are using automatic log type/Selector designation, this can be an empty list. |
Each item of AssociatedLogTypes must be an object with the following fields:

| Field name | Description | Expected value |
| --- | --- | --- |
| LogType | The ID of the Log Schema | String |
| Selectors | A list of fields from the Log Type to be matched against the Primary Key | List of strings |
Refresh Specification
Refresh defines the configuration for an S3 Sync. It must be an object with the following fields:

| Field name | Description | Expected value |
| --- | --- | --- |
| RoleARN | The AWS ARN corresponding to the role Panther can assume to access the S3 object. | String |
| ObjectPath | A URI pointing to the file within the S3 bucket | String |
| PeriodMinutes | The number of minutes to wait between syncing with the S3 object | 15, 30, 60, 180 (3 hours), 720 (12 hours), or 1440 (24 hours) |
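The rules above can be checked before a spec is uploaded, for example in CI. The following is an added example, not Panther's own code: it lints a spec that has already been parsed into a dict, and the function name, sample LookupName, Schema, ARN and S3 path are constructed placeholders.

```python
# Added example: lint a parsed Lookup Table spec against the rules in this reference.
ALLOWED_PERIODS = {15, 30, 60, 180, 720, 1440}  # PeriodMinutes values listed above

def lint_lookup_spec(spec):
    """Return a list of problems; empty means none of the checked rules failed."""
    problems = []
    if spec.get("AnalysisType") != "lookup_table":
        problems.append("AnalysisType must be lookup_table")
    if "Filename" in spec and "Refresh" in spec:
        problems.append("Filename and Refresh are mutually exclusive")
    refresh = spec.get("Refresh")
    if isinstance(refresh, dict):
        for key in ("RoleARN", "ObjectPath", "PeriodMinutes"):
            if key not in refresh:
                problems.append(f"Refresh.{key} is missing")
        period = refresh.get("PeriodMinutes")
        if "PeriodMinutes" in refresh and (
                not isinstance(period, int) or period not in ALLOWED_PERIODS):
            problems.append(f"Refresh.PeriodMinutes {period!r} is not an allowed value")
    log_type_map = spec.get("LogTypeMap")
    if isinstance(log_type_map, dict):
        for key in ("PrimaryKey", "AssociatedLogTypes"):
            if key not in log_type_map:
                problems.append(f"LogTypeMap.{key} is missing")
        for i, item in enumerate(log_type_map.get("AssociatedLogTypes") or []):
            where = f"LogTypeMap.AssociatedLogTypes[{i}]"
            if not isinstance(item, dict):
                problems.append(f"{where} must be an object")
                continue
            if not isinstance(item.get("LogType"), str):
                problems.append(f"{where}.LogType must be a string")
            selectors = item.get("Selectors")
            if not (isinstance(selectors, list)
                    and all(isinstance(s, str) for s in selectors)):
                problems.append(f"{where}.Selectors must be a list of strings")
    return problems

# Constructed sample specs: every name, ARN and path here is a placeholder.
GOOD = {
    "AnalysisType": "lookup_table", "Enabled": True,
    "LookupName": "example_accounts", "Schema": "Custom.ExampleAccounts",
    "LogTypeMap": {"PrimaryKey": "accountID", "AssociatedLogTypes": [
        {"LogType": "AWS.CloudTrail", "Selectors": ["recipientAccountId"]}]},
    "Refresh": {"RoleARN": "arn:aws:iam::123456789012:role/ExampleLookupRole",
                "ObjectPath": "s3://example-bucket/lookups/accounts.csv",
                "PeriodMinutes": 60},
}
BAD = dict(GOOD, Filename="./accounts.csv",
           Refresh=dict(GOOD["Refresh"], PeriodMinutes=45))
```

Calling lint_lookup_spec(BAD) reports both the Filename/Refresh conflict and the unsupported 45-minute period, while GOOD returns an empty list.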