Lookup Table Specification Reference
The following is a complete list of Lookup Table specification fields. Field names in bold are required. An asterisk (*) indicates that 2 fields are mutually exclusive.
Field Name | Description | Expected Value |
---|---|---|
| Indicates that this is a Lookup Table | |
| Whether this table is enabled | Boolean |
| The unique identifier of the table | String |
| The ID of the schema to use for parsing input data | String |
| A mapping of log schema fields to match against this table | Object, see below |
| The relative path to the data file. Cannot be used with Refresh! | String |
| The configuration of the S3 Sync functionality. Cannot be used with Filename! | Object, see below |
| A brief description of the table | String |
| An optional reference link | String |
LogTypeMap Specification
LogTypeMap should be an object with the following fields:
Field Name | Description | Expected Value |
---|---|---|
| Defines which column of the table to use for matching against events | String, number, or array (of strings or numbers). See Primary key data types |
| A list of Log Types and the fields of each to use as Selector Keys | List, see below |
Each item of AssociatedLogTypes must be an object with the following fields:
Field Name | Description | Expected Value |
---|---|---|
| The ID of the Log Schema | String |
| A list of fields from the Log Type to be matched against the Primary Key | List of strings |
Refresh Specification
Refresh defines the configuration for an S3 Sync. It must be an object with the following fields:
Field Name | Description | Expected Value |
---|---|---|
| The AWS ARN corresponding to the role Panther can assume to access the S3 object. | String |
| A URI pointing to the file within the S3 bucket | String |
| The number of minutes to wait between syncing with the S3 object | |
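The constraints in the tables above can be checked before a spec is uploaded. The following lint function is an added example, not Panther's own code; it works on a spec already parsed into a dict. The field names RoleARN, ObjectPath, PeriodMinutes, LogType and Selectors are not printed on this page and are assumptions, as is the positive-integer rule for the sync period.

```python
import re

# Assumed field names (not printed on this page): RoleARN, ObjectPath,
# PeriodMinutes, LogType, Selectors.
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")
S3_URI = re.compile(r"^s3://[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]/.+$")

def lint_lookup_spec(spec):
    """Return a list of problems in a parsed Lookup Table spec (a dict)."""
    errors = []
    # Filename and Refresh are mutually exclusive data sources.
    if "Filename" in spec and "Refresh" in spec:
        errors.append("Filename cannot be used with Refresh")
    # Filename is documented as a relative path.
    if str(spec.get("Filename", "")).startswith("/"):
        errors.append("Filename must be a relative path")
    if "Refresh" in spec:
        refresh = spec["Refresh"] if isinstance(spec["Refresh"], dict) else {}
        if not ROLE_ARN.match(str(refresh.get("RoleARN", ""))):
            errors.append("Refresh.RoleARN is not an IAM role ARN")
        if not S3_URI.match(str(refresh.get("ObjectPath", ""))):
            errors.append("Refresh.ObjectPath is not an s3:// object URI")
        minutes = refresh.get("PeriodMinutes")
        # Assumption: the period is a positive whole number of minutes.
        if isinstance(minutes, bool) or not isinstance(minutes, int) or minutes <= 0:
            errors.append("Refresh.PeriodMinutes must be a positive integer")
    log_map = spec.get("LogTypeMap")
    items = log_map.get("AssociatedLogTypes", []) if isinstance(log_map, dict) else []
    for i, item in enumerate(items):
        sel = item.get("Selectors") if isinstance(item, dict) else None
        if not (isinstance(item, dict) and isinstance(item.get("LogType"), str)
                and isinstance(sel, list) and sel
                and all(isinstance(s, str) for s in sel)):
            errors.append(f"AssociatedLogTypes[{i}] needs LogType and Selectors")
    return errors

# Constructed sample specs (account ID, role and bucket names are placeholders).
GOOD = {
    "Refresh": {"RoleARN": "arn:aws:iam::123456789012:role/example-lookup-reader",
                "ObjectPath": "s3://example-bucket/lookups/accounts.csv",
                "PeriodMinutes": 60},
    "LogTypeMap": {"AssociatedLogTypes": [
        {"LogType": "AWS.CloudTrail", "Selectors": ["recipientAccountId"]}]},
}
BAD = dict(GOOD, Filename="/tmp/accounts.csv",
           Refresh={"RoleARN": "arn:aws:iam::123456789012:user/alice",
                    "ObjectPath": "https://example-bucket/accounts.csv",
                    "PeriodMinutes": 0})

if __name__ == "__main__":
    for name, spec in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_lookup_spec(spec) or "ok")
```

Checking that the role ARN names a role rather than a user, and that the object path is an s3:// URI, catches a sync that would otherwise fail only when Panther first tries to assume the role.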