Can I onboard Enrichment data to Panther from S3 if my data is in a JSON array?
QUESTION
Can I onboard Enrichment data from S3 if my data is in a JSON array?
ANSWER
No, you cannot. If you are trying to onboard Enrichment data from S3, your logs have to appear in either JSONL or CSV format. They cannot be in a JSON array.
If it is possible for your organization, use third-party software (e.g., Cribl or Fluentd) to pre-process your logs before they are sent to S3. Only when you ingest from S3 can you use a JSON array.
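
The pre-processing step described above, as an added example (not Panther's code and not from the original article): a Python filter that turns a JSON array into JSONL before the file is uploaded to S3. The function name `to_jsonl` and the sample records are constructed for illustration, and the script assumes the input fits in memory.

```python
import json
import sys

# Constructed sample: a JSON array of enrichment records, one with an embedded newline.
SAMPLE = '[{"ip":"10.0.0.1","owner":"team-a"},\n {"ip":"10.0.0.2","owner":"team-b","note":"line1\\nline2"}]'


def to_jsonl(text: str) -> str:
    """Convert a JSON array (or pretty-printed / concatenated objects) to JSONL."""
    decoder = json.JSONDecoder()
    text = text.lstrip("\ufeff")  # drop a UTF-8 byte order mark if present
    records, pos, end = [], 0, len(text)
    while True:
        # raw_decode does not skip leading whitespace, so do it here
        while pos < end and text[pos].isspace():
            pos += 1
        if pos >= end:
            break
        value, pos = decoder.raw_decode(text, pos)
        # A top-level array contributes each element; a bare object contributes itself
        items = value if isinstance(value, list) else [value]
        for item in items:
            if not isinstance(item, dict):
                # Scalars or nested arrays cannot be rows of a lookup table
                raise ValueError(f"record is not a JSON object: {item!r}")
            records.append(item)
    # Compact output, exactly one object per line; json.dumps escapes
    # newlines inside string values, so a record never spans two lines.
    return "".join(
        json.dumps(r, separators=(",", ":"), ensure_ascii=False) + "\n"
        for r in records
    )


if __name__ == "__main__":
    # Usage: python to_jsonl.py < array.json > enrichment.jsonl
    sys.stdout.write(to_jsonl(sys.stdin.read()))
```

Input that is already JSONL passes through unchanged apart from compact formatting, so the filter is safe to run on every file before upload.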