Panther Knowledge Base

Enrichment data field p_enrichment missing from log database

Issue

I'm looking for p_enrichment data and the field does not appear in any of the logs. I've checked multiple log sources and it seems missing from all of them.

Resolution

In the Data Explorer, search the panther_rule_matches database, with a query like this one:

SELECT * FROM panther_rule_matches.public.<YOUR_LOG_SOURCE> WHERE p_occurs_since('2 weeks') LIMIT 10;

Replace <YOUR_LOG_SOURCE> with the name of your log source table, for example aws_cloudtrail or okta_systemlog.
If enrichment is configured correctly, the p_enrichment field appears on the rule matches, not on the raw log rows in panther_logs. If it is missing from the rule matches as well, see our enrichment troubleshooting guide here.
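The query above only lets you eyeball ten rows. The following query is an added example, not part of the Panther article, that counts how many recent rule matches actually carry enrichment and which enrichment source (top-level key of p_enrichment) and rule produced them. It assumes a Snowflake-backed data lake (for LATERAL FLATTEN), the aws_cloudtrail rule-match table as a stand-in for your own log source, and that p_enrichment is an object keyed by lookup table name.

```sql
-- Added example (not from the Panther article). Assumes a Snowflake data lake
-- and the aws_cloudtrail rule-match table; substitute your own log source.
-- p_enrichment is assumed to be an object whose top-level keys are the names of
-- the lookup tables (enrichment sources) that matched the event.
SELECT
    p_rule_id,                                   -- rule that produced the match
    enrich.key   AS enrichment_source,           -- lookup table that supplied data
    COUNT(*)     AS enriched_matches
FROM panther_rule_matches.public.aws_cloudtrail,
     LATERAL FLATTEN(input => p_enrichment) enrich   -- one row per enrichment key
WHERE p_occurs_since('2 weeks')
  AND p_enrichment IS NOT NULL                   -- skip matches with no enrichment
GROUP BY 1, 2
ORDER BY 3 DESC;
```

If this returns no rows while the SELECT * query above does return matches, the rules are firing but no lookup table is matching the event fields, which points at the enrichment configuration (selectors or lookup table keys) rather than at ingestion.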

Cause

Logs enter Panther through the ingestion pipeline, after which they are searchable in the panther_logs database. Ingestion does not perform enrichment, so rows in panther_logs never carry a p_enrichment field. Enrichment is applied later, when the detections engine evaluates rules (real-time or scheduled) against those logs; the enriched events for any log that matches a rule are written to the panther_rule_matches database, which is the only place p_enrichment is stored.