How can I test if enrichment is working correctly in Panther?
QUESTION
I just created a Lookup Table. How can I test that it is properly enriching incoming logs without actually ingesting data?
ANSWER
Panther provides a built in method to conveniently test that enrichment is working as expected. This feature is the "Enrich Test Data" button that can be found when editing test cases in the Detection editor.
To access this "Enrich Test Data" button:
- Navigate to Build > Detections.
- Click Create New.
- Click on the Functions & Tests tab. Scroll down to the tests section, and click Create Test.
- Here you can enter a sample JSON payload of what an incoming log might look like, and then you can click the "Enrich Test Data" button which will attempt to use your Lookup Table to provide a
p_enrichmentfield directly into the JSON editor so you can visualize the structure of the enrichment data.
- Here you can enter a sample JSON payload of what an incoming log might look like, and then you can click the "Enrich Test Data" button which will attempt to use your Lookup Table to provide a
In the following two screenshots you can see an example of how this works:
The first screenshot shows a sample log where we provide an IP address that we hope to match with extra enriched information from our Lookup Table. Note that it is also important here to specify the p_log_type so that Panther knows which Lookup Table to try to get the enrichment from. If you don't specify the p_log_type, the enrichment data will not show up in this test.
Next, we click the "Enrich Test Data" button and then we see the p_enrichment show up in our editor:
