How can I view Panther Lookup Table enrichment data in Data Explorer?
ANSWER
Lookup table data can be found using Panther's panther_lookups database in Data Explorer.
To view the lookup table data in conjunction with the log event data (panther_logs), you can use a SQL JOIN on the two databases. Here's an example with the 1Password logs and lookup table:
with logs as
(select * from panther_logs.public.onepassword_itemusage where p_occurs_since('48 hours')), -- change timing as needed
lookup as (select * from panther_lookups.public.YOUR_LOOKUPTABLE_NAME)
select logs.p_event_time, logs.client:ip_address, logs.user:name, logs.item_uuid, lookup.title
from logs join lookup on logs.item_uuid = lookup.item
order by logs.p_event_time desc
If you're not using Snowflake, omit public from your database titles.