How can I view Panther Lookup Table enrichment data in Data Explorer?
How can I use Data Explorer to view lookup table enrichment data?
Lookup table data can be found using Panther's panther_lookups database in Data Explorer.
To view the lookup table data in conjunction with the log event data (panther_logs), you can use a SQL JOIN on the two databases. Here's an example with the 1Password logs and lookup table:
with logs as (
    select *
    from panther_logs.public.onepassword_itemusage
    where p_occurs_since('48 hours') -- change timing as needed
),
lookup as (
    select *
    from panther_lookups.public.YOUR_LOOKUPTABLE_NAME
)
select
    logs.p_event_time,
    logs.client:ip_address,
    logs.user:name,
    logs.item_uuid,
    lookup.title
from logs
join lookup on logs.item_uuid = lookup.item
order by logs.p_event_time desc
If you're not using Snowflake, omit public from your database titles.