Troubleshooting null and empty enrichment/Lookup Tables in Panther
QUESTION
How do I troubleshoot issues with thep_enrichment field being empty or null instead of displaying Lookup Table data in Panther?
ANSWER
Null p_enrichment field
Note that a p_enrichment with an empty dictionary, {}, is not the same as one that is null. The empty dictionary means there weren't any matches in the Lookup Tables, while null means that Panther was unable to determine which Lookup Tables to use.
The most common causes of a null p_enrichment are:
- The log type isn't specified. To resolve this, check the following:
- Ensure the log has the
p_log_typefield set. If you're using a unit test, make sure your test JSON includes a line like the following. Change "AWS_CloudTrail" to whatever log type you're using. For example:"p_log_type": "AWS_CloudTrail" - Make sure that there are Lookup Tables associated with the Log Type.
- Ensure the log has the
- You created a schema and associated it with a Lookup Table. Afterward, you edited the schema and added a new field.
- The new field is returning null. To resolve this issue please delete the lookup table, and make a new one with the same name.
- Switching the schema attached to the Lookup Table, saving and switching back to the modified schema will also fix this issue.
- The new field is returning null. To resolve this issue please delete the lookup table, and make a new one with the same name.
- The test data did not contain
p_enrichment.- For information on this issue relating to GreyNoise, please see this article: Testing a rule with GreyNoise enrichment in Panther returns null values in the alert context.
Empty p_enrichment field
Please check the following:
- Is the enrichment source (GreyNoise or Lookup Table) set up to use the log type the event came from?
- If the IP you're searching for hasn't been detected by GreyNoise, then the enrichment returns null, and the
p_enrichmentfield is left empty. You can check if GreyNoise has detected a particular IP by visiting their online tool here. - In the enrichment source configuration, is the selector (Log Attribute) defined properly? Note that if the field is nested in a JSON object, the selector must start with
$..- For example, if you want
event['client']['ip'], you need to write$.client.ip.
- For example, if you want
- Does the selector value in the event have an entry in the enrichment source?
- This is especially important with GreyNoise. If the IP you're searching for hasn't been detected by GreyNoise, then the enrichment returns null, and the
p_enrichmentfield is left empty. You can check if GreyNoise has detected a particular IP by visiting their online tool here.
- This is especially important with GreyNoise. If the IP you're searching for hasn't been detected by GreyNoise, then the enrichment returns null, and the
If you've checked the suggestions above and continue to experience this issue, please reach out to our support team. In your ticket, include:
- A copy of the event not being enriched.
- A copy of the Lookup Table, if possible.