Why does Panther enrichment have an empty dictionary for my log event?
QUESTION
I set up an enrichment source in Panther, but my event(s) have an empty p_enrichment field: {}
ANSWER
Note: If p_enrichment is null, please see this article: Why is p_enrichment null in my Panther event?
An empty p_enrichment field can be due to a few things. Please check the following:
- Is the enrichment source (GreyNoise or Lookup Table) set up to use the log type the event came from?
- In the enrichment source configuration, is the selector (Log Attribute) defined properly? Note that if the field is nested in a JSON object, the selector must start with $. For example, if you want event['client']['ip'], you need to write $.client.ip.
- Does the selector value in the event have an entry in the enrichment source?
  - This is especially important with GreyNoise. If the IP you're searching for hasn't been detected by GreyNoise, then the enrichment returns null, and the p_enrichment field is left empty. You can check if GreyNoise has detected a particular IP by visiting their online tool here.
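To see how each item on that checklist produces an empty p_enrichment, here is an added example (not Panther's own code) that models selector resolution and Lookup Table matching with simplified, assumed rules; the sample event, table and output shape are constructed for illustration.

```python
# Added example (not Panther's own code): a simplified model of how an
# enrichment selector is resolved against an event and matched to a Lookup
# Table, so each reason for an empty p_enrichment can be reproduced.
# The matching rules and the output shape are assumptions for illustration.

def resolve_selector(event: dict, selector: str):
    """Resolve '$.client.ip' style selectors against a nested event.

    Returns the value or None. A top-level field may be named directly;
    a nested field needs the '$.' prefix (a bare 'client.ip' is a miss).
    """
    if selector.startswith("$."):
        parts = selector[2:].split(".")
    elif "." in selector:
        return None
    else:
        parts = [selector]
    node = event
    for part in parts:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def diagnose(event: dict, log_type: str, source: dict) -> str:
    """Return the failing checklist item: 'log_type', 'selector', 'no_entry' or 'ok'."""
    if log_type not in source["log_types"]:
        return "log_type"
    key = resolve_selector(event, source["selector"])
    if key is None:
        return "selector"
    if key not in source["table"]:
        return "no_entry"
    return "ok"


def enrich(event: dict, log_type: str, source: dict) -> dict:
    """Build p_enrichment: empty dict on any miss, else the matched row."""
    if diagnose(event, log_type, source) != "ok":
        return {}
    key = resolve_selector(event, source["selector"])
    return {source["name"]: {source["selector"]: source["table"][key]}}


# Constructed sample data (documentation IP range, not real events).
SAMPLE_EVENT = {"client": {"ip": "203.0.113.7"}, "action": "login"}
SAMPLE_SOURCE = {"name": "asset_owners", "log_types": {"Custom.App"},
                 "selector": "$.client.ip",
                 "table": {"203.0.113.7": {"owner": "lab-vpn"}}}
```

Running diagnose with the selector changed to a bare client.ip, or with a log type the source is not enabled for, shows which checklist item is responsible before opening a ticket.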
If you've checked the above, and still can't figure out why it's not working, please reach out to our support team. In your ticket, include:
- The answers (yes or no) to each of the points above.
- A copy of the event not being enriched.
- A copy of the Lookup Table, if possible.