Skip to main content
Panther Knowledge Base

Why is p_enrichment null in my Panther event?

  1. Last updated
  2. Save as PDF

QUESTION

I tried to enrich an event in Panther, but the p_enrichment field shows a value of null instead of Lookup Table data. Why?

ANSWER

The most common cause of a null p_enrichment is that the log type isn't specified. To remedy this, check the following:

  • Ensure the log has the p_log_type field set. If you're using a unit test, make sure your test JSON includes a line like the following. Change "AWS_CloudTrail" to whatever log type you're using.
"p_log_type": "AWS_CloudTrail"
  • Make sure that there are Lookup Tables associated with the Log Type.

Note that a p_enrichment with an empty dictionary, {}, is not the same as one that is null. The empty dictionary means there weren't any matches in the Lookup Tables, while null means that Panther was unable to determine which Lookup Tables to use.

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Page type
    Topic
  2. Tags
    This page has no tags.