Troubleshooting null and empty enrichment/Lookup Tables in Panther

Last updated: December 1, 2025

QUESTION

How do I troubleshoot issues with the p_enrichment field being empty or null instead of displaying Lookup Table data in Panther?

ANSWER

Null p_enrichment field

Note that a p_enrichment with an empty dictionary, {}, is not the same as one that is null. The empty dictionary means there weren't any matches in the Lookup Tables, while null means that Panther was unable to determine which Lookup Tables to use.

The most common causes of a null p_enrichment are: 

  • The log type isn't specified. To resolve this, check the following:

    • Ensure the log has the p_log_type field set. If you're using a unit test, make sure your test JSON includes a line like the following, changing "AWS_CloudTrail" to whatever log type you're using: "p_log_type": "AWS_CloudTrail"

    • Make sure that there are Lookup Tables associated with the Log Type.

Empty p_enrichment field

Please check the following:

  • Is the enrichment source set up to use the log type the event came from?

  • If the IP you're searching for hasn't been detected by GreyNoise, then the enrichment returns null, and the p_enrichment field is left empty. You can check whether GreyNoise has detected a particular IP by using their online tool.

  • In the enrichment source configuration, is the selector (Log Attribute) defined properly? Note that if the field is nested in a JSON object, the selector must start with "$." (a dollar sign followed by a period).

    • For example, if you want event['client']['ip'], you need to write $.client.ip.

  • Does the selector value in the event have an entry in the enrichment source?
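The checks from both sections above can be run against a copy of the event before opening a ticket. The following is an added example, not Panther code: the TABLES dictionary, the "known_hosts" table, the "Example_LogType" name and the sample events are constructed, and the selector handling is a simplified model of the rule described above (nested fields need a selector starting with "$.").

```python
# Added example; TABLES is a constructed stand-in for Lookup Table
# configuration, and selector handling is a simplified model, not Panther's code.
TABLES = {
    "known_hosts": {"log_types": ["AWS_CloudTrail"], "selector": "$.client.ip",
                    "rows": {"10.0.0.5": {"owner": "build-server"}}},
}

def resolve_selector(event, selector):
    """'$.a.b' walks nested keys; any other selector is a top-level field name."""
    path = selector[2:].split(".") if selector.startswith("$.") else [selector]
    node = event
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def triage(event, tables=TABLES):
    """Return (state, findings) explaining why p_enrichment is null or empty."""
    enrichment = event.get("p_enrichment")  # a missing key is treated as null
    state = "null" if enrichment is None else ("empty" if enrichment == {} else "populated")
    log_type = event.get("p_log_type")
    if not log_type:
        return state, ["p_log_type is not set on the event"]
    matching = {n: t for n, t in tables.items() if log_type in t["log_types"]}
    if not matching:
        return state, [f"no Lookup Table is associated with log type {log_type}"]
    findings = []
    for name, table in matching.items():
        value = resolve_selector(event, table["selector"])
        if value is None or isinstance(value, (dict, list)):
            findings.append(f"{name}: selector {table['selector']} matched no field")
        elif value not in table["rows"]:
            findings.append(f"{name}: no entry for {value!r}")
        else:
            findings.append(f"{name}: entry exists for {value!r}")
    return state, findings

if __name__ == "__main__":
    samples = [  # constructed events
        {"client": {"ip": "10.0.0.5"}, "p_enrichment": None},
        {"p_log_type": "AWS_CloudTrail", "client": {"ip": "10.9.9.9"}, "p_enrichment": {}},
    ]
    for sample in samples:
        print(triage(sample))
```
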

If you've checked the suggestions above and continue to experience this issue, please reach out to our support team. In your ticket, include:

  • A copy of the event not being enriched.

  • A copy of the Lookup Table, if possible.