Do Panther enrichments happen for all events or only rule matches?

Last updated: January 23, 2026

QUESTION

Do enrichments happen for each incoming event? Or do they only happen for events which have matched a rule and triggered an alert? I may want to use a custom enrichment for filtering events which might be actionable.

ANSWER

Log events are enriched before being run through associated detections, but they are not enriched when stored in the data lake.

Enrichment happens before log events are sent to the detections engine, so every incoming log event with a match will be enriched. If a match is found, a p_enrichment field is appended to the event and can be accessed within a detection using deep_get. This is the structure of p_enrichment fields:

'p_enrichment': {
    <name of enrichment1>: {
        <name of selector>: {
            'p_match': <value of Selector>,
            <enrichment key>: <enrichment value>,
            ...
        }
    }
}

If you look at the log types associated with the enrichment, you can see what it is matching on. You can add mappings for your custom schemas there, or adjust them.

You can see this in practice in the screenshot below. For example, if you needed to grab the title string nested within p_enrichment in a detection, you would use deep_get(event, "p_enrichment", "1Password Translation", "item_uuid", "title").

Screen Shot 2022-06-24 at 3.48.26 PM.png
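
A detection that filters on enrichment data, built around the deep_get call above. This is an added example, not code from Panther: the local deep_get stand-in, the SENSITIVE_TITLES set and the sample events are assumptions constructed so that it runs offline.

```python
from functools import reduce

# Local stand-in for the deep_get helper used in Panther detections, defined
# here only so the example runs offline (assumption, not Panther's own code).
def deep_get(dictionary, *keys, default=None):
    value = reduce(
        lambda d, k: d.get(k) if isinstance(d, dict) else None, keys, dictionary
    )
    return default if value is None else value

# Hypothetical set of item titles considered actionable (assumption).
SENSITIVE_TITLES = {"AWS root account", "Prod database admin"}

def item_title(event):
    # Path: p_enrichment -> enrichment name -> selector name -> enrichment key
    return deep_get(event, "p_enrichment", "1Password Translation", "item_uuid", "title")

def rule(event):
    # An event whose selector value found no match has no p_enrichment field,
    # so the lookup has to tolerate missing keys instead of raising.
    title = item_title(event)
    return title is not None and title in SENSITIVE_TITLES

# Constructed sample events (not real log data).
ENRICHED_SENSITIVE = {
    "item_uuid": "uuid-0001",
    "p_enrichment": {
        "1Password Translation": {
            "item_uuid": {"p_match": "uuid-0001", "title": "AWS root account"}
        }
    },
}
ENRICHED_BENIGN = {
    "item_uuid": "uuid-0002",
    "p_enrichment": {
        "1Password Translation": {
            "item_uuid": {"p_match": "uuid-0002", "title": "Team wifi"}
        }
    },
}
UNMATCHED = {"item_uuid": "uuid-9999"}  # no enrichment match, no p_enrichment

if __name__ == "__main__":
    for name in ("ENRICHED_SENSITIVE", "ENRICHED_BENIGN", "UNMATCHED"):
        print(name, rule(globals()[name]))
```
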

The data in p_enrichment isn't stored in panther_logs because panther_logs tables are populated pre-enrichment. However, if a rule has a match and that event has enrichment data, then p_enrichment will be present in panther_rule_matches, because rule matches are generated after the enrichment and detections engine.

Signals queried from panther_signals.public.correlation_signals do contain enrichment data.

Prior to Panther version 1.116, custom enrichments were called Lookup Tables.