I'm looking for p_enrichment data and the field does not appear in any of the logs. I've checked multiple log sources and it seems missing from all of them.
In the Data Explorer, search the panther_rule_matches database with a query like this one:

SELECT * FROM panther_rule_matches.public.<YOUR_LOG_SOURCE> WHERE p_occurs_since('2 weeks') LIMIT 10;

Replace <YOUR_LOG_SOURCE> with the name of your log source, for example aws_cloudtrail or okta_systemlog.

If enrichment is configured correctly, you will find the p_enrichment field in the rule matches, not the logs themselves. If they're not there, see our enrichment troubleshooting guide here.
Logs enter Panther via the ingestion process, after which point they are searchable in the panther_logs database. Ingestion does not involve enrichment, so the items in panther_logs don't include p_enrichment. Later, when rules (regular or scheduled) are run by the detections engine, enrichment is added to the panther_rule_matches database for any logs that match those rules.
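A follow-up check that builds on the answer above, as an added example rather than a query from the original post: it counts, per rule, how many recent matches in panther_rule_matches carry a p_enrichment value, so an enrichment that is configured but never matching a lookup table shows up as a rule with matches but zero enriched rows. It assumes the aws_cloudtrail source, the p_rule_id column on rule-match tables, and that rows without enrichment leave p_enrichment null.

```sql
-- Added example (not from the original post). Assumes the aws_cloudtrail
-- rule-matches table, a p_rule_id column, and that unenriched matches
-- have a NULL p_enrichment column.
SELECT
    p_rule_id,
    COUNT(*) AS matches,
    -- SUM(CASE ...) rather than COUNT_IF so the query is portable
    -- across the SQL backends Data Explorer may run on.
    SUM(CASE WHEN p_enrichment IS NOT NULL THEN 1 ELSE 0 END) AS enriched_matches
FROM panther_rule_matches.public.aws_cloudtrail
WHERE p_occurs_since('2 weeks')
GROUP BY p_rule_id
ORDER BY enriched_matches DESC, matches DESC;
```

A rule with a large matches count and enriched_matches of 0 means the detection fired but no lookup-table key matched those events, which points at the enrichment configuration (selectors or table contents) rather than at ingestion.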