Why am I unable to access all the lookup table enrichment data in Panther when using deep_get?

Last updated: April 7, 2025

QUESTION

I tried to reference a value in the alert context using the following syntax:

deep_get(event, "p_enrichment", "okta-lookup", "p_any_emails[0]", "IsD")

However, this didn't work due to p_any_emails being a list. What is the correct syntax to access a value within a list?

ANSWER

deep_get only traverses dictionaries, so a key like "p_any_emails[0]" is looked up literally and never matches. Use deep_walk instead when the enrichment data contains nested lists: it applies the remaining keys to every element of the list and returns the value found, or a list of all distinct values when more than one row matched (for example, when several addresses in p_any_emails hit the lookup table). Here's how to access lookup table enrichment data in your detections:

In Alert Context:

def alert_context(event):
    return {
        "IsD": event.deep_walk(
            "p_enrichment", "okta-lookup", "p_any_emails", "IsD", default=False
        )
    }

In Severity Function:

def severity(event):
    # deep_walk returns a single value or, when several rows matched, a list.
    # A non-empty list is truthy, so this escalates if any matched row set IsD.
    is_d = event.deep_walk("p_enrichment", "okta-lookup", "p_any_emails", "IsD", default=False)
    return "High" if is_d else "Low"
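The following is an added, self-contained example (not Panther's code and not part of the original answer) that shows why the deep_get call from the question returns nothing while deep_walk returns the IsD flags. It re-implements simplified versions of the two helpers so it runs offline; in a real detection you would call event.deep_get and event.deep_walk as shown above. The lookup table name "okta-lookup", the field "IsD" and the sample events are assumed or constructed for illustration.

```python
from collections import OrderedDict
from collections.abc import Mapping, Sequence

# Constructed sample event shaped like an Okta log enriched by a lookup table
# keyed on the p_any_emails indicator. Because p_any_emails is a list, the
# enrichment under it is a list of matched rows, one per address.
FLAGGED_EVENT = {
    "actor": {"alternateId": "alice@example.com"},
    "p_any_emails": ["alice@example.com", "svc-bot@example.com"],
    "p_enrichment": {
        "okta-lookup": {
            "p_any_emails": [
                {"email": "alice@example.com", "IsD": False},
                {"email": "svc-bot@example.com", "IsD": True},
            ]
        }
    },
}

# Constructed event where the single matched row is not flagged.
UNFLAGGED_EVENT = {
    "p_any_emails": ["bob@example.com"],
    "p_enrichment": {
        "okta-lookup": {"p_any_emails": [{"email": "bob@example.com", "IsD": False}]}
    },
}

# Constructed event with no enrichment at all (lookup table did not match).
UNENRICHED_EVENT = {"p_any_emails": []}


def deep_get(obj, *keys, default=None):
    """Simplified stand-in for Panther's deep_get: dictionary-only traversal.
    A key such as "p_any_emails[0]" is looked up literally, so it never matches
    and the default comes back."""
    for key in keys:
        if not isinstance(obj, Mapping) or key not in obj:
            return default
        obj = obj[key]
    return obj


def deep_walk(obj, *keys, default=None, return_val="all"):
    """Simplified stand-in for Panther's deep_walk. Like deep_get, but when a
    list is met the remaining keys are applied to every element and the
    distinct results are collected. One hit is returned bare; several hits
    are returned as a list (or the first/last one if return_val says so)."""
    if not keys:
        return obj
    key, rest = keys[0], keys[1:]
    if isinstance(obj, Mapping):
        if key not in obj:
            return default
        return deep_walk(obj[key], *rest, default=default, return_val=return_val)
    if isinstance(obj, Sequence) and not isinstance(obj, str):
        found = OrderedDict()  # ordered set: dedupe while keeping order
        for item in obj:
            value = deep_walk(item, *keys, default=default, return_val=return_val)
            if value is None:
                continue
            if isinstance(value, Sequence) and not isinstance(value, str):
                for sub in value:
                    found[sub] = None
            else:
                found[value] = None
        values = list(found)
        if not values:
            return default
        if len(values) == 1:
            return values[0]
        return {"first": values[0], "last": values[-1]}.get(return_val, values)
    return default


def is_d_values(event):
    """All IsD flags the lookup matched, normalised to a list so the caller
    need not care whether deep_walk returned one value or several."""
    found = deep_walk(event, "p_enrichment", "okta-lookup", "p_any_emails", "IsD", default=False)
    return found if isinstance(found, list) else [found]


def severity(event):
    # Explicit "any matched row is flagged" semantics instead of relying on
    # list truthiness; all-False rows and missing enrichment both stay Low.
    return "High" if any(is_d_values(event)) else "Low"


def alert_context(event):
    return {
        "IsD": deep_walk(event, "p_enrichment", "okta-lookup", "p_any_emails", "IsD", default=False),
        # The question's original attempt, kept here to show it yields nothing.
        "deep_get_attempt": deep_get(event, "p_enrichment", "okta-lookup", "p_any_emails[0]", "IsD"),
    }


if __name__ == "__main__":
    for name, ev in [("flagged", FLAGGED_EVENT), ("unflagged", UNFLAGGED_EVENT), ("unenriched", UNENRICHED_EVENT)]:
        print(name, severity(ev), alert_context(ev))
```

The is_d_values wrapper is the practical takeaway: because deep_walk collapses a single hit to a bare value and returns a list only when several distinct values were found, wrapping the result before calling any() keeps the severity logic correct whether one address or many matched the lookup table.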