How can I use Data Explorer to view lookup table enrichment data?
Lookup table data can be found using Panther's panther_lookups database in Data Explorer.
To view the lookup table data in conjunction with the log event data (panther_logs), you can use a SQL JOIN on the two databases. Here's an example with the 1Password logs and lookup table:
with logs as (
    select *
    from panther_logs.public.onepassword_itemusage
    where p_occurs_since('48 hours') -- change timing as needed
),
lookup as (
    select *
    from panther_lookups.public.YOUR_LOOKUPTABLE_NAME
)
select logs.p_event_time, logs.client:ip_address, logs.user:name, logs.item_uuid, lookup.title
from logs
join lookup on logs.item_uuid = lookup.item
order by logs.p_event_time desc
If you're not using Snowflake, omit public from your database titles.