When creating a Lookup Table that syncs from S3, you may notice that many or all log types appear in the Associated Log Types (Optional) section, alongside the mappings that you configured yourself, even after you delete them and save again. This is caused by a feature that automatically maps Log Types to Selectors.
Automatic mapping associates Log Types with the corresponding Selectors based on the presence of p_any fields. Note that even if you manually choose Log Types and Selectors, the automatic mappings will still be applied. This feature is designed to enhance the functionality of Lookup Tables without requiring manual configuration for each log type.
For each log type, Panther finds all the Active log schemas (or log types) that designate any event field as that same indicator, associates those log types to the Lookup Table, and sets the p_any field associated with the indicator as a Selector.
For example, if your Lookup Table data's schema designates an address field (which has also been set as the primary key) as an ip indicator, all log types in your Panther instance that also set an ip indicator will be associated to the Lookup Table, each with a p_any_ip_addresses Selector.
The automatic mapping only applies to p_any fields.
This feature does not affect your existing workflows or configurations.
The automatically mapped log types will appear alongside any manually configured log types.
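The following Python sketch is an added illustration of the behavior described above, not Panther's own code. It models why automatically mapped log types reappear after every save and sit alongside manual mappings; the schema dictionaries, the Custom.* log type names and all function names are hypothetical.

```python
# Illustrative model of the automatic mapping; not Panther's implementation.
# Indicator -> p_any Selector. Only the ip pairing is stated on this page.
P_ANY_FIELD = {"ip": "p_any_ip_addresses"}

def primary_key_indicators(lut_schema):
    """Indicators designated on the Lookup Table's primary key field."""
    for field in lut_schema["fields"]:
        if field["name"] == lut_schema["primary_key"]:
            return set(field.get("indicators", []))
    return set()

def automatic_mappings(lut_schema, log_schemas):
    """Active log types sharing an indicator with the primary key -> Selectors."""
    wanted = primary_key_indicators(lut_schema)
    result = {}
    for log_type, schema in log_schemas.items():
        if not schema["active"]:
            continue  # only Active schemas are considered
        found = {i for f in schema["fields"] for i in f.get("indicators", [])}
        selectors = sorted(P_ANY_FIELD[i] for i in wanted & found if i in P_ANY_FIELD)
        if selectors:
            result[log_type] = selectors
    return result

def effective_mappings(manual, lut_schema, log_schemas):
    """Manual mappings plus the automatic ones, which are applied on every save."""
    merged = {log_type: list(sels) for log_type, sels in manual.items()}
    for log_type, sels in automatic_mappings(lut_schema, log_schemas).items():
        current = merged.setdefault(log_type, [])
        current.extend(s for s in sels if s not in current)
    return merged

# Constructed sample data: every schema and log type name below is hypothetical.
LUT_SCHEMA = {"primary_key": "address",
              "fields": [{"name": "address", "indicators": ["ip"]}, {"name": "owner"}]}
LOG_SCHEMAS = {
    "Custom.WebProxy": {"active": True, "fields": [{"name": "client", "indicators": ["ip"]}]},
    "Custom.AuthEvents": {"active": True, "fields": [{"name": "src", "indicators": ["ip"]},
                                                     {"name": "user", "indicators": ["email"]}]},
    "Custom.Inventory": {"active": True, "fields": [{"name": "hostname"}]},
    "Custom.Retired": {"active": False, "fields": [{"name": "src", "indicators": ["ip"]}]},
}

if __name__ == "__main__":
    # Saving with no manual mappings still yields the automatic associations.
    print(effective_mappings({}, LUT_SCHEMA, LOG_SCHEMAS))
    print(effective_mappings({"Custom.Inventory": ["hostname"]}, LUT_SCHEMA, LOG_SCHEMAS))
```

In this model, a log type without a matching indicator appears only if it is mapped manually, and an inactive schema is never associated automatically.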
For more information on Lookup Tables and this automatic mapping, please refer to the following sections from our documentation:
If you have any questions or encounter unexpected behavior with this feature, please don't hesitate to contact our support team for assistance.