When creating a Lookup Table that syncs from S3, you may notice that many or all log types appear in the Associated Log Types (Optional) section, even after deleting them and saving again, alongside the mappings that you have performed on your own. This is a feature that performs an automatic mapping between the Log Types and the Selectors.

What is this Automatic Mapping?

Automatic mapping is a feature that automatically associates Log Types with the corresponding Selectors based on the presence of p_any fields. Kindly note that even if you manually choose Log Types and Selectors, the automatic mappings will still be applied. This feature is designed to enhance the functionality of Lookup Tables without requiring manual configuration for each log type.

For each log type, Panther finds all the Active log schemas (or log types) that designate any event field as that same indicator, associates those log types to the Lookup Table, and sets the p_any field associated with the indicator as a Selector.

For example, if your Lookup Table data's schema designates an address field (which has also been set as the primary key) as an ip indicator, all log types in your Panther instance that also set an ip indicator will be associated to the Lookup Table, each with a p_any_ip_addresses Selector.

Key Points to Remember

Additional Resources

For more information on Lookup Tables and this automatic mapping, please refer to the following sections from our documentation:

If you have any questions or encounter unexpected behavior with this feature, please don't hesitate to contact our support team for assistance.