# Lookup Table Enrichment Lookup table enrichment enhances your log data by adding contextual information from external sources during ingestion. This allows you to correlate log events with additional data that wasn't available at the point of logging. Scanner supports two types of lookup tables for enrichment: * **Custom Lookup Tables**\ Custom lookup tables let you enrich your logs with organizational context **during ingestion**. By adding business-specific data to your logs as they're indexed, you can: * **Create more meaningful detection rules** based on user roles, asset criticality, or business context * **Investigate faster** with organizational data already in your logs * **Filter and search** by business attributes like department, asset owner, or location * **Reduce context-switching** — no need to cross-reference external systems during investigations Upload CSV files containing reference data (user directories, asset inventories, network mappings, etc.) and use them in transformations to enrich logs during ingestion. * **Threat Intelligence**\ Automatically-synced feeds from threat intelligence providers that flag known malicious indicators in your logs --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-transformation-and-enrichment/lookup-table-enrichment.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.