Lookup Table Enrichment

Lookup table enrichment enhances your log data by adding contextual information from external sources during ingestion. This allows you to correlate log events with additional data that wasn't available at the point of logging.

Scanner supports two types of lookup tables for enrichment:

  • Custom Lookup Tables: Custom lookup tables let you enrich your logs with organizational context during ingestion. By adding business-specific data to your logs as they're indexed, you can:

    • Create more meaningful detection rules based on user roles, asset criticality, or business context

    • Investigate faster with organizational data already in your logs

    • Filter and search by business attributes like department, asset owner, or location

    • Reduce context-switching — no need to cross-reference external systems during investigations

    Upload CSV files containing reference data (user directories, asset inventories, network mappings, etc.) and use them in transformations to enrich logs during ingestion.

  • Threat Intelligence: Automatically synced feeds from threat intelligence providers that flag known malicious indicators in your logs.
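
The two kinds of enrichment described above, sketched in plain Python as an added example (this is not Scanner's transformation syntax and not code from these docs): a CSV user directory and a small indicator set are joined onto events at ingestion, so a detection can rely on role and threat intelligence context directly. The CSV columns, event field names, indicator set and helper functions are all assumptions made for illustration.

```python
import csv
import io

# Constructed sample lookup table (a user directory exported as CSV).
USER_DIRECTORY_CSV = """email,department,role,location
alice@example.com,Finance,admin,Berlin
bob@example.com,Engineering,developer,Austin
"""
# Constructed sample threat intelligence indicators (documentation-range IP).
THREAT_INTEL_IPS = {"203.0.113.50": "constructed-feed"}

def load_lookup(csv_text, key_column):
    """Index CSV rows by a normalized key column for constant-time lookups."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = row.pop(key_column).strip().lower()
        table[key] = {k: v.strip() for k, v in row.items()}
    return table

def enrich(event, users, intel):
    """Return a copy of the event with lookup context under prefixed fields."""
    out = dict(event)
    match = users.get(str(event.get("user", "")).strip().lower())
    # Record misses explicitly so unknown users are searchable, not silent.
    out["user_lookup_matched"] = match is not None
    if match:
        # Prefix added fields so they never overwrite original log fields.
        out.update({f"user_{k}": v for k, v in match.items()})
    feed = intel.get(event.get("src_ip"))
    out["threat_intel_match"] = feed is not None
    if feed:
        out["threat_intel_feed"] = feed
    return out

def admin_from_flagged_ip(event):
    """Example detection that relies only on enriched fields."""
    return event.get("user_role") == "admin" and event["threat_intel_match"]

USERS = load_lookup(USER_DIRECTORY_CSV, "email")
# Constructed sample log events.
EVENTS = [
    {"user": "Alice@Example.com", "src_ip": "203.0.113.50", "action": "login"},
    {"user": "bob@example.com", "src_ip": "198.51.100.7", "action": "login"},
    {"user": "mallory@example.net", "src_ip": "203.0.113.50", "action": "login"},
]
ENRICHED = [enrich(e, USERS, THREAT_INTEL_IPS) for e in EVENTS]
ALERTS = [e for e in ENRICHED if admin_from_flagged_ip(e)]
```

The third event shows the miss case: the user is not in the directory, so no `user_*` fields are added and `user_lookup_matched` is false, while the indicator match is still recorded.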
