Lookups

Lookups are dictionaries of entities with attributes that are relevant either for parsing or for detection of cybersecurity incidents.

Lookups can be:

  • A simple list of suspicious IP addresses, active VPN connections, etc.
  • Dictionaries of user names with user attributes like user.id, user.email, etc.
  • Dictionaries of compound keys like IP address and user name combinations for monitoring user activity.

What do lookups do?

Lookups, being like dictionaries, contain additional useful information about the data you already have that can make your logs more informative and valuable.

A simple example:
Your organization has logs about sent emails, which include the email address of the sender. However, you want the logs in your LogMan.io UI to include the sender's name, not just their email address. So you create a lookup in which each item maps an employee's email address to the employee's name. If you use this lookup in the enrichment part of the parsing process, the parser "looks up" the employee's name by their email address in this dictionary-like lookup and includes the employee's name in the log.

Quickstart

In order to set up lookups:

  1. Create a lookup declaration in the LogMan.io Library (the lookup description)
  2. Create the lookup and its content in the Lookups section in the UI (the lookup content)
  3. Add the lookup to the relevant parsing and/or correlation rules in the Library (the lookup application)

Note

Make sure all relevant components are deployed, see Deployment.

Declarations

All lookups are defined by their declarations stored in the /Lookups folder.

The naming convention for declarations is lookupname.yaml, for instance myuserlookup.yaml:

---
define:
    type: lookup
    name: myuserlookup

keys:
    - name: userid
      type: str

fields:
    username:
        type: str

In define, specify the lookup type and the lookup name (tenant information is added automatically). In keys, specify the key names (optional) and their types. In fields, specify the output record structure. The record structure is NOT based on a schema and should NOT contain periods.

Note

Names of keys and fields cannot contain special characters like a period, etc.

Lookup types

Generic lookups

Generic lookups serve to create a list of keys or of key-value pairs. The type in the define section of the declaration is just lookup:

---
define:
    type: lookup
    ...

When it comes to parsing, generic lookups can be used only in the standard enricher with the !LOOKUP expression.

For more information about generic Lookups, see Generic Lookups.

IP address lookups

IP address Range Lookup

IP address Range Lookup uses the IP address ranges, such as 192.168.1.1 to 192.168.1.10, as keys.

The declaration of an IP address range lookup must contain type lookup/ipaddressrange in the define section and two keys with type ip in the keys section:

define:
  type: lookup/ipaddressrange
  name: mylookup
  group: mygroup

keys:
  - name: range1
    type: ip
  - name: range2
    type: ip

fields:
  ...

Single IP address lookup

A single IP address lookup is a lookup that has exactly one IP address key with type ip, which can be associated with an optional and variable number of attributes, defined by zero or more entries under fields.

In order to use single IP lookups together with the following enrichers, the type of the lookup in the define section must always be lookup/ipaddress.

---
define:
  type: lookup/ipaddress
  name: mylookup
  group: mygroup

keys:
  - name: sourceip
    type: ip

fields:
  ...

For more information about IP address lookups, see IP Address Lookups.
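To make the declaration semantics above concrete, here is an added example (not LogMan.io's own code) of a minimal enricher: it validates declarations against the "no periods in key or field names" rule, answers the generic myuserlookup declared earlier, and resolves a lookup/ipaddressrange lookup whose two ip keys bound the range. The declaration and content dictionaries, the lookup name mynetlookup, and the event field names are all constructed for this illustration.

```python
import ipaddress

# Constructed declarations mirroring the page's YAML (hypothetical content).
DECLARATIONS = {
    "myuserlookup": {
        "type": "lookup",
        "keys": [{"name": "userid", "type": "str"}],
        "fields": {"username": {"type": "str"}},
    },
    "mynetlookup": {
        "type": "lookup/ipaddressrange",
        "keys": [{"name": "range1", "type": "ip"}, {"name": "range2", "type": "ip"}],
        "fields": {"segment": {"type": "str"}},
    },
}

# Constructed lookup content, as the Lookups section of the UI would hold it.
CONTENT = {
    "myuserlookup": {"u42": {"username": "Alice Example"}},
    "mynetlookup": [(("192.168.1.1", "192.168.1.10"), {"segment": "office-lan"})],
}


def validate_declaration(decl):
    """Reject key or field names containing a period, as the page requires."""
    names = [k["name"] for k in decl["keys"]] + list(decl["fields"])
    bad = [n for n in names if "." in n]
    if bad:
        raise ValueError(f"invalid lookup names (periods not allowed): {bad}")
    return True


def lookup(name, value):
    """Return the fields record for a key value, or None when there is no match."""
    decl = DECLARATIONS[name]
    validate_declaration(decl)
    if value is None:
        return None
    if decl["type"] == "lookup":
        return CONTENT[name].get(value)
    if decl["type"] == "lookup/ipaddressrange":
        addr = ipaddress.ip_address(value)
        for (lo, hi), fields in CONTENT[name]:
            # range1/range2 are the inclusive bounds of the key range.
            if ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi):
                return fields
        return None
    raise NotImplementedError(f"unsupported lookup type: {decl['type']}")


def enrich(event, name, key_field):
    """Merge the lookup's fields into a parsed event; unmatched events pass unchanged."""
    found = lookup(name, event.get(key_field))
    return {**event, **found} if found else dict(event)
```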

MAC address lookups

MAC address range lookup

The MAC address range lookup uses the MAC address ranges, such as 0c:12:30:00:00:01 to 0c:12:30:00:00:ff, as keys.

The declaration of a MAC address range lookup must contain type lookup/macaddressrange in the define section and two keys with type mac in the keys section:

define:
  type: lookup/macaddressrange
  name: mylookup
  group: mygroup

keys:
  - name: range1
    type: mac
  - name: range2
    type: mac

fields:
  ...

Single MAC address lookup

A single MAC address lookup is a lookup that has exactly one MAC address key with type mac, which can be associated with an optional and variable number of attributes, defined by zero or more entries under fields.

In order to use single MAC lookups together with the following enrichers, the type of the lookup in the define section must always be lookup/macaddress.

---
define:
  type: lookup/macaddress
  name: mylookup
  group: mygroup

keys:
  - name: sourcemac
    type: mac

fields:
  ...

For more information about MAC address lookups, see MAC Address Lookups.