Lookup Table Examples

The following are examples of using Lookup Tables for detections.

Example for translating 1Password UUIDs into human readable names

Please see our guide about using Lookup Tables to translate 1Password's Universally Unique Identifier (UUID) values into human readable names: Using Lookup Tables: 1Password UUIDs.

Example using CIDR matching through Panther Console

Example scenario: Let's say you want to write detections that consider the traffic logs from company IP space (e.g. VPNs and hosted systems) differently from others logs originating from public IP space.

You have a list of your company's allowed CIDR blocks listed in a .csv file (e.g. 4.5.0.0/16):

Set up a Lookup Table with the CIDR list

1. Follow the instructions to set up a Lookup Table and configure its basic information.

   • The name of the Lookup Table in this example is Company CIDR Blocks.

2. On the Associated Log Types page, choose the Log Type and Selectors.
3. Associate a schema for your Lookup Table: Select an existing one from your list or create a new schema.

   • Note: The primary key column which will hold the CIDR blocks needs to have a CIDR validation applied in the schema to indicate that this lookup table will do CIDR block matching on IP addresses. See our log schema reference.

     Copy

     # Will allow valid ip6 CIDR ranges
     # e.g. 2001:0db8:85a3:0000:0000:0000:0000:0000/64
     - name: address
       type: string
       validate:
         cidr: "ipv6" 
         
     # Will allow valid ipv4 IP addresses e.g. 100.100.100.100/00
     - name: address
       type: string
       validate:
         cidr: "ipv4"  

4. Drag & drop a file or click Select File to choose the file of your CIDR block list to import. The file must be in .csv or .jsonl format. The maximum file size supported is 5MB.

5. After you successfully import a file, click View in Data Explorer to query that table data or click Finish Setup to go back to a list of your custom Lookup Tables.

Write a detection

You might like to receive an alert if any VPC traffic comes from a source IP address that is not part of your company's allowed CIDR blocks. Here is an example of a rule that will send an alert in this case:

def rule(event):
  if event.get('flowDirection') == 'egress': # we care about inbound
        return False
  if event.get('action') == 'REJECT': # we don't care about these either
        return False
  if deep_get(event, 'p_enrichment','Company CIDR Blocks','srcAddr'): # these are ok
        return False 
  return True # alert if NOT from an approved network range

Detection:
  - KeyPath: flowDirection
    Condition: DoesNotEqual
    Value: egress
  - KeyPath: action
    Condition: DoesNotEqual
    Value: REJECT
  - KeyPath: p_enrichment.'Company CIDR Blocks'.srcAddr
    Condition: DoesNotExist

Note: The CIDR validation applied in the Lookup Table schema in this example will enable the system to match IP addresses in VPC flow log to CIDR blocks in the lookup.

Example using IP for Geolocation with Panther Analysis Tool

Let's say you want to know which geographical location your employees are connecting from (e.g., using info like geonames.org). In this scenario, your company has a static file that maps CIDRs to a GeoId, like the one we have in this example_cidr_lookup_content.csv.

> curl https://raw.githubusercontent.com/panther-labs/panther-analysis/master/templates/example_cidr_lookup_content.csv

network,geoname_id
1.0.0.0/24,2077422
1.0.1.0/24,1814991
1.0.2.0/23,1814991
1.0.4.0/22,2077456
1.0.8.0/21,1814991
1.0.16.0/20,1814991

You could use a YAML schema similar to the following:

AnalysisType: lookup_table # always lookup_table
LookupName: simple_cidr_lookup # str
Enabled: true # bool
Description: Lookup table description # str (Optional)
FileName: ./relative/path/to/content.csv # str (Optional)
Reference: An optional reference link # str (Optional)
Schema: Custom.Simple.Cidr # str (should already exist)
LogTypeMap:
  PrimaryKey: network # str
  AssociatedLogTypes: # [...]
    - LogType: Aws.CloudTrail # str
      Selectors: # [str]
        - 'p_any_ip_addresses'
    - LogType: Aws.VPCFlow
      Selectors:
        - 'p_any_ip_addresses'