# Lookup Table Examples

The following are examples of using Lookup Tables for detections.

### Example for translating 1Password UUIDs into human readable names

Please see our guide about using Lookup Tables to translate 1Password's Universally Unique Identifier (UUID) values into human readable names: [Using Lookup Tables: 1Password UUIDs](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/enrichment/lookup-tables/lookup-table-examples/1password-uuids).

### Example using CIDR matching through Panther Console

**Example scenario:** Let's say you want to write detections that treat traffic logs from company IP space (e.g. VPNs and hosted systems) differently from logs originating from public IP space.

You have a list of your company's allowed CIDR blocks listed in a `.csv` file (e.g. `4.5.0.0/16`):

| cidr        | description          |
|-------------|----------------------|
| 10.2.3.0/24 | San Francisco Office |
| 20.3.4.0/24 | DC Office            |
| 30.4.5.0/24 | Boston Office        |

#### Set up a Lookup Table with the CIDR list

1. Follow the steps above under "Set up a Lookup Table" to add a new Lookup Table and configure its basic information.
   * The name of the Lookup Table in this example is `Company CIDR Blocks`.
2. On the Associated Log Types page, choose the Log Type and Selectors.
   * For this example, we used `AWS.VPCFlow` logs and associated the source IP (`srcAddr`) and destination (`dstAddr`) keys.

     ![The image shows the "Associated Log Types" page while setting up Lookup Tables. There is a dropdown menu labeled Log Type, and AWS.VPCFlow is selected. In the field labeled "Selectors," it is filled in with "srcAddr" and "dstAddr."](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fp2Se1LASdY5xZclOFkl9%2Flookup-table-cidr-log-type.png?alt=media\&token=742f7117-5001-42bd-b846-65f5920258c0)
3. Associate a schema for your Lookup Table: Select an existing one from your list or [create a new schema](https://docs.panther.com/~/changes/15ann7vKLltCCAGHtdQr/data-onboarding/custom-log-types#generating-a-schema-from-sample-logs).
   * **Note:** The primary key column that will hold the CIDR blocks needs to have a `CIDR` validation applied in the schema to indicate that this Lookup Table will do CIDR block matching on IP addresses. [See our log schema reference](https://docs.runpanther.io/data-onboarding/custom-log-types/reference#validation-by-string-type).

     ```yaml
     # Will allow valid IPv6 CIDR ranges
     # e.g. 2001:0db8:85a3:0000:0000:0000:0000:0000/64
     - name: address
       type: string
       validate:
         cidr: "ipv6"

     # Will allow valid IPv4 CIDR ranges e.g. 100.100.100.0/24
     - name: address
       type: string
       validate:
         cidr: "ipv4"
     ```
4. Drag & drop a file or click **Select File** to choose the file of your CIDR block list to import. The file must be in `.csv` or `.jsonl` format. The maximum file size supported is 5MB.
5. After you successfully import a file, click **View in Data Explorer** to query that table data or click **Finish Setup** to go back to a list of your custom Lookup Tables.

![](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FcSOJGLrAcLplJ6YvOTi4%2FScreen%20Shot%202022-01-05%20at%206.12.03%20PM.png?alt=media\&token=22de454f-ef92-41de-a386-33c192df22a5)

#### Write a detection

You might like to receive an alert if any VPC traffic comes from a source IP address that is not part of your company's allowed CIDR blocks. Here is an example of a Python rule that sends an alert in this case:

```python
from panther_base_helpers import deep_get


def rule(event):
    if event.get('flowDirection') == 'egress':  # we only care about inbound traffic
        return False
    if event.get('action') == 'REJECT':  # we don't care about rejected flows either
        return False
    if deep_get(event, 'p_enrichment', 'Company CIDR Blocks', 'srcAddr'):  # source matched an approved range
        return False
    return True  # alert if NOT from an approved network range
```

**Note**: The CIDR [validation](#set-up-a-lookup-table-with-the-cidr-list) applied in the Lookup Table schema in this example enables the system to match IP addresses in VPC flow logs to CIDR blocks in the lookup, so `p_enrichment` is only populated for a selector when its address falls inside one of the table's ranges.
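To see how the enrichment and the rule above fit together end to end, here is an added, self-contained example (not Panther's code): it emulates the CIDR-matching enrichment step locally with Python's `ipaddress` module, attaches the matching row under `p_enrichment` in the shape the rule reads, and runs the rule over constructed `AWS.VPCFlow`-style events. The `cidr_match`, `enrich` and `evaluate` helpers and the sample events are assumptions made for this illustration.

```python
import ipaddress

# Constructed stand-in for the page's "Company CIDR Blocks" Lookup Table rows.
COMPANY_CIDR_BLOCKS = [
    {"cidr": "10.2.3.0/24", "description": "San Francisco Office"},
    {"cidr": "20.3.4.0/24", "description": "DC Office"},
    {"cidr": "30.4.5.0/24", "description": "Boston Office"},
]

def cidr_match(ip, rows, key):
    # Return the first row whose CIDR column `key` contains `ip`, else None.
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # missing or malformed selector value: no match
        return None
    for row in rows:
        net = ipaddress.ip_network(row[key], strict=False)
        if addr.version == net.version and addr in net:
            return row
    return None

def enrich(event, table_name, rows, key, selectors):
    # Emulates the enrichment step: p_enrichment[<table>][<selector>] = matching row.
    matches = {s: r for s in selectors if (r := cidr_match(event.get(s, ""), rows, key))}
    if matches:
        event.setdefault("p_enrichment", {})[table_name] = matches
    return event

def rule(event):
    # The page's rule; the chained .get() is equivalent to its deep_get() call.
    if event.get("flowDirection") == "egress":
        return False
    if event.get("action") == "REJECT":
        return False
    if event.get("p_enrichment", {}).get("Company CIDR Blocks", {}).get("srcAddr"):
        return False
    return True  # accepted ingress flow from outside the approved ranges

def evaluate(events):
    # Enrich each event as Panther would, then return the rule's verdict per event.
    return [rule(enrich(e, "Company CIDR Blocks", COMPANY_CIDR_BLOCKS, "cidr",
                        ["srcAddr", "dstAddr"])) for e in events]

# Constructed AWS.VPCFlow-style events (198.51.100.0/24 is documentation address space).
SAMPLE_EVENTS = [
    {"srcAddr": "10.2.3.77", "dstAddr": "172.31.0.5", "flowDirection": "ingress", "action": "ACCEPT"},
    {"srcAddr": "198.51.100.9", "dstAddr": "172.31.0.5", "flowDirection": "ingress", "action": "ACCEPT"},
    {"srcAddr": "198.51.100.9", "dstAddr": "172.31.0.5", "flowDirection": "ingress", "action": "REJECT"},
    {"srcAddr": "172.31.0.5", "dstAddr": "10.2.3.77", "flowDirection": "egress", "action": "ACCEPT"},
]
```

`evaluate(SAMPLE_EVENTS)` returns `[False, True, False, False]`: only the accepted ingress flow from the public address alerts, while the egress flow is suppressed even though its destination matched an office range.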

### Example using IP for Geolocation with Panther Analysis Tool

Let's say you want to know which geographical location your employees are connecting from (e.g., using info like geonames.org). In this scenario, your company has a static file that maps CIDRs to a GeoId, like the one we have in this [example_cidr_lookup_content.csv](https://github.com/panther-labs/panther-analysis/blob/master/templates/example_cidr_lookup_content.csv).

{% code overflow="wrap" %}

```
> curl https://raw.githubusercontent.com/panther-labs/panther-analysis/master/templates/example_cidr_lookup_content.csv

network,geoname_id
1.0.0.0/24,2077422
1.0.1.0/24,1814991
1.0.2.0/23,1814991
1.0.4.0/22,2077456
1.0.8.0/21,1814991
1.0.16.0/20,1814991
```

{% endcode %}

You could use a YAML schema similar to the following:

```yaml
AnalysisType: lookup_table # always lookup_table
LookupName: simple_cidr_lookup # str
Enabled: true # bool
Description: Lookup table description # str (Optional)
FileName: ./relative/path/to/content.csv # str (Optional)
Reference: An optional reference link # str (Optional)
Schema: Custom.Simple.Cidr # str (should already exist)
LogTypeMap:
  PrimaryKey: network # str
  AssociatedLogTypes: # [...]
    - LogType: AWS.CloudTrail # str (log type names are case-sensitive)
      Selectors: # [str]
        - 'p_any_ip_addresses'
    - LogType: AWS.VPCFlow
      Selectors:
        - 'p_any_ip_addresses'
```
