Lookup Table Examples
Last updated
Last updated
The following are examples of using Lookup Tables for detections.
Please see our guide about using Lookup Tables to translate 1Password's Universally Unique Identifier (UUID) values into human readable names: Using Lookup Tables: 1Password UUIDs.
Example scenario: Let's say you want to write detections that consider the traffic logs from company IP space (e.g. VPNs and hosted systems) differently from others logs originating from public IP space.
You have a list of your company's allowed CIDR blocks listed in a .csv
file (e.g. 4.5.0.0/16
):
cidr | description |
---|---|
10.2.3.0/24 | San Francisco Office |
20.3.4.0/24 | DC Office |
30.4.5.0/24 | Boston Office |
Follow the steps above under "Set up a Lookup Table" to add a new Lookup Table and configure its basic information.
The name of the Lookup Table in this example is Company CIDR Blocks
.
On the Associated Log Types page, choose the Log Type and Selectors.
For this example, we used AWS.VPCFlow
logs and associated the source IP (srcAddr
) and destination (dstAddr
) keys.
Associate a schema for your Lookup Table: Select an existing one from your list or create a new schema.
Note: The primary key column which will hold the CIDR blocks needs to have a CIDR
validation applied in the schema to indicate that this lookup table will do CIDR block matching on IP addresses. See our log schema reference.
Drag & drop a file or click Select File to choose the file of your CIDR block list to import. The file must be in .csv
or .jsonl
format. The maximum file size supported is 5MB.
After you successfully import a file, click View in Data Explorer to query that table data or click Finish Setup to go back to a list of your custom Lookup Tables.
You might like to receive an alert if any VPC traffic comes from a source IP address that is not part of your company's allowed CIDR blocks. Here is an example of a rule that will send an alert in this case:
Note: The CIDR validation applied in the Lookup Table schema in this example will enable the system to match IP addresses in VPC flow log to CIDR blocks in the lookup.
Let's say you want to know which geographical location your employees are connecting from (e.g., using info like geonames.org). In this scenario, your company has a static file that maps CIDRs to a GeoId, like the one we have in this example_cidr_lookup_content.csv.
You could use a YAML schema similar to the following: