A lookup is a reference that is used in the lookup table, which you can include in your rule or query. For example, you can use lookups to include or exclude certain IP addresses from a rule query.
Lookup list values are only string-based and do not support ranges. OpenSearch Dashboards, however, supports range-based searches, such as IP: [127.0.0.0 TO 127.*].
View the lookup table
To access the lookup table:
-
Sign in to Logz.io.
-
Go to SIEM > Event Lookups.
Here you can add a lookup to the table manually or export it from a CSV file.
Add a lookup manually
To manually add a lookup:
-
Select + New lookup.
-
Add a lookup name.
-
If required, add a lookup description.
-
Select + New element.
-
Fill out the lookup definitions:
-
Add a value that defines the lookup, e.g. an IP address.
-
If required, add a comment for this lookup.
-
Add expiration time for the lookup.
-
-
Select Add.
Add a lookup list from a CSV file
To add a list of lookups from a CSV file:
-
Select Upload from CSV file.
-
Add expiration time to the lookup.
-
Select Upload CSV file.
-
Select the CSV file from your machine and confirm the selection.
Add a single lookup definition
To add a definition for a single lookup from a CSV file:
-
Select + New lookup.
-
Add a lookup name.
-
If required, add a lookup description.
-
Select Upload from CSV file.
-
Add expiration time to the lookup.
-
Select Upload CSV file.
-
Select the CSV file from your machine and confirm the selection.
Reference a lookup in a security rule
To refer to a lookup when creating a security rule:
-
Navigate to the Create a rule window as described in Create a security rule.
-
In the first step, select Add a filter.
-
Select the filter field.
-
Select whether the filter is included in or excluded from a lookup.
-
Select the lookup you are referring to.
-
Select Save.