Lookups are custom lists that allow you to easily filter by large lists in Kibana.
Instead of adding a long list of elements to your query, you can create lookup lists and filter by them with the operators in lookups or not in lookups.
For example, you can create lookups of whitelisted or blacklisted usernames, IP addresses, regions, or domains.
Since the lookup list is centrally managed, it can be updated and changed in one place without having to manually update multiple dashboards, saved searches, security rules, and so on.
To create a lookup list, select Rules > Lookups from the top menu of your Cloud SIEM account.
If you would like to create a lookup list with a large number of elements, please contact the Support team so they can create it for you. A new lookups API is coming soon to allow you to create and update a large lookup list independently.
Create a lookup
- In the Lookups page, click + New lookup. Name your lookup. You can also add a Description.
- Click + Add record to add a new element to the lookup.
- Type in a Value, for example an IP address or domain. You can also add a reference Note. Click Add to confirm and save the new record.
- Repeat the previous step to continue adding the relevant records to your lookup.
Update or delete a lookup
In the Lookups page:
- To add, update, or remove items from the lookup, hover over the lookup, click edit, make your changes, and then click Save.
- To delete a lookup, hover over the item and click delete. You'll be asked to confirm the deletion.
Filter by lookups in Kibana
You can filter by lookups in Kibana dashboards, security rules, and searches.
For example, go to the Research page or open a Dashboard. Click Add a filter to show the filter dialog box.
- Field - Select a field to filter by.
- Operator - Select the operator in lookups or not in lookups.
- Value - Select the lookup you want to filter by.
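To make the filter semantics concrete, the following is an added Python simulation (not Logz.io's own code or API) of a centrally managed lookup queried by two consumers with the in lookups and not in lookups operators, showing that a single update to the lookup changes what both consumers see. The Lookup class, apply_lookup_filter, the constructed events and the source_ip field name are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Lookup:
    """A named, centrally managed list of values, each with an optional note."""
    name: str
    description: str = ""
    records: Dict[str, str] = field(default_factory=dict)  # normalised value -> note

    def add_record(self, value: str, note: str = "") -> None:
        # Normalise so "Example.COM " and "example.com" are the same record
        self.records[value.strip().lower()] = note

    def contains(self, value: str) -> bool:
        return value.strip().lower() in self.records

def apply_lookup_filter(events: List[dict], field_name: str,
                        operator: str, lookup: Lookup) -> List[dict]:
    """Keep events as an 'in lookups' / 'not in lookups' filter clause would.
    Assumption: an event without the field never matches 'in lookups',
    so 'not in lookups' keeps it."""
    if operator not in ("in lookups", "not in lookups"):
        raise ValueError(f"unsupported operator: {operator!r}")
    want_member = operator == "in lookups"
    kept = []
    for event in events:
        value = event.get(field_name)
        is_member = value is not None and lookup.contains(str(value))
        if is_member == want_member:
            kept.append(event)
    return kept

# Constructed sample events (RFC 5737 documentation addresses, not real hosts)
EVENTS = [
    {"source_ip": "203.0.113.7", "user": "alice"},
    {"source_ip": "198.51.100.2", "user": "bob"},
    {"source_ip": "192.0.2.9", "user": "carol"},
    {"user": "dave"},  # event with no source_ip field at all
]

def blocked_users(lookup: Lookup) -> List[str]:
    """Dashboard-style consumer: users whose source_ip is in the lookup."""
    hits = apply_lookup_filter(EVENTS, "source_ip", "in lookups", lookup)
    return [e["user"] for e in hits]

def allowed_users(lookup: Lookup) -> List[str]:
    """Rule-style consumer: users whose source_ip is not in the lookup."""
    hits = apply_lookup_filter(EVENTS, "source_ip", "not in lookups", lookup)
    return [e["user"] for e in hits]
```

Adding a second record to the lookup (for example with a stray space, which the normalisation absorbs) changes the result of both consumers without touching either of them.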
Add a lookup filter to a security rule
Security rules can filter by a lookup. Learn more about managing security rules.