Lookup lists are custom lists that you can use for simpler, easier query filtering in Kibana.
Instead of adding a long list of elements to your query, you can create lookup lists and use them to filter results by adding the operator
in lookups or
not in lookups. For example, you can create lookup lists of allowlisted or blocklisted usernames, IP addresses, regions, or domains.
Each list you create is added to the main Lookup lists library: Because the lookup lists are centrally managed, any list can be easily updated and changed without requiring manually updating multiple dashboards, saved searches, security rules, and so on.
Configuring an expiration with the optional Time to live (TTL) setting makes it possible to set a default time range for how long new lists should be actively used to filter queries, or to set a specific time range for a specific list. In addition to setting a TTL for a list, you can also configure a unique TTL for each element in the list, separate from the general TTL of the list.
To view and create lookup lists, from the Cloud SIEM menu, go to More Options > Lookups.
To create a large lookup list with up to 200 elements, we recommend that you use a CSV file to upload values. The Lookup lists API endpoints also let you independently manage lookup lists: To create a new list, you’d use the Create lookup lists API, and add elements (either via CSV file or via the Add element to a Lookup list API.
The Time to live (TTL) and CSV upload features are currently in Beta. Contact Logzio Support to request early access.
Managing and using lookup lists
- Configure the default expiration period for new lookup lists
- Create or edit a lookup list manually
- Create or edit a lookup list via CSV file upload
- Delete a lookup list
- Filter by lookup lists in Kibana
- Add a lookup list filter to a security rule
Configure the default expiration period for new lookup lists
Time to live (TTL) is the number of days remaining until the lookup list is expired: A lookup list with a TTL of 1 day expires within 24 hours from the time it was created and a list with a TTL of 2 days expires within 48 hours from the creation time.
By default, all new lookup lists are created without an expiration period. To set the Default Time to live (TTL) for new lookup lists, at the top of the Lookup lists page, click Change, select No expiration or a period between 1-364 days, and then Save your changes to apply them or Cancel the change.
Create or edit a lookup list manually
- In the Lookup lists page, do one of the following:
- Click + New lookup to open Edit a lookup list.
- For an existing list, hover over the list in the table, and click edit to open Edit a lookup list.
In the Edit a lookup list page, update the Name and optional Description for the list.
To add a new line to the list:
a. Click + New element.
b. Enter a Value for the element: For example, an IP address or domain. You can also add an optional note.
c. Set an expiration period (Time to live) for the element: Select No expiration or select the number of days (1-364) you want the list to be active.
d. Click Add to confirm and save the new element or Cancel to discard your changes.
e. Repeat these steps to continue adding elements to your lookup list.
To edit an existing element:
a. Hover over the element in the table, click edit and update the Value, Comment, or Time to live as needed. b. Click Save or Cancel.
- To delete an existing element, hover over the element in the table, click delete , and Confirm or Cancel the action.
Create or edit a lookup list via CSV file upload
Create a large lookup list of up to 200 elements, or update the elements of an existing list with a CSV file.
Prepare a CSV file that includes between 1 and 200 elements:
- An element line can include a single value and an optional comment, but should not be left blank.
- Don’t include header titles for element tables: The headers for the lookup list tables in Cloud SIEM are always Value and Comment.
If your CSV file includes elements that are already in the lookup list, the values are merged and the comments in the uploaded file overwrite the existing comments.
- In the Lookup lists page, click Upload from CSV file.
- In the Upload records from CSV file dialog, configure the TTL for the list as needed.
- Click Upload CSV file, select the relevant file, and confirm, or Cancel to exit the upload. The Edit a lookup list page opens and your new lookup list is displayed with an Untitledxx default name (for example, Untitled20).
- Rename your lookup list, add an optional description, and click Save to update.
Delete a lookup list
To delete a lookup, hover over the item and click delete to delete it. You’ll be asked to confirm the deletion.
Filter by lookup lists in Kibana
You can filter by lookup lists in Kibana dashboards, security rules, and searches.
For example, go to the SIEM Kibana page or open a Dashboard. Click Add a filter to show the filter dialog box.
- Field - Select a field to filter by.
- Operator - Select the operator in lookups or not in lookups.
- Value - Select the lookup you want to filter by.
Add a lookup list filter to a security rule
Security rules can filter by a lookup list. Learn more about managing security rules.