The Lookup Manager Extension allows you to create, maintain & automatically refresh lookups in the Organization to then reference them in Detection & Response Rules.
The saved Lookup Configurations can be managed across tenants using Infrastructure as Code extension. To manage lookup versions across all of your tenants, update the file under the original Authenticated Resource Locator.
Every 24 hours, LimaCharlie syncs all of the lookups in the configuration. Lookups can also be synced manually by clicking the Manual Sync button on the extension page. A newly added lookup configuration is not synced immediately unless you click Manual Sync.
Lookup sources can be either direct links (URLs) to a given lookup or ARLs.
Example JSON lookup: link
Usage
Option 1: Preconfigured Lookups
LimaCharlie provides a curated list of several publicly available JSON lookups for use within your organization. These are provided in the lookup manager GUI.
More details and the contents of each of these lookups can be found here.
Option 2: Publicly available Lookups
Give the lookup configuration a name, enter the URL or ARL, and click Save to create the new lookup source; it is then synced into your lookups. For example, an ARL pointing at a public GitHub repository has the form:
[github,my-org/my-repo-name/path/to/lookup]
Option 3: Private Lookup Repository
To use a lookup from a private GitHub repository you will need to make use of an Authenticated Resource Locator (ARL).
Step 1: Create a token in GitHub
In GitHub go to Settings and click Developer settings in the left hand side bar.
Next click Personal access tokens followed by Generate new token. Select the repo permissions and finally click Generate token.
Step 2: Connect LimaCharlie to your GitHub Repository
Inside of LimaCharlie, click on Lookup Manager in the left hand menu. Then click Add New Lookup Configuration.
Give your lookup a name, then enter an ARL in the following format, pointing at your repository and including the token you generated:
[github,my-org/my-repo-name/path/to/lookup,token,bfuihferhf8erh7ubhfey7g3y4bfurbfhrb]
Infrastructure as Code
Example:
hives:
  extension_config:
    ext-lookup-manager:
      data:
        lookup_manager_rules:
          - arl: ""
            format: json
            name: tor
            predefined: '[https,storage.googleapis.com/lc-lookups-bucket/tor-ips.json]'
            tags:
              - tor
          - arl: ""
            format: json
            name: talos
            predefined: '[https,storage.googleapis.com/lc-lookups-bucket/talos-ip-blacklist.json]'
            tags:
              - talos
      usr_mtd:
        enabled: true
        expiry: 0
        tags: []
        comment: ""
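As an added example (not LimaCharlie's own tooling), the following Python splits an ARL into its fields and lints a lookup_manager_rules list like the one above before it is committed, flagging rules with no source, a malformed ARL, or a GitHub token embedded in plaintext. The bracketed comma-separated ARL grammar and the sample configuration are assumptions built from the examples on this page.

```python
import re

# Assumption (inferred from the page's examples, not a documented grammar):
# an ARL is "[method,path]" or "[method,path,token,<value>]".
ARL_RE = re.compile(r"^\[([^,\]]+),([^,\]]+)(?:,([^,\]]+),([^\]]+))?\]$")


def parse_arl(arl: str) -> dict:
    """Split an ARL into method, path and optional auth fields; raise on bad input."""
    m = ARL_RE.match(arl.strip())
    if not m:
        raise ValueError(f"malformed ARL: {arl!r}")
    method, path, auth_type, auth_value = m.groups()
    return {"method": method, "path": path,
            "auth_type": auth_type, "auth_value": auth_value}


def lint_lookup_rules(rules: list) -> list:
    """Return (rule name, finding) pairs for a lookup_manager_rules list."""
    findings = []
    for rule in rules:
        name = rule.get("name") or "<unnamed>"
        if not rule.get("name"):
            findings.append((name, "missing name"))
        if rule.get("format") != "json":
            findings.append((name, f"unexpected format {rule.get('format')!r}"))
        source = rule.get("arl") or rule.get("predefined") or ""
        if not source:
            findings.append((name, "neither arl nor predefined is set"))
            continue
        try:
            parsed = parse_arl(source)
        except ValueError as exc:
            findings.append((name, str(exc)))
            continue
        # A token inside the ARL sits in plaintext in the IaC file; flag it for review.
        if parsed["auth_type"] == "token":
            findings.append((name, f"{parsed['method']} ARL embeds a plaintext token"))
    return findings


# Constructed sample: the two predefined rules from the page plus two hypothetical ones.
SAMPLE_RULES = [
    {"arl": "", "format": "json", "name": "tor",
     "predefined": "[https,storage.googleapis.com/lc-lookups-bucket/tor-ips.json]"},
    {"arl": "", "format": "json", "name": "talos",
     "predefined": "[https,storage.googleapis.com/lc-lookups-bucket/talos-ip-blacklist.json]"},
    {"arl": "[github,my-org/my-repo-name/path/to/lookup,token,EXAMPLE_TOKEN_PLACEHOLDER]",
     "format": "json", "name": "private-iocs", "predefined": ""},
    {"arl": "github,my-org/my-repo-name/path/to/lookup", "format": "json", "name": "broken"},
]

if __name__ == "__main__":
    for rule_name, finding in lint_lookup_rules(SAMPLE_RULES):
        print(f"{rule_name}: {finding}")
```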