Lookup Manager
  • 07 Feb 2024

The Lookup Manager extension lets you create, maintain, and automatically refresh lookups in your organization so that you can reference them in Detection & Response rules.

Saved lookup configurations can be managed across tenants using the Infrastructure as Code extension. To manage lookup versions across all of your tenants, update the file under the original Authentication Resource Locator (ARL). Every 24 hours, LimaCharlie will sync all of the tenants that use the configuration. Lookups can also be synced manually by clicking the Manual Sync button on the extension page.

Lookup sources can be either direct links (URLs) to a given lookup or ARLs.

Example JSON lookup: link

Option 1: Publicly available Lookups

Give the lookup configuration a name, enter the URL or ARL, and click the Save button to create the new lookup source, which will then sync to your lookups.

[github,my-org/my-repo-name/path/to/lookup]

Option 2: Private Lookup Repository

To use a lookup from a private GitHub repository, you will need to use an Authentication Resource Locator.

Step 1: Create a token in GitHub
In GitHub, go to Settings and click Developer settings in the left-hand sidebar.

Next, click Personal access token, followed by Generate new token. Select repo permissions and finally click Generate token.

Step 2: Connect LimaCharlie to your GitHub Repository
Inside LimaCharlie, click Lookup Manager in the left-hand menu. Then click Add New Lookup Configuration.

Give your lookup a name, then enter an ARL in the following format, which combines the path to the lookup in your repo with the token you generated.

[github,my-org/my-repo-name/path/to/lookup,token,bfuihferhf8erh7ubhfey7g3y4bfurbfhrb]
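
Because the private-repository ARL above carries the GitHub token inline, any file or log line that holds it is itself a secret. The following Python is an added example, not LimaCharlie code: it parses the two ARL forms shown on this page, flags the ones that embed a credential, and reports them with the token masked. The grammar, the function names, and the sample configuration layout are assumptions made for illustration.

```python
import re

# Grammar inferred from the two ARL forms shown on this page (an assumption,
# not LimaCharlie's own parser): [method,destination] or
# [method,destination,auth_type,auth_data].
ARL_RE = re.compile(r"\[([^\[\],]+),([^\[\],]+)(?:,([^\[\],]+),([^\[\],]+))?\]")


def parse_arl(text):
    """Return the ARL's fields as a dict; raise ValueError if malformed."""
    m = ARL_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError("not an ARL in either form shown on the page")
    method, dest, auth_type, auth_data = m.groups()
    return {"method": method, "dest": dest,
            "auth_type": auth_type, "auth_data": auth_data}


def redact_arl(text):
    """Rebuild the ARL with the credential masked, for logs or tickets."""
    arl = parse_arl(text)
    if arl["auth_type"] is None:
        return "[{method},{dest}]".format(**arl)
    return "[{method},{dest},{auth_type},<redacted>]".format(**arl)


def find_embedded_credentials(config_text):
    """Yield (line_no, redacted_arl) for each ARL carrying auth data."""
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        for m in ARL_RE.finditer(line):
            if m.group(3) is not None:
                yield line_no, redact_arl(m.group(0))


# Constructed sample: a configuration file as it might sit in a repository.
# The layout, names and token are placeholders, not a LimaCharlie schema.
SAMPLE_CONFIG = """\
lookups:
  public-list: "[github,my-org/my-repo-name/path/to/lookup]"
  private-list: "[github,my-org/my-repo-name/path/to/lookup,token,EXAMPLE_TOKEN_PLACEHOLDER]"
"""

if __name__ == "__main__":
    for line_no, arl in find_embedded_credentials(SAMPLE_CONFIG):
        print(f"line {line_no}: credential-bearing ARL {arl}")
```
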

