Lookups
  • 01 Sep 2023

Format

Lookups are dictionaries (maps, key-value pairs) whose keys are strings. Once loaded, a lookup can be queried by various parts of LimaCharlie, such as D&R rules. The value associated with each key must itself be a dictionary; it holds metadata for that key and is returned to the rule that performs the lookup.

Lookup data is ingested by specifying one of the following root keys, which indicates the format of the lookup data:

  • lookup_data: the lookup represented directly as parsed JSON (a dictionary mapping string keys to metadata dictionaries).
  • newline_content: a string containing one key per line; LimaCharlie assumes the metadata for each key is empty.
  • yaml_content: a string in YAML format that contains a dictionary with string keys and dictionary metadata, like lookup_data.
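The following is an added example, not LimaCharlie's own code: it takes a payload in any of the three formats above and normalizes it into a single `{key: metadata}` table, enforcing the rules this page states (string keys, dictionary metadata, exactly one root key). It also rejects a JSON body that lists the same key twice, which `json.loads` would otherwise accept silently by keeping only the last entry. The sample payloads are constructed for the example; PyYAML is assumed to be installed only if `yaml_content` is used.

```python
"""Added example (not LimaCharlie's own code): normalize a lookup payload
into {key: metadata_dict}, enforcing the rules stated on this page.

Assumptions: the payload is the JSON body carrying exactly one of the three
root keys; PyYAML is only needed (and only imported) for yaml_content.
"""
import json

ROOT_KEYS = ("lookup_data", "newline_content", "yaml_content")


def _reject_duplicate_keys(pairs):
    """json.loads hook: fail on a repeated key instead of silently keeping the last one."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key in lookup payload: {key!r}")
        obj[key] = value
    return obj


def normalize_lookup(payload: dict) -> dict:
    """Turn an already-parsed payload into a {str: dict} lookup table."""
    roots = [r for r in ROOT_KEYS if r in payload]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one of {ROOT_KEYS}, got {roots}")
    root, body = roots[0], payload[roots[0]]

    if root == "lookup_data":
        table = body
    elif root == "newline_content":
        if not isinstance(body, str):
            raise ValueError("newline_content must be a string")
        # One key per line (CRLF tolerated), blank lines skipped, metadata empty.
        table = {line: {} for line in body.splitlines() if line}
    else:
        if not isinstance(body, str):
            raise ValueError("yaml_content must be a string")
        import yaml  # PyYAML, assumed installed; safe_load never builds arbitrary objects
        table = yaml.safe_load(body)

    if not isinstance(table, dict):
        raise ValueError(f"{root} must decode to a dictionary of keys")
    for key, mtd in table.items():
        if not isinstance(key, str):  # only reachable via YAML; JSON keys are always strings
            raise ValueError(f"lookup key must be a string, got {key!r}")
        if not isinstance(mtd, dict):
            raise ValueError(f"metadata for {key!r} must be a dictionary, got {type(mtd).__name__}")
    return table


def parse_lookup_payload(raw: str) -> dict:
    """Parse the raw JSON body and normalize it."""
    return normalize_lookup(json.loads(raw, object_pairs_hook=_reject_duplicate_keys))


def query(table: dict, key: str):
    """What a D&R rule sees: the metadata dict for a hit, None for a miss."""
    return table.get(key)


def is_rejected(raw: str) -> bool:
    """True if the payload fails validation (JSONDecodeError is a ValueError too)."""
    try:
        parse_lookup_payload(raw)
    except ValueError:
        return True
    return False


# Constructed sample payloads (raw string: "\\" stays a JSON escape for one backslash).
SAMPLE_JSON = r'''{
  "lookup_data": {
    "c:\\windows\\system32\\ping.exe": {"mtd1": "known_bin", "mtd2": 4},
    "c:\\windows\\system32\\cmd.exe":  {"mtd1": "good_val",  "mtd2": 10}
  }
}'''
SAMPLE_NEWLINE = '{"newline_content": "lvalue1\\nlvalue2\\r\\nlvalue3\\n"}'
# Same key listed twice: json.loads would keep only the second entry without the hook.
DUPLICATE_JSON = '{"lookup_data": {"a.exe": {"mtd1": 1}, "a.exe": {"mtd1": 2}}}'
# Metadata must be a dictionary, not a bare value.
BAD_METADATA_JSON = '{"lookup_data": {"a.exe": "known_bin"}}'

if __name__ == "__main__":
    table = parse_lookup_payload(SAMPLE_JSON)
    print(query(table, r"c:\windows\system32\ping.exe"))     # {'mtd1': 'known_bin', 'mtd2': 4}
    print(query(table, r"c:\windows\system32\notepad.exe"))  # None
    print(parse_lookup_payload(SAMPLE_NEWLINE))              # {'lvalue1': {}, 'lvalue2': {}, 'lvalue3': {}}
    print(is_rejected(DUPLICATE_JSON), is_rejected(BAD_METADATA_JSON))  # True True
```

The duplicate-key hook is the part worth keeping even if you drop the rest: a lookup authored by hand or generated by a script can easily repeat a key, and without the hook the earlier metadata disappears with no error, so a rule that expected one classification silently receives another.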

Permissions

  • lookup.get
  • lookup.set
  • lookup.del
  • lookup.get.mtd
  • lookup.set.mtd

Command-Line Usage

Usage

Example

Each key appears once in the lookup (the original example listed the same ping.exe path twice, which is not valid JSON); the metadata dictionary may hold any JSON values:

{
  "lookup_data": {
    "c:\\windows\\system32\\ping.exe": {
      "mtd1": "known_bin",
      "mtd2": 4
    },
    "c:\\windows\\system32\\cmd.exe": {
      "mtd1": "good_val",
      "mtd2": 10
    }
  }
}

or

{
  "newline_content": "lvalue1\nlvalue2\nlvalue3"
}
