Lookup Manager
  • 22 Oct 2024

The Lookup Manager extension lets you create, maintain and automatically refresh lookups in an Organization so that they can be referenced from Detection & Response rules.

Saved lookup configurations can be managed across tenants with the Infrastructure as Code extension. Because every tenant pulls from the same Authenticated Resource Locator (ARL), updating the file at that location updates the lookup in all of your tenants on their next sync.

Every 24 hours, LimaCharlie syncs all of the lookups in the configuration. You can also sync them on demand with the Manual Sync button on the extension page. A newly added lookup configuration is not synced immediately; click Manual Sync if you need it before the next scheduled sync.

A lookup source is either a direct link (URL) to the lookup file or an ARL.

Example JSON lookup: link
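The following is an added example, not code from the LimaCharlie documentation. It builds a small JSON lookup from a constructed feed and emulates the match a D&R rule performs against it. It assumes the JSON lookup format is an object whose keys are the values to match on (here, IP addresses) and whose values are free-form metadata returned on a hit; confirm this shape against the example lookup linked above before relying on it.

```python
"""Build and sanity-check a JSON lookup of the kind the Lookup Manager syncs.

Added example, not code from the LimaCharlie documentation. Assumption: the
JSON lookup is an object keyed by the value to match, with free-form metadata
as the value.
"""
import ipaddress
import json

# Constructed sample feed (documentation address ranges, not real threat data).
SAMPLE_FEED = {
    "198.51.100.7": {"source": "tor", "first_seen": "2024-10-01"},
    "203.0.113.42": {"source": "talos", "first_seen": "2024-10-15"},
    "2001:DB8::1": {"source": "tor", "first_seen": "2024-10-20"},
}


def build_ip_lookup(entries):
    """Serialise entries as a lookup, rejecting keys that are not IP addresses.

    Keys are canonicalised through ipaddress so that, for example, an
    upper-case or zero-padded IPv6 literal in the feed still matches the
    compressed lower-case form an event carries.
    """
    lookup = {}
    for raw_key, meta in entries.items():
        try:
            key = str(ipaddress.ip_address(raw_key.strip()))
        except ValueError as exc:
            raise ValueError(f"lookup key is not an IP address: {raw_key!r}") from exc
        if not isinstance(meta, dict):
            raise ValueError(f"metadata for {key} must be a JSON object")
        if key in lookup:
            raise ValueError(f"duplicate key after canonicalisation: {key}")
        lookup[key] = meta
    return json.dumps(lookup, indent=2, sort_keys=True)


def load_lookup(text):
    """Parse a lookup file, enforcing the object-keyed-by-indicator shape."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("lookup must be a JSON object keyed by indicator")
    return data


def match(lookup, value):
    """Emulate a D&R lookup hit: metadata for value, or None when absent."""
    try:
        key = str(ipaddress.ip_address(str(value).strip()))
    except ValueError:
        return None
    return lookup.get(key)


if __name__ == "__main__":
    table = load_lookup(build_ip_lookup(SAMPLE_FEED))
    for ip in ("198.51.100.7", "2001:db8::1", "10.0.0.1"):
        print(ip, "->", match(table, ip))
```

Canonicalising keys matters because the lookup is an exact-match table: a feed entry written as `2001:DB8::1` would otherwise never match the `2001:db8::1` an event reports.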

Usage

Option 1: Preconfigured Lookups

LimaCharlie provides a curated set of publicly available JSON lookups that you can enable for your organization directly from the Lookup Manager GUI.

More details and the contents of each of these lookups can be found here.

Option 2: Publicly available Lookups

Give the lookup configuration a name, enter the URL or ARL of the source, and click Save to create a lookup source that syncs into your lookups. For a file in a public GitHub repository the ARL takes this form:

[github,my-org/my-repo-name/path/to/lookup]

Option 3: Private Lookup Repository

To use a lookup from a private GitHub repository, the source must carry credentials, which is what an Authenticated Resource Locator (ARL) provides.

Step 1: Create a token in GitHub
In GitHub, go to Settings and click Developer settings in the left-hand sidebar.

Click Personal access tokens, then Generate new token. Select the repo scope and click Generate token. Note that the classic repo scope grants read and write access to every repository the account can reach; if your organization allows fine-grained personal access tokens, prefer one restricted to the lookup repository with read-only Contents permission, which is all the extension needs to fetch the file.

Step 2: Connect LimaCharlie to your GitHub repository
In LimaCharlie, click Lookup Manager in the left-hand menu, then click Add New Lookup Configuration.

Give the lookup a name and enter an ARL in the following form, replacing the repository path and the placeholder token with your own:

[github,my-org/my-repo-name/path/to/lookup,token,bfuihferhf8erh7ubhfey7g3y4bfurbfhrb]

The token travels inside the ARL, so any exported configuration or Infrastructure as Code file that contains this entry holds a live credential and should be stored and shared as one.

Infrastructure as Code

Example configuration enabling the curated tor and talos lookups:

hives:
    extension_config:
        ext-lookup-manager:
            data:
                lookup_manager_rules:
                    - arl: ""
                      format: json
                      name: tor
                      predefined: '[https,storage.googleapis.com/lc-lookups-bucket/tor-ips.json]'
                      tags:
                        - tor
                    - arl: ""
                      format: json
                      name: talos
                      predefined: '[https,storage.googleapis.com/lc-lookups-bucket/talos-ip-blacklist.json]'
                      tags:
                        - talos
            usr_mtd:
                enabled: true
                expiry: 0
                tags: []
                comment: ""
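The following is an added example, not LimaCharlie code, covering both the private-repository ARL procedure above and this Infrastructure as Code section. It assembles lookup_manager_rules entries programmatically, reads the GitHub token from an environment variable instead of hard-coding it, and redacts the token before anything is logged. Assumptions: an ARL is a bracketed, comma-separated scheme and location, optionally followed by an auth type and value, as in the ARLs shown on this page; custom sources go in the arl field and curated ones in predefined (the field names come from the page's IaC example, the split between them is inferred); the environment variable name LC_GITHUB_TOKEN and the private repository path are placeholders. The config is emitted as JSON because every JSON document is also valid YAML.

```python
"""Build Lookup Manager rules for the Infrastructure as Code extension.

Added example, not LimaCharlie code. Assumed: ARL layout as shown on the page,
custom sources in `arl` and curated ones in `predefined`, and a placeholder
environment variable for the GitHub token.
"""
import json
import os
import re

# [scheme,location] or [scheme,location,auth_type,auth_value]
ARL_RE = re.compile(r"^\[([a-z]+),([^,\[\]]+)(?:,([a-z]+),([^,\[\]]+))?\]$")

# Assumed variable name; the real token never goes into source control.
TOKEN_ENV = "LC_GITHUB_TOKEN"


def redact(arl):
    """Mask the auth value so an ARL can be logged or shown in a diff."""
    return re.sub(r"(,[a-z]+,)[^,\[\]]+\]$", r"\1***]", arl)


def parse_arl(arl):
    """Split an ARL into its parts, or raise if it is malformed."""
    m = ARL_RE.match(arl)
    if not m:
        raise ValueError(f"malformed ARL: {redact(arl)}")
    scheme, location, auth_type, auth_value = m.groups()
    return {"scheme": scheme, "location": location,
            "auth_type": auth_type, "auth_value": auth_value}


def github_arl(repo_path, token=None):
    """[github,org/repo/path] or, with a token, [github,org/repo/path,token,<value>]."""
    if re.search(r"[,\[\]\s]", repo_path):
        raise ValueError("repo path must not contain ',', brackets or whitespace")
    if token is None:
        return f"[github,{repo_path}]"
    token = token.strip()
    if not token or re.search(r"[,\[\]\s]", token):
        raise ValueError("token must be non-empty and free of ',', brackets and whitespace")
    return f"[github,{repo_path},token,{token}]"


def lookup_rule(name, arl, tags=(), fmt="json", predefined=False):
    """One entry of lookup_manager_rules, mirroring the page's IaC example."""
    parse_arl(arl)  # fail early on a malformed source
    return {
        "arl": "" if predefined else arl,
        "format": fmt,
        "name": name,
        "predefined": arl if predefined else "",
        "tags": list(tags),
    }


def render_config(rules):
    """Wrap the rules in the hives/extension_config structure from the page."""
    cfg = {"hives": {"extension_config": {"ext-lookup-manager": {
        "data": {"lookup_manager_rules": rules},
        "usr_mtd": {"enabled": True, "expiry": 0, "tags": [], "comment": ""},
    }}}}
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    rules = [
        lookup_rule("tor", "[https,storage.googleapis.com/lc-lookups-bucket/tor-ips.json]",
                    tags=["tor"], predefined=True),
        lookup_rule("public-iocs", github_arl("my-org/my-repo-name/path/to/lookup"),
                    tags=["github"]),
    ]
    token = os.environ.get(TOKEN_ENV)
    if token:  # only add the private source when a credential is actually available
        # placeholder repository path; replace with your own
        rules.append(lookup_rule("private-iocs",
                                 github_arl("my-org/private-repo/lookups/iocs.json", token),
                                 tags=["github", "private"]))
    print(render_config(rules))
    for r in rules:  # list the sources without leaking the token
        print("source:", redact(r["arl"] or r["predefined"]))
```

Run it with LC_GITHUB_TOKEN exported to include the private source; the rendered JSON can be fed to the Infrastructure as Code extension as-is, while the redacted source list is what belongs in CI logs.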

