
Adaptive lookups

Adaptive lookups let TeskaLabs LogMan.io event-processing components, such as LogMan.io Parsec, LogMan.io Correlator, and LogMan.io Alerts, update lookups automatically through rules, so that lookups used for real-time data enrichment stay current.

Custom rules can dynamically add or remove entries from these lookups based on the insights gleaned from incoming logs or other events. This ensures that your threat detection and response strategies remain agile, accurate, and aligned with the ever-changing cyber threat landscape, providing an essential layer of intelligence to your security operations.

Triggers

The lookup content is manipulated by a specific entry in the trigger section of the declaration.

A trigger can create or overwrite (set), increment (add), decrement (sub), or remove (delete) an entry in the lookup.

Each entry is identified by a key, which serves as its unique primary key.

Example of a trigger that adds an entry to the lookup user_list:

 trigger:
  - lookup: user_list
    key: !ITEM EVENT user.name
    set:
      event.created: !NOW
      foo: bar

Example of a trigger that removes an entry from the lookup user_list:

 trigger:
  - lookup: user_list
    delete: !ITEM EVENT user.name

Example of a trigger that increments a counter (field my_counter) in the entry of the lookup user_list:

 trigger:
  - lookup: user_list
    key: !ITEM EVENT user.name
    add: my_counter

Example of a trigger that decrements a counter (field my_counter) in the entry of the lookup user_list:

 trigger:
  - lookup: user_list
    key: !ITEM EVENT user.name
    sub: my_counter

For both add and sub, the counter field name can be omitted, in which case the default attribute _counter is used implicitly:

 trigger:
  - lookup: user_list
    key: !ITEM EVENT user.name
    sub:

If the counter field does not exist, it is created with the default value of 0.

Note

Lookup entries can be read from declarative expressions with the !GET and !IN expressions.
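Added example, not LogMan.io code: a small Python model of the trigger semantics above (set, add, sub, delete, and the _counter default) together with a !GET-style read of an entry, so the effect of each trigger on a lookup can be checked on constructed events. The function names, the `enrich` helper and the rule that a missing counter is created as 0 before the +/-1 is applied are assumptions.

```python
from datetime import datetime, timezone
from typing import Any, Dict, Optional

Lookup = Dict[str, Dict[str, Any]]


def apply_trigger(lookup: Lookup, key: str, action: str,
                  payload: Any = None, field: Optional[str] = None) -> Lookup:
    """Apply one trigger action to the lookup entry identified by `key`.

    action: "set" (create/overwrite fields), "add"/"sub" (counter +/- 1),
            "delete" (remove the entry). Returns the lookup for chaining.
    """
    if action == "delete":
        lookup.pop(key, None)               # deleting a missing key is a no-op
        return lookup
    entry = lookup.setdefault(key, {})      # key is the unique primary key
    if action == "set":
        entry.update(payload or {})         # e.g. event.created: !NOW, foo: bar
    elif action in ("add", "sub"):
        name = field or "_counter"          # omitted field name -> default _counter
        # Assumption: a missing counter is created as 0, then the +/-1 is applied.
        value = entry.setdefault(name, 0)
        entry[name] = value + 1 if action == "add" else value - 1
    else:
        raise ValueError(f"unknown trigger action: {action}")
    return lookup


def enrich(lookup: Lookup, event: Dict[str, Any]) -> Dict[str, Any]:
    """Model of !GET-style enrichment: attach the entry for the event's user.name."""
    entry = lookup.get(event.get("user.name"))
    return {**event, "user_list": entry} if entry else event


def demo() -> Lookup:
    """Replay the page's four triggers on constructed events keyed by user.name."""
    lookup: Lookup = {}
    now = datetime.now(timezone.utc).isoformat()   # stands in for !NOW
    apply_trigger(lookup, "alice", "set", {"event.created": now, "foo": "bar"})
    apply_trigger(lookup, "alice", "add", field="my_counter")   # add: my_counter
    apply_trigger(lookup, "alice", "add", field="my_counter")
    apply_trigger(lookup, "bob", "sub")            # sub with no field -> _counter
    apply_trigger(lookup, "carol", "delete")       # delete of a missing entry
    return lookup
```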