nano SIEM
Search Commands

lookup

Enrich search results with data from lookup tables. Add contextual information by matching fields against external datasets.

Description

The lookup command performs a join between your search results and a lookup table, adding fields from the lookup table to matching events. This is essential for enriching logs with threat intelligence, asset information, user details, or any other contextual data.

Lookup tables are managed through the nano UI and can contain IP reputation data, user mappings, asset inventories, or custom reference data.

Syntax

... | lookup <table_name> <key_field> [OUTPUT <field1>, <field2>, ...] [CASE_INSENSITIVE]

Required Arguments

table_name
Name of the lookup table to use. Must be configured in nano.

key_field
Field in your search results to match against the lookup table's key column.

Optional Arguments

OUTPUT
Syntax: OUTPUT <field1>, <field2>, ...
Description: Specific fields to add from the lookup table. If omitted, all fields are added.

CASE_INSENSITIVE
Syntax: CASE_INSENSITIVE
Description: Perform case-insensitive matching on the key field.

Examples

Basic IP enrichment

* | lookup ip_reputation src_ip

Adds all fields from the ip_reputation table for matching source IPs.

Specific output fields

* | lookup ip_reputation src_ip OUTPUT threat_score, category, country

Adds only the specified fields from the lookup table.

User information enrichment

* | lookup user_directory user OUTPUT full_name, department, manager
  | table user, full_name, department, action

Enriches events with user details from the user directory table.

Asset inventory lookup

* | lookup asset_inventory src_host OUTPUT asset_owner, asset_type, criticality
  | where criticality="high"

Adds asset information and filters for critical systems.

Threat intelligence

* | lookup threat_intel file_hash OUTPUT malware_family, threat_level, first_seen
  | where threat_level="high"

Enriches file hashes with threat intelligence.

Case-insensitive matching

* | lookup user_directory user OUTPUT full_name CASE_INSENSITIVE

Matches usernames regardless of case.

Multiple lookups

* | lookup ip_reputation src_ip OUTPUT src_threat_score
  | lookup ip_reputation dest_ip OUTPUT dest_threat_score
  | where src_threat_score > 50 OR dest_threat_score > 50

Enriches multiple fields with separate lookups.

Domain categorization

* | lookup domain_categories domain OUTPUT category, risk_level
  | stats count() by category, risk_level

Categorizes domains and analyzes distribution.

Vendor mapping

* | lookup vendor_mapping product_id OUTPUT vendor_name, product_name, version
  | table product_id, vendor_name, product_name

Maps product IDs to vendor information.

Geographic enrichment

* | lookup geo_ip src_ip OUTPUT country, city, latitude, longitude
  | stats count() by country

Adds geographic data for IP addresses.

Priority assignment

* | lookup user_priority user OUTPUT priority_level
  | where priority_level="executive"
  | table timestamp, user, action, src_ip

Identifies activity from high-priority users.

Service mapping

* | lookup service_catalog dest_port OUTPUT service_name, protocol, description
  | table dest_port, service_name, protocol

Maps port numbers to service names.

Compliance tagging

* | lookup data_classification file_path OUTPUT classification, retention_period
  | where classification="confidential"

Tags data with classification levels.

Cost center allocation

* | lookup cost_centers src_host OUTPUT cost_center, business_unit
  | stats sum(bytes) by cost_center

Allocates resource usage to cost centers.

Vulnerability correlation

* | lookup vulnerability_db software_version OUTPUT cve_ids, severity, patch_available
  | where severity="critical" AND patch_available=true

Correlates software versions with known vulnerabilities.

Enrich before aggregation

* | lookup ip_reputation src_ip OUTPUT country
  | stats count() by country, action
  | sort -count

Enriches data before aggregating.

Chain with other commands

* | lookup threat_intel file_hash OUTPUT threat_level
  | eval risk_score = if(threat_level="high", 100, 
                      if(threat_level="medium", 50, 10))
  | where risk_score > 50
  | table file_hash, threat_level, risk_score, src_host

Uses lookup results in calculations.

Lookup Table Management

Lookup tables are managed through the nano UI:

  1. Navigate to Settings > Enrichments > Lookup Tables
  2. Create or upload lookup tables (CSV format)
  3. Define the key column for matching
  4. Configure automatic updates if needed

Lookup Table Format

CSV format with headers:

ip_address,threat_score,category,country
192.168.1.100,85,malware,US
10.0.0.50,20,scanner,CN

Usage Notes

Performance: Lookups are optimized but can impact performance on very large result sets. Filter data before lookup when possible.

Key matching: The key field must exist in both your search results and the lookup table. Non-matching events are unchanged.

Field conflicts: If a lookup field already exists in your results, it's overwritten by the lookup value.

Null values: Events where the key field is null or empty are not enriched.

Case sensitivity: By default, matching is case-sensitive. Use CASE_INSENSITIVE for case-insensitive matching.

Multiple matches: If the lookup table has duplicate keys, the first match is used.

Missing lookups: If no match is found, the event is unchanged (no fields added).

Automatic enrichment: Some enrichments (like IP geolocation) happen automatically at ingestion time. Use lookup for custom enrichments.

Update frequency: Lookup tables can be configured to update automatically from external sources.
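The matching rules above (empty or missing keys are skipped, non-matching events pass through unchanged, OUTPUT restricts the copied columns, an existing field is overwritten by the lookup value, the first row wins on duplicate keys, and CASE_INSENSITIVE folds case) are easier to verify against concrete data. The following Python is an added example and not nano's own code: it reimplements those documented semantics over an in-memory CSV table in the format shown under "Lookup Table Format". The `key_column` argument stands in for the key column that nano configures in the UI, the behaviour that a lookup without OUTPUT copies every column except the key column is an assumption, and the tables and events are constructed.

```python
import csv
import io

# Constructed lookup table, in the CSV-with-headers format the page shows.
# The third row deliberately duplicates a key so the first-match rule is visible.
IP_REPUTATION_CSV = """ip_address,threat_score,category,country
192.168.1.100,85,malware,US
10.0.0.50,20,scanner,CN
10.0.0.50,99,duplicate,XX
"""

# Constructed directory table with mixed-case keys for the CASE_INSENSITIVE case.
USER_DIRECTORY_CSV = """user,full_name,department
ALICE,Alice Example,Security
bob,Bob Example,Finance
"""

# Constructed events standing in for search results.
EVENTS = [
    {"src_ip": "192.168.1.100", "user": "alice", "country": "ZZ"},  # country is overwritten
    {"src_ip": "10.0.0.50", "user": "Bob"},                          # duplicate key in table
    {"src_ip": "", "user": ""},                                      # empty key: not enriched
    {"src_ip": "172.16.0.9", "user": "carol"},                       # no match: unchanged
    {"action": "allow"},                                             # key field absent
]


def load_lookup_table(csv_text, key_column, case_insensitive=False):
    """Index CSV rows by their key column; on duplicate keys the first row wins."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = row[key_column]
        if case_insensitive:
            key = key.lower()
        table.setdefault(key, row)  # setdefault keeps the first occurrence
    return table


def lookup(events, table, key_field, key_column, output=None, case_insensitive=False):
    """Mirror the documented lookup semantics over an in-memory table.

    - events whose key field is missing, None or empty are returned unchanged
    - events with no matching table row are returned unchanged
    - output=[...] plays the role of OUTPUT and restricts the copied columns;
      with no OUTPUT every column except the key column is copied (assumption)
    - a copied column overwrites an existing event field of the same name
    """
    results = []
    for event in events:
        key = event.get(key_field)
        if key is None or key == "":
            results.append(dict(event))
            continue
        match = table.get(key.lower() if case_insensitive else key)
        if match is None:
            results.append(dict(event))
            continue
        columns = output if output is not None else [c for c in match if c != key_column]
        enriched = dict(event)
        for column in columns:
            if column in match:
                enriched[column] = match[column]
        results.append(enriched)
    return results


def enrich_events():
    """Chain two lookups the way the page's multi-lookup pipelines do."""
    ip_table = load_lookup_table(IP_REPUTATION_CSV, "ip_address")
    user_table = load_lookup_table(USER_DIRECTORY_CSV, "user", case_insensitive=True)
    step1 = lookup(EVENTS, ip_table, "src_ip", "ip_address",
                   output=["threat_score", "country"])
    return lookup(step1, user_table, "user", "user",
                  output=["full_name"], case_insensitive=True)


if __name__ == "__main__":
    for row in enrich_events():
        print(row)
```

Note that values read from the CSV arrive as strings; a pipeline that compares `threat_score > 50` as in the examples above relies on the SIEM treating the column numerically, so keep numeric columns free of stray whitespace or units when you build a table.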

Common Lookup Tables

IP Reputation: Threat scores, categories, known malicious IPs
Geo IP: Country, city, coordinates for IP addresses
User Directory: Employee information, departments, managers
Asset Inventory: System owners, criticality, locations
Threat Intelligence: File hashes, domains, indicators of compromise
Service Catalog: Port to service name mappings
Vendor Mappings: Product IDs to vendor information
Compliance Tags: Data classification, retention policies

Related Commands

  • eval - Calculate fields using lookup results
  • where - Filter based on enriched fields
  • stats - Aggregate enriched data
  • table - Display enriched fields