SecureWatch Lookup Tables User Guide v2.1.0ΒΆ
π Documentation Navigation: Main README | Quick Start | Data Ingestion | KQL Guide
OverviewΒΆ
The SecureWatch SIEM Lookup Tables system provides enterprise-grade data enrichment capabilities similar to Splunkβs lookup functionality, with modern enhancements for cybersecurity use cases. This guide covers everything from basic CSV uploads to advanced API integrations and search-time enrichment.
Table of ContentsΒΆ
Getting StartedΒΆ
Accessing Lookup TablesΒΆ
Navigate to Settings β Knowledge Objects β Lookups in the SecureWatch interface:
http://localhost:4000/settings/knowledge/lookups
Key ConceptsΒΆ
Lookup Table: A CSV file uploaded as a searchable database table
Key Field: The primary field used for lookups (e.g., IP address, username)
Enrichment: Automatic addition of fields to search results
External Lookup: API-based enrichment from external services
Uploading CSV Lookup TablesΒΆ
Step-by-Step Upload ProcessΒΆ
Prepare Your CSV File
Ensure first row contains column headers
Use consistent data formatting
Maximum file size: 50MB
Supported delimiters: comma, semicolon, tab, pipe
Upload Interface
Click βUpload CSVβ button
Select your CSV file
Configure upload options
Configuration Options
Key Field: The primary lookup field (required) Description: Optional description for the table Tags: Comma-separated tags for organization Delimiter: Character separating CSV values Has Header: Whether first row contains headers
Example CSV StructureΒΆ
ip_address,country,city,threat_level,last_seen
192.168.1.1,United States,New York,Low,2025-01-05
203.0.113.1,Unknown,Unknown,Critical,2025-01-04
8.8.8.8,United States,Mountain View,Safe,2025-01-05
Automatic Field DetectionΒΆ
The system automatically detects field types:
Type |
Detection Pattern |
Example |
|---|---|---|
IP Address |
IPv4/IPv6 format |
|
Contains @ symbol |
|
|
URL |
HTTP/HTTPS format |
|
Date |
ISO format |
|
Number |
Numeric values |
|
Boolean |
True/false values |
|
String |
Default fallback |
Any text |
Managing Lookup TablesΒΆ
Table OverviewΒΆ
The main interface displays:
Table Statistics: Record count, file size, last used
Status Indicators: Active/inactive status
Performance Metrics: Query count, cache hit rate
Actions: View, cache clear, delete
Table OperationsΒΆ
Viewing Table DetailsΒΆ
Click the eye icon to view:
- Field definitions and sample values
- Usage statistics
- Recent query performance
Cache ManagementΒΆ
Click the refresh icon to clear cached lookups
Useful after updating external data sources
Cache clears automatically after 5 minutes
Testing LookupsΒΆ
Use the Test Lookup tab to validate your data:
1. Select a lookup table
2. Enter a key value to search for
3. Specify return fields (optional)
4. View the lookup result
Search-Time EnrichmentΒΆ
Automatic EnrichmentΒΆ
Enrichment happens automatically during KQL searches when enabled:
// Search with enrichment enabled
const response = await fetch('/api/v1/search/execute', {
method: 'POST',
body: JSON.stringify({
query: 'Events | where src_ip contains "192.168"',
enrichment: {
enabled: true,
externalLookups: true
}
})
});
Enrichment ResultsΒΆ
Enriched search results include:
Additional Fields: New columns from lookup tables
Enrichment Metadata: Statistics about applied rules
Performance Info: Lookup count and processing time
Example enriched result:
{
"columns": [
{"name": "timestamp", "type": "datetime"},
{"name": "src_ip", "type": "ip"},
{"name": "geo_country", "type": "string", "enriched": true},
{"name": "threat_level", "type": "string", "enriched": true}
],
"enrichment": {
"applied": true,
"statistics": {
"appliedRules": ["ip-geolocation", "threat-intel"],
"totalLookups": 45,
"processingTime": 234
}
}
}
External API IntegrationΒΆ
Pre-configured APIsΒΆ
SecureWatch includes built-in support for:
1. VirusTotal IP LookupΒΆ
Purpose: IP reputation and threat intelligence
Fields: reputation, country, as_owner
Rate Limit: 500 requests/day (free tier)
2. AbuseIPDBΒΆ
Purpose: IP abuse confidence and geolocation
Fields: abuse_confidence, country_code, usage_type
Rate Limit: 1000 requests/day (free tier)
3. IPStack GeolocationΒΆ
Purpose: IP geolocation and ISP information
Fields: country, region, city, latitude, longitude
Rate Limit: 10,000 requests/month (free tier)
Custom API ConfigurationΒΆ
Create custom API lookups via the management interface:
{
"name": "Custom Threat Feed",
"baseUrl": "https://api.threatfeed.com/lookup",
"apiKey": "your-api-key",
"queryParams": {
"ip": "{value}",
"format": "json"
},
"fieldMapping": {
"input": "ip",
"output": {
"threat_score": "score",
"classification": "type",
"confidence": "confidence"
}
},
"rateLimit": {
"requests": 100,
"window": 3600
},
"cacheTTL": 3600
}
Enrichment RulesΒΆ
Rule ConfigurationΒΆ
Enrichment rules define how data is automatically added to search results:
{
"name": "IP Geolocation Enrichment",
"sourceField": "src_ip",
"lookupTable": "ip_geolocation",
"lookupKeyField": "ip_address",
"outputFields": [
{
"sourceField": "country",
"outputField": "geo_country",
"defaultValue": "Unknown"
},
{
"sourceField": "city",
"outputField": "geo_city",
"transform": "capitalize"
}
],
"conditions": [
{
"field": "event_type",
"operator": "contains",
"value": "network"
}
],
"priority": 100,
"isActive": true
}
Rule ComponentsΒΆ
Source FieldΒΆ
The field in your data to use for lookups (e.g., src_ip, username)
Output FieldsΒΆ
Define how lookup results map to enriched fields:
sourceField: Field from lookup table
outputField: New field name in results
defaultValue: Value when lookup fails
transform: Data transformation (uppercase, lowercase, trim, capitalize)
ConditionsΒΆ
Optional conditions to apply rules only when criteria are met:
equals: Exact match
contains: Substring match
startsWith: Prefix match
endsWith: Suffix match
regex: Regular expression match
PriorityΒΆ
Lower numbers = higher priority (rules applied in order)
Performance & AnalyticsΒΆ
Statistics DashboardΒΆ
Monitor lookup performance via the Statistics tab:
Usage MetricsΒΆ
Total Queries (24h): Number of lookups performed
Cache Hit Rate: Percentage of queries served from cache
Average Response Time: Mean query execution time
Error Rate: Percentage of failed lookups
Top TablesΒΆ
View most frequently used lookup tables:
Query count per table
Last usage timestamp
Performance trends
Optimization TipsΒΆ
IndexingΒΆ
Key fields are automatically indexed
Additional indexes created on common lookup fields
Up to 3 secondary indexes per table
Caching StrategyΒΆ
Cache Duration: 5 minutes (configurable)
Cache Storage: Redis
Cache Keys: lookup:{table}:{key}:{value}
Eviction: LRU with TTL
Batch ProcessingΒΆ
Large CSV files processed in 1000-record batches
Progress tracking during upload
Automatic error recovery
Sample Data & Use CasesΒΆ
Pre-loaded Lookup TablesΒΆ
SecureWatch includes sample data for common use cases:
1. IP Geolocation (ip_geolocation)ΒΆ
ip_address,country,city,latitude,longitude
8.8.8.8,United States,Mountain View,37.3860517,-122.0838511
1.1.1.1,Australia,Sydney,-33.8688197,151.2092955
Use Case: Enrich network events with geographic context
2. User Directory (user_directory)ΒΆ
username,department,title,risk_score,manager
john.doe,IT Security,Security Analyst,25,jane.smith
jane.smith,IT Security,CISO,15,ceo
Use Case: Add organizational context to authentication events
3. Asset Inventory (asset_inventory)ΒΆ
hostname,criticality,owner,environment,cost_center
web-server-01,High,alice.johnson,Production,IT-001
db-server-01,Critical,mike.brown,Production,IT-001
Use Case: Enhance host-based events with asset information
4. Threat Intelligence (threat_intel_ips)ΒΆ
ip_address,threat_type,confidence,severity,source
203.0.113.1,C2 Server,95,Critical,Threat Feed A
198.51.100.50,Scanning,75,High,Internal Detection
Use Case: Correlate network activity with known threats
Common Enrichment ScenariosΒΆ
Network SecurityΒΆ
Events
| where event_type == "firewall_block"
| lookup ip_geolocation src_ip as ip_address
| lookup threat_intel_ips src_ip as ip_address
Result: Firewall blocks enriched with geolocation and threat intelligence
User Behavior AnalyticsΒΆ
Events
| where event_type == "authentication"
| lookup user_directory user_name as username
Result: Authentication events enriched with user department and risk scores
Asset ManagementΒΆ
Events
| where event_type == "host_activity"
| lookup asset_inventory hostname as hostname
Result: Host events enriched with asset criticality and ownership
Best PracticesΒΆ
Data PreparationΒΆ
CSV FormattingΒΆ
β
Use consistent date formats (ISO 8601)
β
Include descriptive column headers
β
Handle missing values explicitly
β
Remove special characters from key fields
β
Use UTF-8 encoding
Key Field SelectionΒΆ
β
Choose fields with high uniqueness
β
Use normalized formats (lowercase, trimmed)
β
Consider multiple key fields for complex lookups
β
Validate key field data quality
Performance OptimizationΒΆ
Table Size ManagementΒΆ
Small Tables (< 1K records): Fast in-memory caching
Medium Tables (1K - 100K): Optimal for most use cases
Large Tables (> 100K): Consider data archival strategies
Query OptimizationΒΆ
β
Use specific return fields vs. SELECT *
β
Implement caching for frequently accessed data
β
Monitor query performance regularly
β
Archive old or unused tables
Security ConsiderationsΒΆ
Data SensitivityΒΆ
β οΈ Avoid uploading sensitive personal data
β οΈ Use data masking for production environments
β οΈ Implement access controls on sensitive tables
β οΈ Regular audit of uploaded data
API SecurityΒΆ
β
Store API keys securely
β
Use rate limiting to prevent abuse
β
Monitor external API usage
β
Implement retry logic with backoff
TroubleshootingΒΆ
Common Upload IssuesΒΆ
Large File Upload FailuresΒΆ
Problem: Upload timeout or memory errors
Solution:
- Split large files into smaller chunks
- Increase upload timeout settings
- Use streaming upload for very large files
Field Type Detection ErrorsΒΆ
Problem: Incorrect automatic type detection
Solution:
- Clean data before upload
- Use consistent formatting
- Manually verify field types after upload
Duplicate Key ErrorsΒΆ
Problem: Duplicate entries in key field
Solution:
- Remove duplicates from source CSV
- Choose a different key field
- Use composite keys if necessary
Performance IssuesΒΆ
Slow Lookup QueriesΒΆ
Diagnosis:
1. Check cache hit rate in statistics
2. Review query patterns and frequency
3. Analyze database index usage
Solutions:
- Increase cache TTL
- Add additional indexes
- Optimize query patterns
High Memory UsageΒΆ
Diagnosis:
1. Monitor Redis memory usage
2. Check for cache overflow
3. Review table sizes
Solutions:
- Implement cache eviction policies
- Reduce cache TTL for large tables
- Archive unused data
API Integration IssuesΒΆ
External API FailuresΒΆ
Common Causes:
- Rate limit exceeded
- Invalid API keys
- Network connectivity issues
- API service downtime
Solutions:
- Implement exponential backoff
- Monitor API quotas
- Use fallback data sources
- Cache API responses longer
Field Mapping ErrorsΒΆ
Problem: API response fields not mapping correctly
Solution:
- Validate API response structure
- Update field mapping configuration
- Test with sample API responses
API ReferenceΒΆ
REST EndpointsΒΆ
Upload Lookup TableΒΆ
POST /api/lookup-tables
Content-Type: multipart/form-data
file: CSV file
keyField: Primary lookup field
description: Optional description
tags: Comma-separated tags
Query Lookup TableΒΆ
GET /api/lookup-tables/query?table={name}&keyField={field}&keyValue={value}
POST /api/lookup-tables/query
{
"single": true,
"tableName": "ip_geolocation",
"keyField": "ip_address",
"keyValue": "8.8.8.8"
}
Search with EnrichmentΒΆ
POST /api/v1/search/execute
{
"query": "Events | limit 100",
"enrichment": {
"enabled": true,
"rules": ["ip-geolocation"],
"externalLookups": false
}
}
Configuration ManagementΒΆ
Enrichment RulesΒΆ
GET /api/search/enrich?action=rules
POST /api/enrichment-rules
PUT /api/enrichment-rules/{id}
DELETE /api/enrichment-rules/{id}
External API ConfigsΒΆ
GET /api/lookup-tables/external-apis
POST /api/lookup-tables/external-apis
PUT /api/lookup-tables/external-apis?id={id}
DELETE /api/lookup-tables/external-apis?id={id}
Enterprise Lookup Tables - Advanced data enrichment for SecureWatch SIEM π