
Lookups

 

Use the JSA Lookups Content Extension to closely monitor your Lookups deployment.

JSA Lookups Content Extension V1.0.1

Internal changes with no user impact.


JSA Lookups Content Extension V1.0.0

The following table shows the custom functions that are new or updated in JSA Lookups Content Extension V1.0.0.

Table 1: Custom Functions in JSA Lookups Content Extension V1.0.0 (columns: Name, Description). Each entry below gives the function signature, followed by its description, parameters, and an example query.

LOOKUPS::CONTAINS( <URL>, <VALUE>, <HTTP HEADERS> )

Returns TRUE if the VALUE is contained in the data structure that is located at the specified URL. Supports either a plain-text file or a JSON file with an array in it. HTTP HEADERS is a JSON structure that passes in authentication information or other headers, if required.

  • URL--A fully qualified URL that points at the resource to be loaded into the lookup. The URL must be accessible by the JSA Console, and by any JSA event processors and flow processors. The response of the URL retrieval is treated as a text file. Each line in the response is loaded as a value in the lookup. Example: https://192.0.2.0/md5_blacklist.txt

  • VALUE--The value to look for in the lookup. In most situations the value is a property of an event or a flow. Example: File_Hash

  • HTTP HEADERS--A string that contains JSON key-value pairs. Each key-value pair is appended as an HTTP header to the request that fetches the lookup, so that you can pass information such as authentication credentials. Example: '{"Authorization":"abcde-abcde-abcde-abcde-abcde"}'

Example:

SELECT sourceIP, destinationIP, username, File_Hash FROM events WHERE LOOKUPS::CONTAINS('https://192.0.2.0/md5_blacklist.txt', File_Hash, '{"Authorization":"abcde-abcde-abcde-abcde-abcde"}')

LOOKUPS::MATCH( <URL>, <VALUE>, <HTTP HEADERS> )

Returns the regular expression that matches if the VALUE matches any of the regular expressions that are contained in the data structure that is located at the specified URL. Supports either a plain-text file or the JSA reference set API. HTTP HEADERS is a JSON structure that passes in authentication information or other headers, if required.

  • URL--A fully qualified URL that points at the resource to be tested. The URL must be accessible by the JSA Console, and by any JSA event processors and flow processors. The response of the URL retrieval can be one of these formats:

    • A plain text file. Each line in the response is loaded as a regular expression in the lookup.

    • A JSON file that contains a single list entry. Each entry in the list is loaded as a regular expression in the lookup.

    • A URL pointing at the JSA reference set API. Each entry in the reference set is loaded as a regular expression in the lookup.

    Example: https://example.com/api/reference_data/sets/url_blacklist

  • VALUE--The value to look for regular expression matches in the lookup. In most situations the value is a property of an event or a flow. Example: URL

  • HTTP HEADERS--A string that contains JSON key-value pairs. Each key-value pair is appended as an HTTP header to the request that fetches the lookup, so that you can pass information such as authentication credentials. Example: '{"SEC":"abcde-abcde-abcde-abcde-abcde"}'

Example:

SELECT sourceIP, destinationIP, username, File_Hash FROM events WHERE LOOKUPS::MATCH('https://example.com/api/reference_data/sets/url_blacklist', URL, '{"SEC":"abcde-abcde-abcde-abcde-abcde"}') IS NOT NULL

LOOKUPS::CIDRLIST( <URL>, <VALUE>, <HTTP HEADERS> )

Returns the matching Classless Inter-Domain Routing (CIDR) if the VALUE matches any of the CIDR expressions that are contained in the data structure that is located at the specified URL. Supports either a plain-text file, or the JSA reference set API. HTTP HEADERS is a JSON structure that passes in authentication information or other headers, if required.

  • URL--A fully qualified URL that points at the resource to be tested. The URL must be accessible by the JSA Console, and by any JSA event processors and flow processors. The response of the URL retrieval can be one of these formats:

    • A plain text file. Each line in the response is loaded as a CIDR expression in the lookup.

    • A JSON file that contains a single list entry. Each entry in the list is loaded as a CIDR expression in the lookup.

    • A URL pointing at the JSA reference set API. Each entry in the reference set is loaded as a CIDR expression in the lookup.

    Example: https://example.com/api/reference_data/sets/cidr_blacklist

  • VALUE--The value to look for CIDR expression matches in the lookup. In most situations the value is a property of an event or a flow that resolves to an IP address. Example: sourceIP

  • HTTP HEADERS--A string that contains JSON key-value pairs. Each key-value pair is appended as an HTTP header to the request that fetches the lookup, so that you can pass information such as authentication credentials. Example: '{"SEC":"abcde-abcde-abcde-abcde-abcde"}'

Example:

SELECT sourceIP, destinationIP, username, File_Hash FROM events WHERE LOOKUPS::CIDRLIST('https://example.com/api/reference_data/sets/cidr_blacklist', sourceIP, '{"SEC":"abcde-abcde-abcde-abcde-abcde"}') IS NOT NULL

LOOKUPS::MATCH_CSV( <URL>, <INDEX>, <VALUE>, <HTTP HEADERS> )

Returns the matching expression if the VALUE matches any of the regular expressions that are contained in the column referenced by INDEX in the CSV at the specified URL. Supports a CSV file that contains columns, of which one is a regular expression. HTTP HEADERS is a JSON structure that allows you to pass in authentication information or other headers, if required.

  • URL--A fully qualified URL that points at the resource to be loaded into the lookup. The URL must be accessible by the JSA Console, and by any JSA event processors and flow processors. The response of the URL retrieval must be a CSV file. The INDEX field in each row is loaded as a regular expression in the lookup. Example: https://192.0.2.0/blacklist.csv

  • INDEX--The field number (column) of each row that should be loaded into the lookup. Example: 2

  • VALUE--The value to look for in the lookup. In most situations the value is a property of an event or a flow. Example: File_Hash

  • HTTP HEADERS--A string that contains JSON key-value pairs. Each key-value pair is appended as an HTTP header to the request that fetches the lookup, so that you can pass information such as authentication credentials. Example: '{"Authorization":"abcde-abcde-abcde-abcde-abcde"}'

Example:

SELECT sourceIP, destinationIP, username, File_Hash FROM events WHERE LOOKUPS::MATCH_CSV('http://192.0.2.0/blacklist.csv', 2, userName, '{"Authorization":"abcde-abcde-abcde-abcde-abcde"}') IS NOT NULL
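The following is an added example, not code from the JSA Lookups Content Extension or its documentation: a local Python model of how the four functions in Table 1 turn a fetched response (plain text, JSON list, reference set API object, or CSV column) into a lookup and test a VALUE against it. The reference set API response shape ({"data": [{"value": ...}]}) is an assumption, and the sample bodies are constructed rather than fetched from a URL.

```python
# Added example (not the JSA extension's own code): a local model of how the
# LOOKUPS::* functions turn a fetched resource into a lookup and test a VALUE
# against it. The reference set API response shape {"data": [{"value": ...}]}
# is an assumption; the sample bodies below are constructed, not fetched.
import csv, io, ipaddress, json, re

def load_entries(body, index=None):
    """Parse a response body into lookup entries: a CSV column (INDEX is
    1-based), a JSON list, a reference-set object (assumed shape), or one
    entry per line of plain text."""
    text = body.strip()
    if index is not None:
        return [r[index - 1] for r in csv.reader(io.StringIO(text)) if len(r) >= index]
    try:
        doc = json.loads(text)
    except ValueError:
        doc = None
    if isinstance(doc, list):
        return [str(v) for v in doc]
    if isinstance(doc, dict):  # assumed reference set API shape
        return [str(item["value"]) for item in doc.get("data", [])]
    return [line.strip() for line in text.splitlines() if line.strip()]

def contains(body, value):  # LOOKUPS::CONTAINS: exact membership -> bool
    return value in set(load_entries(body))

def match(body, value):  # LOOKUPS::MATCH: first regex that matches, else None
    return next((p for p in load_entries(body) if re.search(p, value)), None)

def cidrlist(body, value):  # LOOKUPS::CIDRLIST: first CIDR containing VALUE, else None
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None  # VALUE did not resolve to an IP address
    for entry in load_entries(body):
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return entry
        except ValueError:
            continue  # skip a malformed CIDR rather than failing the whole query
    return None

def match_csv(body, index, value):  # LOOKUPS::MATCH_CSV: regex from column INDEX
    return next((p for p in load_entries(body, index) if re.search(p, value)), None)

# Constructed sample bodies standing in for the URLs the documentation fetches.
MD5_LIST = "0123456789abcdef0123456789abcdef\nfedcba9876543210fedcba9876543210\n"
URL_SET = json.dumps({"data": [{"value": r"^https?://evil\.example/"}, {"value": r"\.exe$"}]})
CIDR_JSON = json.dumps(["198.51.100.0/24", "203.0.113.0/24"])
BLACKLIST_CSV = "1,admin.*,disabled\n2,^svc_,service accounts\n"
```

Because MATCH, CIDRLIST and MATCH_CSV return the matching entry rather than a boolean, the AQL examples above test the result with IS NOT NULL; the same convention is mirrored here by returning None on no match.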
