Lookup datasets - Administrator Guide - Cortex XDR - Cortex

Lookup datasets - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product

Cortex XDR

Creation date

2024-03-06

Last date published

2025-03-23

Category

Administrator Guide

Abstract

Learn more about lookup datasets to correlate data from a data source with events in your environment.

Lookup datasets enable you to correlate data from a data source you provide with the events in your environment. For example, you can create a lookup with a list of high-value assets, terminated employees, or service accounts in your environment. Use lookups in your search, detection rules, and threat hunting. Lookups are stored as name-value pairs and are cached for optimal query performance and low latency.

Lookup tables support low frequency changes of up to 1200 modifications per day. Changes are implemented whenever a lookup dataset is edited, where only one person can edit the file. Concurrent users editing the file is not supported.

Investigate threats and respond to incidents quickly with the rapid import of IP addresses, file hashes, and other data from CSV files. After you import the data, use lookup name-value pairs for joins and filters in threat hunting and general queries.
Import business data as a lookup. For example, import user lists with privileged system access, or terminated employees. Then, use the lookup to create allowlists and blocklists to detect or prevent those users from logging in to the network.
Create allowlists to suppress alerts from a group of users, such as users from authorized IP addresses that perform tasks that would normally trigger the alert. Prevent benign events from becoming alerts.
Enrich event data. Use lookups to enrich your event data with name-value combinations derived from external data sources.

You can import or create a lookup dataset, and then reference the values for a certain key, run queries and take action. Lookup datasets are created by any of the following methods:

Manual upload from a CSV, TSV, or JSON file to Cortex XDR from the Dataset Management page. For more information, see Import a lookup dataset.
Automatic upload by the Files and Folders Collector.
Query results are saved to a lookup dataset. If saved using the target stage, the Type can be either User or Lookup. For more information, see the target stage in the XQL Language Reference Guide.

After a lookup a dataset is imported, you can always edit the dataset to update the data manually by right-clicking the dataset and selecting Edit.

Note

A lookup dataset can only be deleted if there are no other dependencies. For example, if a Correlation Rule is based on a lookup dataset, you wouldn't be able to delete the lookup dataset until you removed the dataset from the XQL query of the Correlation Rule.