Lookup datasets - Administrator Guide - Cortex XDR - Cortex

Lookup datasets - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product

Cortex XDR

License

Pro

Creation date

2024-02-26

Last date published

2024-04-21

Category

Administrator Guide

Abstract

Learn more about lookup datasets to correlate data from a data source with events in your environment.

Lookup datasets enable you to correlate data from a data source you provide with the events in your environment. For example, you can create a lookup with a list of high-value assets, terminated employees, or service accounts in your environment. Use lookups in your search, detection rules, and threat hunting. Lookups are stored as name-value pairs and are cached for optimal query performance and low latency.

Investigate threats and respond to incidents quickly with the rapid import of IP addresses, file hashes, and other data from CSV files. After you import the data, use lookup name-value pairs for joins and filters in threat hunting and general queries.
Import business data as a lookup. For example, import user lists with privileged system access, or terminated employees. Then, use the lookup to create allowlists and blocklists to detect or prevent those users from logging in to the network.
Create allowlists to suppress alerts from a group of users, such as users from authorized IP addresses that perform tasks that would normally trigger the alert. Prevent benign events from becoming alerts.
Enrich event data. Use lookups to enrich your event data with name-value combinations derived from external data sources.

You can import or create a lookup dataset, and then reference the values for a certain key, run queries and take action. Lookup datasets are created by any of the following methods:

Manual upload from a CSV, TSV, or JSON file to Cortex XDR from the Dataset Management page. For more information, see Import a lookup dataset.
Automatic upload by the Files and Folders Collector.
Query results are saved to a lookup dataset. If saved using the target stage, the Type can be either User or Lookup. For more information, see the target stage in the XQL Language Reference Guide.

After a lookup a dataset is imported, you can always edit the dataset to update the data manually by right-clicking the dataset and selecting Edit.