docs/cse/records-signals-entities-insights/configure-entity-lookup-table.md
17 additions & 8 deletions
@@ -26,25 +26,34 @@ In addition, in some systems a user or a host has both a name and a unique ID, t
*`d8ece0f8-10a4-3c62-b8a3-2e636a3a0509`
*`testk-122.testlabs.local`
-
Multiple identifiers for the same user or host are a problem when it comes to correlating Signals around a common Entity: unless you allow for all permutations of a username or hostname, your rule or search won’t function as intended with all data sources.
+
Multiple identifiers for the same user or host are a problem when it comes to correlating Signals around a common Entity. Unless you allow for all permutations of a username or hostname, your rule or search won’t function as intended with all data sources.
+
+
### Examples of when you create Lookup Tables
+
+
Following are some examples of situations when you'd want to use Entity Lookup Tables:
+
* CrowdStrike FDR data uses an agent ID (AID) instead of a hostname for some messages.
+
* Mail Transfer Agent (MTA) systems report usernames in an email format.
+
* Your users have different login names on different systems (for example, Windows, Linux, and AWS).
+
+
### How does an Entity Lookup Table work?
An Entity Lookup Table defines two sets of values: a lookup value to look for in an incoming message and a substitution value. You can create Entity Lookup Tables to support the following types of normalization:
***Host ID to Normalized Hostname**
***User ID to Normalized Username**
***Username to Normalized Username**
-
Entity Lookup Tables are based on Sumo Logic’s Lookup Tables feature. Here is an example of a **Host ID to Normalized Hostname** Lookup Table in the Sumo Logic Library:
+
Entity Lookup Tables are based on Sumo Logic’s [Lookup Tables](/docs/search/lookup-tables/) feature. Here is an example of a **Host ID to Normalized Hostname** Lookup Table in the Sumo Logic Library:
You can configure a maximum of five Entity Lookup Tables.
+
Before you configure a Lookup Table in Cloud SIEM, you must [create the Lookup Table](/docs/search/lookup-tables/create-lookup-table/) in the Sumo Logic platform. There are a variety of ways to create a Lookup Table.
-
##Creating a Lookup Table
+
### Limitations
-
Before you configure a Lookup Table in Cloud SIEM, you must create the Lookup Table in the Sumo Logic platform. There are a variety of ways to create a Lookup Table.
+
You can configure a maximum of five Entity Lookup Tables.
### Populate table from inventory data
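Review bot: replacing the H2 `##Creating a Lookup Table` with the H3 `### Limitations` flattens the page structure: `### Populate table from inventory data` and `### Configure the Lookup Table in Cloud SIEM` lose their parent section, and the sentence "Before you configure a Lookup Table in Cloud SIEM, you must create the Lookup Table" now sits under "How does an Entity Lookup Table work?" instead of under a creation section. Suggest keeping an H2 such as `## Create a Lookup Table` (with the space the old heading was missing) above `### Limitations`, so the five-table cap and the creation methods stay grouped. The new heading `### Examples of when you create Lookup Tables` also reads awkwardly; `### When to create an Entity Lookup Table` matches the terminology used in the rest of the page.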
@@ -56,11 +65,11 @@ This method–the typical way to populate a Lookup Table for the purpose of Enti
If you already have a Lookup Table that contains normalization data, you can configure it in Cloud SIEM. Or, if you have existing normalization data that is not currently in a Lookup Table you can create a Lookup Table with that data. Note that your Lookup Table must contain a field that contains a lookup value and one that contains a substitution value. There is no requirement for particular column names.
-
For instructions, see the Create a Lookup Table topic. After creating the table, perform the steps in [Configure the Lookup Table in Cloud SIEM](#configure-the-lookup-table-in-cloud-siem), below.
+
For instructions, see [Create a Lookup Table](/docs/search/lookup-tables/create-lookup-table/). After creating the table, perform the steps in [Configure the Lookup Table in Cloud SIEM](#configure-the-lookup-table-in-cloud-siem), below.
### Configure the Lookup Table in Cloud SIEM
-
After you’ve created your Entity Lookup Table in the Sumo Logic Library, you can configure it in Cloud SIEM.
+
After you've [created your Entity Lookup Table](/docs/search/lookup-tables/create-lookup-table/) in the Sumo Logic Library, you can configure it in Cloud SIEM.
1.[**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui). In the top menu select **Configuration**, and then under **Entities** select **Normalization**. <br/>[**New UI**](/docs/cse/introduction-to-cloud-siem/#new-ui). In the top menu select **Configuration**, and then under **Cloud SIEM Entities** select **Normalization**. You can also click the **Go To...** menu at the top of the screen and select **Normalization**.
1. On the **Entity Normalization** page, click **Lookup Tables**.
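Review bot: the unchanged step line `1.[**Classic UI**](/docs/cse/introduction-to-cloud-siem/#classic-ui)` has no space between `1.` and the link, so CommonMark will not render it as a list item; since this section is being touched, change it to `1. [**Classic UI**]...`. Also, the same target `/docs/search/lookup-tables/create-lookup-table/` is now linked in two consecutive sentences ("For instructions, see Create a Lookup Table" and "After you've created your Entity Lookup Table"); one link, in the "For instructions" sentence, is enough.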
docs/search/lookup-tables/create-lookup-table.md
9 additions & 6 deletions
@@ -6,18 +6,21 @@ description: Learn about lookup tables and how to create and manage them.
import useBaseUrl from '@docusaurus/useBaseUrl';
-
This section has instructions for creating and and managing Lookup Tables using the Sumo Logic UI.
+
This section has instructions for creating Lookup Tables using the Sumo Logic UI.
-
:::tip
-
You can also use the [Lookups API](https://api.sumologic.com/docs/#tag/lookupManagement) to create and manage Lookup Tables.
-
:::
-
-
For information about updating, exporting, and sharing Lookup Tables, see [Manage and Update Lookup Tables](manage-update-lookup-tables.md).
+
For additional articles about lookup tables, see the following:
+
* To update, export, and share Lookup Tables, see [Manage and Update Lookup Tables](manage-update-lookup-tables.md).
+
* To configure a Lookup Table for use in Cloud SIEM, see [Configure an Entity Lookup Table](/docs/cse/records-signals-entities-insights/configure-entity-lookup-table/).
+
* To populate a Lookup Table with Cloud SIEM inventory data, see [Save Inventory Data to a Lookup Table](/docs/cse/administration/save-inventory-data-lookup-table/).
:::note
New Lookup Tables are available in all deployments except Sumo Logic's Montreal deployment, pending AWS providing a required AWS service in the Montreal region.
:::
+
:::tip
+
You can also use the [Lookups API](https://api.sumologic.com/docs/#tag/lookupManagement) to create and manage Lookup Tables.
+
:::
+
## Introduction to Lookup Tables
A Lookup Table is a table of data hosted on Sumo Logic that you can use to enrich the log data received by Sumo Logic. For example, in a Sumo Logic log search, you'd refer to a Lookup Table of user account data to map the user ID in an incoming log to a row in the Lookup Table, and return other attributes of that user, for instance, email address or phone number. The fields you look up appear as part of your search results.
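Review bot: the new intro line "For additional articles about lookup tables, see the following:" uses lowercase "lookup tables" while every other line in the hunk, including the three bullets it introduces, capitalizes "Lookup Tables"; make it consistent. Moving the API `:::tip` below the Montreal `:::note` also leaves two admonitions back to back directly above "## Introduction to Lookup Tables"; consider placing the tip after the introduction paragraph, where the Lookups API reads as an alternative to the UI the section describes.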