Lookup Tables

The lookup tables feature lets you upload a custom data set into Uptycs through the API so that event scripts can reference it later, for example as a whitelist / blacklist or for decoration.

This document illustrates the capability with one example, a table of common Trojan ports. All files used in the example are attached below.


-- Create table

$ urestapi -k <api_key> -m POST -a /lookupTables -D tcp_trojan_table.json

-- Load data

$ urestapi -k <api_key> -m POST -a /lookupTables/<tcp_table_id>/data -D tcp_trojan_table_data.json

-- Enable lookup table

$ urestapi -k <api_key> -m PUT -a /lookupTables/<tcp_table_id> -D lookup_table_activate.json


-- Example output

$ urestapi -k ../api_keys/strial.json -m POST -a /lookupTables -D tcp_trojan_table.json
{
    "active": false,
    "createdAt": "2019-08-22T17:45:39.901Z",
    "createdBy": "7a6de25a-8090-454d-90a2-8e3214fadb2b",
    "customerId": "71e3a781-5c28-4723-854b-81d8920f6e76",
    "description": null,
    "id": "f01ed0f6-abc6-4d94-81b0-cedc65757fed",
    "idField": "port",
    "links": [
        {
            "href": "/api/customers/71e3a781-5c28-4723-854b-81d8920f6e76/lookupTables/f01ed0f6-abc6-4d94-81b0-cedc65757fed",
            "rel": "self",
            "title": "Lookup table information"
        },
        {
            "href": "/api/customers/71e3a781-5c28-4723-854b-81d8920f6e76/lookupTables",
            "rel": "parent",
            "title": "Lookup tables information"
        }
    ],
    "name": "tcp_port_trojan",
    "rowCount": 0,
    "updatedAt": "2019-08-22T17:45:39.901Z",
    "updatedBy": "7a6de25a-8090-454d-90a2-8e3214fadb2b"
}

$ urestapi -k ../api_keys/strial.json -m POST -a /lookupTables/f01ed0f6-abc6-4d94-81b0-cedc65757fed/data -D tcp_trojan_table_data.json
{
    "failedRows": [],
    "successCount": 93
}

$ urestapi -k ../api_keys/strial.json -m PUT -a /lookupTables/f01ed0f6-abc6-4d94-81b0-cedc65757fed -D lookup_table_activate.json
{
    "active": true,
    "createdAt": "2019-08-22T17:45:39.901Z",
    "createdBy": "7a6de25a-8090-454d-90a2-8e3214fadb2b",
    "customerId": "71e3a781-5c28-4723-854b-81d8920f6e76",
    "description": null,
    "id": "f01ed0f6-abc6-4d94-81b0-cedc65757fed",
    "idField": "port",
    "name": "tcp_port_trojan",
    "rowCount": 93,
    "updatedAt": "2019-08-22T17:54:00.222Z",
    "updatedBy": "7a6de25a-8090-454d-90a2-8e3214fadb2b"
}



Modifying data in existing lookup tables

  • Additional rows can be loaded (inserted) into an existing lookup table with a POST to its data endpoint.
  • Rows in an existing lookup table cannot be updated or deleted. To replace the data, create a new lookup table with the same name, load the data into the new table and activate it; activating the new table automatically deletes the lookup table created earlier.
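The create, load and activate steps above, combined with the replacement rule just described, as an added example that is not part of this article or of Uptycs' own code. It drives the three endpoints through an injectable `send(method, path, body)` callable and refuses to activate a table whose load was incomplete, so a partial list never replaces the complete one; the request body shapes (`name`/`idField`, `data`, `active`) and the `FakeUptycs` stand-in are assumptions, and the sample rows are constructed.

```python
from typing import Any, Callable, Dict, List


def replace_lookup_table(send: Callable[..., Dict[str, Any]], name: str,
                         id_field: str, rows: List[Dict[str, str]]) -> Dict[str, Any]:
    """Create, load, verify, then activate a table via send(method, path, body).

    Activating a same-named table deletes the older one, so a partial load
    must never reach the PUT. Request body shapes are assumptions.
    """
    created = send("POST", "/lookupTables", {"name": name, "idField": id_field})
    if created["active"] or created["rowCount"] != 0:
        raise RuntimeError("fresh table should be inactive and empty")
    tid = created["id"]
    loaded = send("POST", f"/lookupTables/{tid}/data", {"data": rows})
    if loaded["failedRows"] or loaded["successCount"] != len(rows):
        raise RuntimeError(f"load incomplete, {tid} left inactive: {loaded}")
    active = send("PUT", f"/lookupTables/{tid}", {"active": True})
    if not active["active"] or active["rowCount"] != len(rows):
        raise RuntimeError(f"activation did not confirm {len(rows)} rows")
    return active


class FakeUptycs:
    """In-memory stand-in (assumed); replies mirror the fields in the page output."""
    def __init__(self) -> None:
        self.tables: Dict[str, Dict[str, Any]] = {}

    def __call__(self, method: str, path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        parts = path.strip("/").split("/")
        if method == "POST" and parts == ["lookupTables"]:
            tid = f"constructed-id-{len(self.tables) + 1}"
            self.tables[tid] = {"id": tid, "name": body["name"], "active": False,
                                "idField": body["idField"], "rowCount": 0}
            return dict(self.tables[tid])
        table = self.tables[parts[1]]
        if method == "POST" and parts[-1] == "data":
            # Rows lacking the id field are rejected, as failedRows in the page output.
            failed = [r for r in body["data"] if table["idField"] not in r]
            table["rowCount"] += len(body["data"]) - len(failed)
            return {"failedRows": failed, "successCount": len(body["data"]) - len(failed)}
        if method == "PUT" and body.get("active"):
            # Activation deletes any earlier table with the same name.
            for old in [k for k, t in self.tables.items()
                        if t["name"] == table["name"] and k != table["id"]]:
                del self.tables[old]
            table["active"] = True
            return dict(table)
        raise ValueError(f"unhandled request {method} {path}")
```

Swap `FakeUptycs` for a callable that performs the real HTTP request with your API key to run the same workflow against the service.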

