Lookups

Use the IBM Security QRadar Lookups Content Extension to test event and flow properties in AQL queries against lists that are fetched from external URLs, such as file-hash, URL, and CIDR blocklists, or from the QRadar reference set API.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Lookups Content Extension V1.0.1

Internal changes with no user impact.


IBM Security QRadar Lookups Content Extension V1.0.0

The following table shows the custom functions that are new or updated in IBM Security QRadar Lookups Content Extension V1.0.0.

Table 1. Custom Functions in IBM Security QRadar Lookups Content Extension V1.0.0
Name Description
LOOKUPS::CONTAINS( <URL>, <VALUE>, <HTTP HEADERS> )

Returns TRUE if the VALUE is contained in the data structure that is located at the specified URL, and FALSE otherwise. Supports either a plain-text file or a JSON file that contains a single array. HTTP HEADERS is a JSON structure that passes in authentication information or other headers, if required.

URL
A fully qualified URL that points at the resource to be loaded into the lookup. The URL must be accessible by the QRadar Console, and by any QRadar event processors and flow processors.
The response of the URL retrieval can be one of these formats:
  • A plain text file. Each line in the response is loaded as a value in the lookup.
  • A JSON file that contains a single array. Each element of the array is loaded as a value in the lookup.
Example: https://192.0.2.0/md5_blacklist.txt
VALUE
The value to look for in the lookup. In most situations the value is a property of an event or a flow.
Example: File_Hash
HTTP HEADERS
A string that contains JSON key-value pairs. Each key-value pair is appended as an HTTP header to the request that fetches the lookup so that you can pass information such as authentication credentials. Because the header values are sent with every fetch, use an HTTPS URL when the headers carry credentials.
Example: '{"Authorization":"abcde-abcde-abcde-abcde-abcde"}'

Example:

SELECT sourceIP, destinationIP, username, File_Hash
FROM events
WHERE LOOKUPS::CONTAINS('https://192.0.2.0/md5_blacklist.txt', File_Hash,
'{"Authorization":"abcde-abcde-abcde-abcde-abcde"}')
LOOKUPS::MATCH( <URL>, <VALUE>, <HTTP HEADERS> )

Returns the first regular expression in the lookup that the VALUE matches, or NULL if the VALUE matches none of the regular expressions that are contained in the data structure that is located at the specified URL. Supports a plain-text file, a JSON file that contains a single list, or the QRadar reference set API. HTTP HEADERS is a JSON structure that passes in authentication information or other headers, if required.

URL
A fully qualified URL that points at the resource to be tested. The URL must be accessible by the QRadar Console, and by any QRadar event processors and flow processors.
The response of the URL retrieval can be one of these formats:
  • A plain text file. Each line in the response is loaded as a regular expression in the lookup.
  • A JSON file that contains a single list entry. Each entry in the list is loaded as a regular expression in the lookup.
  • A URL pointing at the QRadar reference set API. Each entry in the reference set is loaded as a regular expression in the lookup.
Example: https://example.com/api/reference_data/sets/url_blacklist
VALUE
The value to look for regular expression matches in the lookup. In most situations the value is a property of an event or a flow.
Example: URL
HTTP HEADERS
A string that contains JSON key-value pairs. Each key-value pair is appended as an HTTP header to the request that fetches the lookup so that you can pass information such as authentication credentials.
Example: '{"SEC":"abcde-abcde-abcde-abcde-abcde"}'

Example:

SELECT sourceIP, destinationIP, username, File_Hash
FROM events
WHERE LOOKUPS::MATCH('https://example.com/api/reference_data/sets/url_blacklist',
URL, '{"SEC":"abcde-abcde-abcde-abcde-abcde"}')
IS NOT NULL 
LOOKUPS::CIDRLIST( <URL>, <VALUE>, <HTTP HEADERS> )

Returns the first Classless Inter-Domain Routing (CIDR) expression in the lookup that contains the VALUE, or NULL if the VALUE matches none of the CIDR expressions that are contained in the data structure that is located at the specified URL. Supports a plain-text file, a JSON file that contains a single list, or the QRadar reference set API. HTTP HEADERS is a JSON structure that passes in authentication information or other headers, if required.

URL
A fully qualified URL that points at the resource to be tested. The URL must be accessible by the QRadar Console, and by any QRadar event processors and flow processors.
The response of the URL retrieval can be one of these formats:
  • A plain text file. Each line in the response is loaded as a CIDR expression in the lookup.
  • A JSON file that contains a single list entry. Each entry in the list is loaded as a CIDR expression in the lookup.
  • A URL pointing at the QRadar reference set API. Each entry in the reference set is loaded as a CIDR expression in the lookup.
Example: https://example.com/api/reference_data/sets/cidr_blacklist
VALUE
The value to look for CIDR expression matches in the lookup. In most situations the value is a property of an event or a flow that resolves to an IP address.
Example: sourceIP
HTTP HEADERS
A string that contains JSON key-value pairs. Each key-value pair is appended as an HTTP header to the request that fetches the lookup so that you can pass information such as authentication credentials.
Example: '{"SEC":"abcde-abcde-abcde-abcde-abcde"}'

Example:

SELECT sourceIP, destinationIP, username, File_Hash
FROM events
WHERE LOOKUPS::CIDRLIST('https://example.com/api/reference_data/sets/cidr_blacklist',
sourceIP, '{"SEC":"abcde-abcde-abcde-abcde-abcde"}')
IS NOT NULL 
LOOKUPS::MATCH_CSV( <URL>, <INDEX>, <VALUE>, <HTTP HEADERS> )

Returns the first regular expression in the lookup that the VALUE matches, or NULL if the VALUE matches none of the regular expressions that are contained in the column referenced by INDEX in the CSV at the specified URL. Supports a CSV file that contains multiple columns, one of which holds a regular expression. HTTP HEADERS is a JSON structure that passes in authentication information or other headers, if required.

URL
A fully qualified URL that points at the resource to be loaded into the lookup. The URL must be accessible by the QRadar Console, and by any QRadar event processors and flow processors.
The response of the URL retrieval must be a CSV file. The INDEX field in each row is loaded as a regular expression in the lookup.
Example: https://192.0.2.0/blacklist.csv
INDEX
The field number of each row that is loaded into the lookup.
Example: 2
VALUE
The value to look for in the lookup. In most situations the value is a property of an event or a flow.
Example: username
HTTP HEADERS
A string that contains JSON key-value pairs. Each key-value pair is appended as an HTTP header to the request that fetches the lookup so that you can pass information such as authentication credentials. Because the header values are sent with every fetch, use an HTTPS URL when the headers carry credentials.
Example: '{"Authorization":"abcde-abcde-abcde-abcde-abcde"}'

Example:

SELECT sourceIP, destinationIP, username, File_Hash
FROM events
WHERE LOOKUPS::MATCH_CSV('https://192.0.2.0/blacklist.csv', 2, username,
'{"Authorization":"abcde-abcde-abcde-abcde-abcde"}')
IS NOT NULL 
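The following Python script is an added illustration, not code from the Lookups Content Extension or from IBM. It builds the source formats that the four functions above consume (plain text, a JSON array, and a CSV with a regular-expression column), loads them the way the table says each function does, and applies the result semantics that the AQL examples rely on: CONTAINS yields a boolean, and MATCH, CIDRLIST, and MATCH_CSV yield the matching entry or nothing (NULL in AQL, None here). It also validates the HTTP HEADERS argument and refuses to send an Authorization or SEC header over plain HTTP. Assumed, because the page does not state them: INDEX counts from 1, regular expressions are applied with search rather than full-match semantics, and an entry that fails to parse is skipped rather than failing the whole lookup. The sample lists, header strings, and event are constructed for this example.

```python
"""Offline model of the lookups that the LOOKUPS:: functions consume (added example)."""
import csv
import io
import ipaddress
import json
import re
from typing import Optional

# Constructed stand-ins for the bodies that the lookup URLs would return.
MD5_BLOCKLIST_TXT = "44d88612fea8a8f36de82e1278abb02f\nd41d8cd98f00b204e9800998ecf8427e\n"
URL_PATTERNS_JSON = json.dumps([r"^https?://[^/]*\.example\.net/", r"/wp-login\.php\?", "("])
CIDR_BLOCKLIST_TXT = "192.0.2.0/24\n198.51.100.0/25\nnot-a-cidr\n2001:db8::/32\n"
USERNAME_CSV = "1,^svc-.*$,constructed\n2,^admin[0-9]+$,constructed\n"  # no header row


def load_entries(body: str) -> list[str]:
    """Plain text (one entry per line, blank lines ignored) or a JSON array."""
    if body.lstrip().startswith("["):
        data = json.loads(body)
        if not isinstance(data, list):
            raise ValueError("expected a JSON array at top level")
        return [str(item) for item in data]
    return [line.strip() for line in body.splitlines() if line.strip()]


def load_csv_column(body: str, index: int) -> list[str]:
    """Field INDEX (assumed 1-based) of every CSV row; short or empty fields are skipped."""
    return [row[index - 1].strip() for row in csv.reader(io.StringIO(body))
            if len(row) >= index and row[index - 1].strip()]


def compile_patterns(entries: list[str]) -> list[tuple[str, re.Pattern]]:
    """Compile each entry once; an entry that is not a valid regex is dropped (assumption)."""
    compiled = []
    for entry in entries:
        try:
            compiled.append((entry, re.compile(entry)))
        except re.error:
            pass  # one bad line must not break the whole lookup
    return compiled


def lookups_contains(body: str, value: str) -> bool:
    """LOOKUPS::CONTAINS: exact membership test against the loaded values."""
    return value in set(load_entries(body))


def lookups_match(body: str, value: str) -> Optional[str]:
    """LOOKUPS::MATCH: first regular expression that matches VALUE, else None (NULL)."""
    for text, pattern in compile_patterns(load_entries(body)):
        if pattern.search(value):
            return text
    return None


def lookups_cidrlist(body: str, value: str) -> Optional[str]:
    """LOOKUPS::CIDRLIST: first CIDR that contains VALUE, else None (NULL)."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None  # the property did not resolve to an IP address
    for entry in load_entries(body):
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # malformed CIDR line is skipped (assumption)
        if net.version == addr.version and addr in net:
            return entry
    return None


def lookups_match_csv(body: str, index: int, value: str) -> Optional[str]:
    """LOOKUPS::MATCH_CSV: first regex in column INDEX that matches VALUE, else None."""
    for text, pattern in compile_patterns(load_csv_column(body, index)):
        if pattern.search(value):
            return text
    return None


def parse_http_headers(headers_json: str) -> dict[str, str]:
    """Validate the HTTP HEADERS argument: a JSON object whose values are all strings."""
    headers = json.loads(headers_json)
    if not isinstance(headers, dict) or not all(
            isinstance(k, str) and isinstance(v, str) for k, v in headers.items()):
        raise ValueError("HTTP HEADERS must be a JSON object of string values")
    return headers


def credential_header_is_safe(url: str, headers_json: str) -> bool:
    """True unless an Authorization or SEC header would be sent over plain HTTP."""
    sensitive = {"authorization", "sec"}
    carries_secret = any(k.lower() in sensitive for k in parse_http_headers(headers_json))
    return not carries_secret or url.lower().startswith("https://")


def evaluate(event: dict) -> dict:
    """Mirror the WHERE clauses of the AQL examples above for one event."""
    return {
        "hash_listed": lookups_contains(MD5_BLOCKLIST_TXT, event["File_Hash"]),
        "url_pattern": lookups_match(URL_PATTERNS_JSON, event["URL"]),
        "source_cidr": lookups_cidrlist(CIDR_BLOCKLIST_TXT, event["sourceIP"]),
        "user_pattern": lookups_match_csv(USERNAME_CSV, 2, event["username"]),
    }


if __name__ == "__main__":
    # Constructed event with the properties that the AQL examples select.
    sample = {"sourceIP": "192.0.2.77", "destinationIP": "203.0.113.5",
              "username": "admin42", "URL": "http://cdn.example.net/x.js",
              "File_Hash": "d41d8cd98f00b204e9800998ecf8427e"}
    print(evaluate(sample))
```

Each AQL `IS NOT NULL` test in the examples corresponds to a non-None return value here. The deliberately invalid entries in the constructed lists (`(` in the JSON array and `not-a-cidr` in the CIDR list) show why a lookup source should be validated before it is published: the extension's own handling of a malformed line is not described on this page, so treat the skip-and-continue behaviour above as an assumption and check your lists with a script like this one before pointing a rule at them.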
