Lookup Lists Overview

Important

This page contains information for Distributed Cloud AIP organizations that have migrated to the new Managed Rules functionality. Early access to the new Rules page is available now. Please contact your Customer Success team to request access. For more information, see Managed Rules: More Details.

Lookup lists allow you to reuse a set of values (such as usernames or IP addresses) across rules, filters, and suppressions in your organization. You can use F5 Distributed Cloud App Infrastructure Protection (AIP)’s centrally managed lookup lists and/or create custom lookup lists that are specific to your organization’s needs.

For more information, see Manage Lookup Lists.

Access Lookup Lists
  1. Log in to Distributed Cloud AIP.
  2. In the left navigation pane, click Rules. The Rules page displays.
  3. Open the rule drawer of any rule in the rule list.
  4. On the Select a data set to view menu, select Lookup Lists from the dropdown menu. The available lookup lists in your organization display.

Note

You can view all available lookup lists from the rule drawer of any rule in your organization.

Types of Lookup Lists

Managed Lookup Lists

Distributed Cloud AIP centrally manages lookup lists that you can use in your organization without handling maintenance or management on your end. You cannot edit the display name, variable name, or values of a managed lookup list.

For more information, see Insert Lookup Lists into Filters and Suppressions.

Example:

If you build a rule that flags known malicious IP addresses, you can use the Distributed Cloud AIP-managed list of bad actor IP addresses with the @AIP_AWSIPRanges list tag.

The MANAGED label indicates a Distributed Cloud AIP-managed lookup list. Managed lookup list variable (@) names are prepended with “AIP_” (Example: @AIP_AWSIPRanges).

Unmanaged Lookup Lists

You can create custom lookup lists that are not managed by Distributed Cloud AIP with values that are specific to your organization’s needs. When you modify a custom lookup list in one location, those changes apply to all rules using that list, so that you can more easily update and maintain rule filters and suppressions.

For more information, see Insert Lookup Lists into Filters and Suppressions.

Search for Events Using Lookup Lists

You can insert a managed or unmanaged lookup list into a search on the Events page to refine the search query. For more information about event search query language, see Supported Keys and Operators.

Note

The lookup list variable (@) name is case sensitive.

Example

Given an unmanaged lookup list with the variable name @inactive_users that includes the values “root” and “one”, the following search query in the Events tab returns all events where the user is “root” OR “one”:

    user in @inactive_users
