Manage Lookup Lists

Important

This page contains information for Distributed Cloud AIP organizations that have migrated to the new Managed Rules functionality. Early access to the new Rules page is available now. Please contact your Customer Success team to request access. For more information, see Managed Rules: More Details.

Lookup lists allow you to reuse a set of values (such as usernames or IP addresses) across rules, filters, and suppressions in your organization. You can use F5 Distributed Cloud App Infrastructure Protection (AIP)’s centrally managed lookup lists and/or create custom lookup lists that are specific to your organization’s needs.

For more information, see Lookup Lists Overview.

Create an Unmanaged Lookup List

You can create custom lookup lists with values that are specific to your organization’s needs.

  1. On the Rules page, open the details drawer of any rule.

  2. On the Select a data set to view menu, select Lookup Lists from the dropdown menu. A chart of available lookup lists in your organization displays.

  3. Click the + Add Lookup Lists button. A new row for your lookup list displays in the chart.

  4. Enter a display name for the lookup list.
  5. Enter a Variable Name for the lookup list.
    • The variable name must be unique.

    • Distributed Cloud AIP automatically adds the @ symbol to the beginning of the variable name after you create the list. You do not need to add it manually when you type the list name.

  6. Enter the List Values for the lookup list. Separate each value with a comma. (Example: 1, 2, 3, a, b).
    • These values can contain special characters, including spaces.
  7. Press the Enter key. The lookup list is created.

Note

Once you create the list, you cannot change the variable name, but you can edit the display name and list values. See the Edit an Unmanaged Lookup List section below.

Insert Lookup Lists into Filters and Suppressions

You can insert both managed and unmanaged lookup lists into rule filters and suppressions using the following format: @<variablename>. For more information about filter and suppression query language, see Supported Keys and Operators.

Note

The lookup list variable (@) name is case sensitive.

Example Rule Filter

event_type = "login" and user in @AIP_AWSIPRanges

In this rule filter, @AIP_AWSIPRanges represents a managed lookup list in the organization. The rule looks for IP addresses on a watch list attempting to log into the infrastructure.


Example Rule Suppression

event_type = "login" and user in @inactive_users

In this rule suppression, @inactive_users represents an unmanaged lookup list in the organization. When this suppression is attached, the rule does not alert if users on the list attempt to log into the infrastructure.
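
Because the variable name is case sensitive, a reference such as @Inactive_Users does not match a list named @inactive_users. The following Python script is an added example (not F5 code and not part of the product) that checks filter and suppression strings against a set of list variable names and reports which expressions use a given list. The list inventory, the expressions, and the assumption that variable names contain only letters, digits and underscores are constructed for illustration.

```python
import re

# Assumption: variable names use letters, digits and underscores, as in the
# page's examples (@AIP_AWSIPRanges, @inactive_users).
REF = re.compile(r"@([A-Za-z0-9_]+)")
QUOTED = re.compile(r'"[^"]*"')


def references(expression):
    """Return the @variable names used in one filter or suppression."""
    # Blank out quoted literals so "ops@example.com" is not read as a list.
    return REF.findall(QUOTED.sub('""', expression))


def check_references(expression, known_lists):
    """Return (name, problem) for each reference that matches no list exactly."""
    by_lower = {name.lower(): name for name in known_lists}
    findings = []
    for name in references(expression):
        if name in known_lists:
            continue
        if name.lower() in by_lower:
            findings.append((name, "case mismatch with @" + by_lower[name.lower()]))
        else:
            findings.append((name, "unknown lookup list"))
    return findings


def used_by(expressions, variable_name):
    """Return the expressions that reference a list, e.g. before deleting it."""
    return [e for e in expressions if variable_name in references(e)]


# Constructed inventory of variable names (stored without the leading @).
LISTS = {"AIP_AWSIPRanges", "inactive_users"}

# Constructed filter and suppression expressions.
EXPRESSIONS = [
    'event_type = "login" and user in @AIP_AWSIPRanges',
    'event_type = "login" and user in @Inactive_Users',
    'event_type = "login" and user in @contractors',
    'user = "ops@example.com" and user in @inactive_users',
]

if __name__ == "__main__":
    for expr in EXPRESSIONS:
        for name, problem in check_references(expr, LISTS):
            print(f"@{name}: {problem} in: {expr}")
    print("references to @inactive_users:", used_by(EXPRESSIONS, "inactive_users"))
```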


Edit an Unmanaged Lookup List

Note

You cannot change the variable (@) name of a list once it is created.

To edit an existing unmanaged lookup list’s display name or list values:

  1. On the Rules page, open the details drawer of any rule.

  2. On the Select a data set to view menu, select Lookup Lists from the dropdown menu. A chart of available lookup lists in your organization displays.

  3. On the unmanaged lookup list to edit, double click on the text to change.

  4. Type the new display name and/or list values.

  5. Press the Enter key. The changes to your lookup list are saved.

Delete an Unmanaged Lookup List

Deleting an unmanaged lookup list permanently deletes it from your organization.

Note

You cannot delete a managed lookup list from your organization.

  1. On the Rules page, open the details drawer of any rule.

  2. On the Select a data set to view menu, select Lookup Lists from the dropdown menu. The chart of available lookup lists in your organization displays.

  3. Select the unmanaged lookup list to delete.

  4. Click the trash can icon.

  5. On the Delete selected row? popup, click Delete. The lookup list is permanently deleted.
