Working with Lookup Table Data

The following sections are available. For information on importing Lookup Table Data APIs, refer to the latest Integration API Guide.

Usage Notes: Lookup table data may not be immediately available for Rules and Reports. Supervisor pushes the Lookup table changes to the Supervisor Redis database once every 5 minutes. Supervisor Master Redis immediately pushes the data to the Worker Slave Redis databases. Rule, Report and Query modules on Supervisor and Worker nodes re-read the Lookup tables from local Redis database, once every 5 minutes. Therefore in the worst case, it may take 10 minutes for data to be propagated to the analytics modules. Rules and Reports using Lookup tables should show the correct results after 10 minutes (worst case). In practice, FortiSIEM will have the results show up between 5 and 10 minutes.

• Adding Lookup Table Data

• Deleting Lookup Table Data

• Editing Lookup Table Data

• Importing Lookup Table Data

Note: A maximum of 10 million entries is allowed before the rest of the data is truncated.

Adding Lookup Table Data

To add Lookup table data to your Lookup table, take the following steps:

1. From the RESOURCES > Lookup Tables page, select your Lookup table.

2. Click View.

3. Click New.

4. Enter the Key or Column data.

5. Click Save.

Deleting Lookup Table Data

1. From the RESOURCES > Lookup Tables page, select your Lookup table.

2. Click View.

3. Select the row of data you wish to delete.

4. Click Delete.

5. Click Yes to confirm.

Editing Lookup Table Data

To edit Lookup table data in your Lookup table, take the following steps:

1. From the RESOURCES > Lookup Tables page, select your Lookup table.

2. Click View.

3. Select the row you wish to edit.

4. Click Edit.

5. Enter the new Key or Column data.

6. Click Save.

Importing Lookup Table Data

You can import lookup table data from user-defined lookup tables or from a system-defined lookup table.

Note: System-defined lookup table data can only be imported via Report.

To import Lookup table data from a Lookup table, take the following steps:

1. From the RESOURCES > Lookup Tables page, select the Lookup table you wish to import.

2. Click Import.

From the Import window, select one of the following depending on the Lookup table type (user or system defined) and continue with the instructions that follow.

User-defined Lookup Table Data

• Import from a CSV file
• Update via API
• Import via Report

System-defined Lookup Table Data

• Import System Defined Lookup Table Data via Report

Importing from a CSV File

If Import from a CSV file is selected, take the following steps:

1. Click Choose File, and select your CSV file.

2. In the Field Separator field, select the character that represents your separator for data.

3. In the Field Quote Char field, select the character that represents the beginning and end quotation used for strings.

4. Select Ignore Header to ignore the header from your CSV file.

5. Click the Mapping edit icon to define your data with your schema.

   1. From the Mapped Field drop-down list, select the key or column.

   2. From the Position drop-down list, select the position of the data from the csv file that should map to the key or column.

   3. Click + to create a new row.

   4. Click Save when done mapping your data.

6. Click Save.

Update via API

If Update via API is selected, take the following steps:

1. In the URL field, enter the API URL endpoint.

2. In the User field, enter the user name to access the API endpoint.

3. In the Password field, enter the password to access the API endpoint.

4. In the Field Separator, enter the character that represents your separator for data.

5. In the Mapping field, click the edit icon and take the following steps:

   1. From the Mapped Field drop-down list, select an existing mapping to set its position.

   2. From the Position drop-down list, select the position of the data from the csv file that should map to the key or column.

   3. Click + to add a new row for any additional mapping that is needed.

   4. Click Save when done mapping your data.

6. In the Schedule field, set the time which the update should occur by doing the following:

   1. In the Start Time field, set the time.

   2. In the Schedule Recurrence Pattern, set the period.

   3. Click OK when done.

7. Click Save.

Import via Report

If Import via Report is selected, take the following steps:

1. Click the Report edit icon.

2. Select a Report or CMDB Report, and click OK.
   

3. Click the Mapping edit icon.

4. From the Mapping dialog box, take the following steps:

   1. From the Mapped drop-down list, select an existing mapping to set its position.

   2. In the Attribute field, select or type the associated attribute to use.

   3. Click + to add a new row for any additional mapping that is needed.

   4. Click Save when done mapping your data.

5. Click the Enabled checkbox to configure a schedule.

6. Click the Schedule edit icon.

7. In the Schedule Report Time Range dialog box, do the following:

   1. In the Time Zone row, select the appropriate time from the drop-down lists.

   2. Select Relative or Absolute time, and then enter the information for period of time for recurrence.

   3. From the Trend Interval drop-down list, select the period of recurrence.

   4. Click Next.

8. In the Schedule Time Range dialog box, do the following:

   1. Enter the scheduling information using the Start Time fields/drop-down list.

   2. Under Schedule Recurrence Pattern, enter/select when the schedeul repeats.

   3. Under Schedule Recurrence Range, enter the Start date.

   4. Under Schedule Recurrence Range, choose/enter the time that the schedule ends.

   5. Click Next.

9. In the Schedule Retention dialog box, do the following:

   1. Under Retention, enter/choose the period of time for retaining reports.

   2. Click OK.

10. Click Save to save the Schedule configuration.

11. Click Run now to import the data.

Import System Defined Lookup Table Data via Report

If Import via Report is selected for a system-defined Lookup table, take the following steps:

1. Click the Enabled checkbox to configure a schedule.

2. Click the Schedule edit icon.

3. In the Schedule Report Time Range dialog box, do the following:

   1. In the Time Zone row, select the appropriate time from the drop-down lists.

   2. Select Relative or Absolute time, and then enter the information for period of time for recurrence.

   3. From the Trend Interval drop-down list, select the period of recurrence.

   4. Click Next.

4. In the Schedule Time Range dialog box, do the following:

   1. Enter the scheduling information using the Start Time fields/drop-down list.

   2. Under Schedule Recurrence Pattern, enter/select when the schedeul repeats.

   3. Under Schedule Recurrence Range, enter the Start date.

   4. Under Schedule Recurrence Range, choose/enter the time that the schedule ends.

   5. Click Next.

5. In the Schedule Retention dialog box, do the following:

   1. Under Retention, enter/choose the period of time for retaining reports.

   2. Click OK.

6. Click Save to save the Schedule configuration.

7. Click Run now to import the data.