The Salamander method: How to maintain dynamic Splunk Lookups

Alex Teixeira
Published in Detect FYI
5 min read, Sep 5, 2023


In this post I describe one building block that detection engineers often rely on when designing detections and enrichment use cases: the Splunk lookup.

The topic becomes particularly important when lookups are built from dynamic, ever-changing data, because a lookup that is loaded once and never refreshed quietly goes stale, and every detection or enrichment that depends on it degrades with it. Below are just a few scenarios:

  • User account and device enrichment from a CMDB or asset inventory
  • IP address enrichment from DHCP and endpoint logs
  • Baseline lookups (anomaly detection, behavioral analytics)
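To make the second scenario concrete, here is an added example of a scheduled search that keeps an IP-to-hostname lookup current from DHCP lease logs. It is my own generic pattern, not the post's Salamander method (which is not reproduced on this page). It assumes an hourly schedule, an index `dhcp` with sourcetype `isc:dhcp` whose events carry the fields `ip`, `host_name` and `mac`, and a CSV lookup `ip_to_host.csv` with the columns `ip`, `host_name`, `mac`, `last_seen`; all of those names are assumptions and will differ per environment.

```spl
index=dhcp sourcetype="isc:dhcp" earliest=-65m@m latest=now
| stats max(_time) as last_seen latest(host_name) as host_name latest(mac) as mac by ip
| inputlookup append=true ip_to_host.csv
| eval _time=last_seen
| stats max(last_seen) as last_seen latest(host_name) as host_name latest(mac) as mac by ip
| where last_seen >= relative_time(now(), "-30d@d")
| outputlookup override_if_empty=false ip_to_host.csv
```

How it works: the first `stats` collapses the last hour of leases (with a five-minute overlap so a delayed scheduled run does not leave a gap) to one row per IP. `inputlookup append=true` adds the previously saved rows to those results, and `eval _time=last_seen` restores `_time` on both sets so that the second `stats` can pick the newest hostname and MAC per IP with `latest()` while carrying the most recent `last_seen` forward. The `where` clause expires entries not seen for 30 days, so the lookup does not grow without bound and a recycled address does not keep an old owner. Two practical caveats: `inputlookup` fails if the CSV does not exist yet, so seed it once with an empty file containing only the header row; and `override_if_empty=false` prevents a run that returns zero rows (an ingestion outage, a broken sourcetype) from overwriting the lookup with nothing. For large tables, or when several searches write to the same lookup, a KV store collection is a better target than a CSV file.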


I design and build threat detection and triage/hunting SIEM/EDR/XDR content for Enterprise #SecOps teams #DetectionEngineering http://opstune.com