The Salamander method: How to maintain dynamic Splunk Lookups
Published Sep 5, 2023
In this post I describe one important building block, the lookup table, that detection engineers often rely upon when designing detections and other enrichment use cases.
This topic becomes particularly important when lookups are built from dynamic, ever-changing data. Below are just a few scenarios where that is the case:
- User accounts and devices enrichment from CMDB/Inventory
- IP address enrichment from DHCP/Endpoint logs
- Baseline Lookups (Anomaly Detection, Behavioral Analytics)
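To make the "ever-changing data" problem concrete, here is an added example (not the author's Salamander method and not code from the original post) of a scheduled search that keeps an IP-to-host enrichment lookup current from DHCP lease events. The index name `dhcp`, the sourcetype `dhcp_lease`, the field names `ip`, `hostname` and `mac`, and the lookup file `dhcp_ip_to_host.csv` are all assumed for illustration; substitute your own.

```spl
| search index=dhcp sourcetype=dhcp_lease earliest=-1h
| stats max(_time) as last_seen latest(hostname) as hostname latest(mac) as mac by ip
| inputlookup append=true dhcp_ip_to_host.csv
| sort 0 -last_seen
| dedup ip
| where last_seen > relative_time(now(), "-30d@d")
| table ip hostname mac last_seen
| outputlookup dhcp_ip_to_host.csv
```

Run on a schedule (for example, every hour with `earliest=-1h`), the search first summarises the newest lease per IP seen in the window, then appends the rows already in the lookup, keeps only the most recent row per IP (`sort 0 -last_seen` followed by `dedup ip`), expires entries not refreshed within 30 days so stale assignments do not pollute enrichment, and writes the merged result back. Because `inputlookup` errors when the file does not yet exist, seed the lookup once with the same search minus the `inputlookup` line before enabling the schedule.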