{"id":20827651,"url":"https://github.com/bonifield/lookup_tables","last_synced_at":"2026-03-19T17:42:39.630Z","repository":{"id":212220913,"uuid":"272461327","full_name":"bonifield/lookup_tables","owner":"bonifield","description":"a collection of useful CSVs","archived":false,"fork":false,"pushed_at":"2025-01-26T22:16:53.000Z","size":243,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-12-26T10:05:26.039Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bonifield.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-06-15T14:31:07.000Z","updated_at":"2025-01-26T22:16:57.000Z","dependencies_parsed_at":"2025-03-12T07:37:43.010Z","dependency_job_id":null,"html_url":"https://github.com/bonifield/lookup_tables","commit_stats":null,"previous_names":["bonifield/lookup_tables"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/bonifield/lookup_tables","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bonifield%2Flookup_tables","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bonifield%2Flookup_tables/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bonifield%2Flookup_tables/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bonifield%2Flookup_tables/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bonifield","download_url
":"https://codeload.github.com/bonifield/lookup_tables/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bonifield%2Flookup_tables/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30517787,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-14T19:51:21.629Z","status":"ssl_error","status_checked_at":"2026-03-14T19:51:12.959Z","response_time":57,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-17T23:12:36.708Z","updated_at":"2026-03-14T21:08:09.290Z","avatar_url":"https://github.com/bonifield.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Lookup Tables\n\n### A collection of various useful lookup tables for Splunk, or any other program that can parse CSVs (Python, Excel, etc). 
Lookups provide an easy way to enrich your data by using a separate file to add context to your logs.\n\n### Regarding Splunk lookups, here is [official Splunk lookup documentation](https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/DefineanautomaticlookupinSplunkWeb), this one from [Hurricane Labs](https://www.hurricanelabs.com/blog/splunk-enterprise-security-automatic-identity-lookup-tables-using-active-directory-ldap), or follow the steps below:\n- Settings --\u003e Lookups\n\t- Lookup table files --\u003e Add new\n\t\t- upload the table, provide the name of the file as it will appear in Splunk (just use the same name AND INCLUDE THE EXTENSION)\n\t- Lookup definitions --\u003e Add new\n\t\t- select the app (likely Search), set the name (same as the CSV name, MINUS the extension, or with _definition suffix), File-based, select the lookup added in the previous step\n\t\t- Advanced options --\u003e un-check \"Case sensitive match\"\n\t- Automatic lookups --\u003e Add new\n\t\t- set the name, select the lookup definition (again, based on the file uploaded), set the sourcetype to be affected\n\t\t- input field: left is the name inside the CSV/definition, right is field name CURRENTLY in the Splunk database. 
This is how the CSV joins/aligns itself to Splunk data.\n\t\t- output field: left is the name inside the CSV/definition, right is field name as it WILL appear in Splunk query results\n\n### The general naming convention, with few exceptions, is *type*_*field-name-as-seen-in-Splunk*_table.csv\n\n### TO DO:\n- Get all of the lists!\n\n### Lookup Tables\n- dns_record_types.csv\n\t- DNS record types from [Wikipedia](https://en.wikipedia.org/wiki/List_of_DNS_record_types)\n- html_link_dict.dictionary\n\t- collection of HTML tags and attributes known to contain links (though some may contain other objects); not all-inclusive; used by [extractlinks](https://github.com/bonifield/extractlinks) as \"link_dict\"\n- mitre_attack_v7_table.csv\n\t- [MITRE ATT\u0026CK framework](https://attack.mitre.org/) v7, including sub-techniques\n\t- updated 2020-07-29\n- network_http_status.csv\n\t- for HTTP codes, from [Splunk documentation](https://wiki.splunk.com/Http_status.csv)\n\t- useful for Zeek or any other log type where HTTP status codes are found\n- sysmon_EventCode_table.csv\n\t- for [Sysmon event codes](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)\n- windows_EventCode_table.csv\n\t- Windows 7/Vista/8/10, Windows Server 2008/2012R2/2016/2019\n\t- sources: [Ultimate Windows Security](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/), [Andrea Fortuna](https://www.andreafortuna.org/2019/06/12/windows-security-event-logs-my-own-cheatsheet/)\n- windows_EventCode_table_old-XP-2000-2003.csv\n\t- Windows 2000/XP and Windows Server 2003\n\t- sources: [Ultimate Windows Security](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/), [Andrea Fortuna](https://www.andreafortuna.org/2019/06/12/windows-security-event-logs-my-own-cheatsheet/)\n- windows_ControlAccessRights_table.csv\n\t- sources: [MS-ADTS 5.1.3.2.1 Control Access Rights](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1522b774-6464-41a3-87a5-1e5633c3fbbb), 
[Access Control Entry definition](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_b581857f-39aa-4979-876b-daba67a40f15)\n- windows_Impersonation_Level_table.csv\n\t- for COM impersonation levels, seen in Windows Security logs, from [Microsoft](https://docs.microsoft.com/en-us/windows/win32/com/impersonation-levels) documentation\n- windows_Logon_Type_table.csv\n\t- collection of Windows logon types, seen in Windows Security logs, from [Microsoft](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc787567(v=ws.10)) documentation\n- windows_ProcessSpecificAccessRights_table.csv\n\t- describes Windows process-specific access rights; useful for investigating Sysmon event code 10, \"Process Access\"\n\t- sources: [Microsoft](https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights?redirectedfrom=MSDN), [Roberto Rodriguez](https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html)\n- windows_system_error_codes_table.csv\n\t- collection of Windows error codes, from [Microsoft](https://docs.microsoft.com/en-us/windows/win32/debug/system-error-codes) documentation\n- wlan_frame_types.csv\n\t- types (management, control, data, extension) and subtypes (probe request, response, etc.)\n\t- source: [Wikipedia](https://en.wikipedia.org/wiki/802.11_Frame_Types)\n\t- note: if using Python and Scapy, use zfill if desired: ```type = str(bin(pkt.type)[2:].zfill(2))``` ```subType = str(bin(pkt.subtype)[2:].zfill(4))```\n- wlan_frame_types.dictionary\n\t- a Python dictionary version of [wlan_frame_types.csv](https://github.com/bonifield/lookup_tables/blob/master/wlan_frame_types.csv)\n\t- optionally use ```typeName = types[type][\"description\"]``` ```subTypeName = types[type][\"subtype\"][subType][\"description\"]``` if also using the above type/subType variables\n- zeek_conn_state_table.csv\n\t- for Zeek's [conn_state](https://docs.zeek.org/en/current/scripts/base/protocols/conn/main.zeek.html) field\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbonifield%2Flookup_tables","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbonifield%2Flookup_tables","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbonifield%2Flookup_tables/lists"}