Users can create their own public or private lookup by creating an Add-on. Creating a lookup Add-on enables you to create a list of IPs, domain names or hashes that you can use as part of D&R rules.
When created publicly, Add-ons can be used by other members of the community and are available in the Add-ons section. When created privately, Add-ons are restricted to rules in organizations the creator is a member of.
Lookups support a few structures:
Newline-separated values.
JSON dictionary where keys are the elements of the lookup and the values are the metadata associated.
YAML dictionary where keys are the elements of the lookup and the values are the metadata associated.
OTX JSON Pulse.
MISP JSON Feed.
Details on optimized structures can be found here.
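As an added example (not code from the product or its documentation), the following script converts a newline-separated list into the JSON dictionary structure described above and reports entries that are not an IP, domain name or hash before the list is published. The metadata keys `type` and `source`, the comment-line skipping and the lowercasing are assumptions of this example, not a documented schema.

```python
import ipaddress
import json
import re

# Constructed sample feed (newline-separated values); every entry is made up,
# the hash is the MD5 of empty input.
SAMPLE_FEED = """\
# comment line (skipping these is this example's choice)
Bad-Domain.example
198.51.100.7
bad-domain.example
d41d8cd98f00b204e9800998ecf8427e
not a valid entry
"""
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def classify(value):
    """Return 'ip', 'domain', a hash type, or None if unrecognised."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if HEX_RE.match(value) and len(value) in HASH_LENGTHS:
        return HASH_LENGTHS[len(value)]
    return "domain" if DOMAIN_RE.match(value) else None

def build_lookup(text, source="constructed-example"):
    """Turn newline-separated values into {element: metadata}; also return rejects."""
    lookup, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        value = raw.strip().lower()  # assumption: normalise case before publishing
        if not value or value.startswith("#"):
            continue
        kind = classify(value)
        if kind is None:
            rejected.append((lineno, raw))  # report, do not publish silently
            continue
        lookup.setdefault(value, {"type": kind, "source": source})  # dedupe
    return lookup, rejected

if __name__ == "__main__":
    lookup, rejected = build_lookup(SAMPLE_FEED)
    print(json.dumps(lookup, indent=2))  # JSON dictionary form of the lookup
    print("rejected lines:", rejected)
```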
Create an Add-on
Add-ons can be created from the Add-ons view accessible in the upper right menu of the web application.
Once on the Add-ons view, click on Published in the left-hand menu, which will open the following dialogue.
Fill in the fields. Once you select a Category, you will be presented with the lookup-specific configuration. There are three ways to define your lookup source:
The actual lookup content. For example, a list of bad domain names.
As a URL callback, where your data is a URL like https://www.my.data or https://www.mydata/threat-feed.json.
As an Authenticated Resource Locator (ARL) (the preferred method).
For simplicity, this example demonstrates a URL callback.