Dashboard
Account 🔐
Sign Up
Login
Global Leaderboard
Game Vault
Badge Backpack
Blue Team Glossary
Login and start playing
Leaving so soon?
×
You really want to log out? We were having so much fun!
Home
›
Glossary
›
Kusto
›
lookup
Lookup
Kusto
Definition
The `lookup` operator in Kusto Query Language (KQL) is used to enrich a dataset by adding columns from another table based on a matching key. It works similarly to a simplified join, allowing you to quickly map additional context—such as user details, asset information, or threat intelligence—to your primary dataset. Unlike a full `join`, `lookup` is optimized for scenarios where one table (typically smaller) acts as a reference table. It automatically matches rows based on a specified column and appends the corresponding values, making queries simpler and often more performant for enrichment tasks.
Related Terms
Join
Examples & Use Cases
``` SecurityEvents | lookup Users on UserId ``` If SecurityEvents contains: UserId: 1001 UserId: 1002 And Users contains: UserId: 1001, Name: Alice UserId: 1002, Name: Bob The result will include: UserId: 1001, Name: Alice UserId: 1002, Name: Bob The `Name` column is added to the original dataset based on the matching `UserId`. --- ## Enriching with Threat Intelligence ``` SigninLogs | lookup ThreatIntel on IPAddress ``` This can be used to append threat intelligence data (such as reputation or risk score) to authentication logs, helping analysts quickly identify suspicious connections. --- ## Using Different Column Names ``` SecurityEvents | lookup kind=leftouter Users on $left.AccountId == $right.UserId ``` This allows matching on columns with different names while preserving all records from the left table. --- ## Filtering After Lookup ``` SigninLogs | lookup ThreatIntel on IPAddress | where ThreatLevel == "High" ``` After enrichment, you can filter based on the newly added columns. --- ## Why it matters Many security datasets lack context on their own. The `lookup` operator allows analysts to quickly enrich raw data with meaningful information: * Adds identity, asset, or threat intelligence context to logs * Simplifies queries compared to full joins * Improves readability and performance for enrichment scenarios * Enables faster investigation and decision-making For blue teams, `lookup` is especially useful in detection engineering and threat hunting, where correlating multiple data sources is essential to understanding suspicious activity. --- ## Further Reading * [Microsoft Learn - lookup operator](https://learn.microsoft.com/en-us/kusto/query/lookup-operator)
.png)
