Splunk Enterprise Security

ES - Correlation Search - Lookup file is not populated


Three correlation searches are stating that previously_seen_users_console_logins.csv isn't populated:

  • Detect new user AWS Console Login
  • Detect AWS Console Login by User from New Region
  • Detect AWS Console Login by User from New Country

The trimmed down & redacted contents of previously_seen_users_console_logins.csv are:


I can't find any documentation on how to properly populate this lookup. Any assistance would be greatly appreciated.
