Splunk Enterprise Security

ES - Correlation Search - Lookup file is not populated

wgawhh5hbnht
Communicator

Three correlation searches are reporting that previously_seen_users_console_logins.csv isn't populated:

  • Detect new user AWS Console Login
  • Detect AWS Console Login by User from New Region
  • Detect AWS Console Login by User from New Country

The trimmed down & redacted contents of previously_seen_users_console_logins.csv are:

identity,
arn:aws:sts::[account-id]:[assumed-role]/[role-name]/[role-session-name],

I can't find any documentation on how to properly populate this lookup. Any assistance would be greatly appreciated.

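The lookup those three searches read is a baseline of identities that have logged in before: a populate step merges recent ConsoleLogin events into it, and the detection step flags identities whose earliest sighting falls inside the current window. The following is an added example written for this page, not code from the post, from Splunk or from ESCU; it runs the populate-then-compare cycle in Python over constructed CloudTrail records. The firstTime/lastTime columns, the 70-minute window and the choice to baseline only successful logins are assumptions (the post shows only an identity column). It also handles the two states the post describes: a header-only file and a row that carries only an identity.

```python
"""Baseline / "previously seen" cycle behind new-user console-login detections.

Added example, not the post's own or Splunk's code. Assumed lookup schema:
identity,firstTime,lastTime (the post shows only `identity`). Events below are
constructed CloudTrail-style records, not real data.
"""
import csv
import io
import json
from datetime import datetime

LOOKUP_FIELDS = ["identity", "firstTime", "lastTime"]  # assumed schema

# Constructed lookup: alice has a full row, carol has an identity-only row,
# the same shape as the redacted file in the post.
EXISTING_LOOKUP_CSV = (
    "identity,firstTime,lastTime\n"
    "arn:aws:iam::111111111111:user/alice,1700000000,1714000000\n"
    "arn:aws:iam::111111111111:user/carol,,\n"
)


def _rec(time, name, arn, result="Success"):
    """Build one constructed CloudTrail-style record as a JSON string."""
    return json.dumps({"eventTime": time, "eventName": name,
                       "userIdentity": {"arn": arn},
                       "responseElements": {"ConsoleLogin": result}})


SAMPLE_EVENTS = [
    _rec("2024-05-01T08:00:00Z", "ConsoleLogin", "arn:aws:iam::111111111111:user/eve"),
    _rec("2024-05-01T10:00:00Z", "ConsoleLogin", "arn:aws:iam::111111111111:user/alice"),
    _rec("2024-05-01T10:05:00Z", "ConsoleLogin",
         "arn:aws:sts::111111111111:assumed-role/Admin/bob-session"),
    _rec("2024-05-01T10:07:00Z", "ConsoleLogin", "arn:aws:iam::111111111111:user/carol"),
    _rec("2024-05-01T10:08:00Z", "ConsoleLogin", "arn:aws:iam::111111111111:user/dave", "Failure"),
    _rec("2024-05-01T10:09:00Z", "DescribeInstances", "arn:aws:iam::111111111111:user/dave"),
]


def _ts(iso):
    """ISO-8601 'Z' timestamp -> epoch seconds."""
    return int(datetime.fromisoformat(iso.replace("Z", "+00:00")).timestamp())


def load_lookup(csv_text):
    """Parse the lookup CSV into {identity: [firstTime, lastTime]}.

    A header-only file yields {}. A row that carries only an identity (missing
    or empty time columns) is kept with firstTime=0, i.e. treated as seen long
    ago, so it never fires as 'first time seen'."""
    baseline = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ident = (row.get("identity") or "").strip()
        if not ident:
            continue
        first = int(row.get("firstTime") or 0)
        last = int(row.get("lastTime") or first)
        baseline[ident] = [first, last]
    return baseline


def console_logins(raw_events):
    """Yield (identity, epoch) for successful ConsoleLogin events only.
    Baselining only successes is an assumption of this example."""
    for raw in raw_events:
        ev = json.loads(raw)
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        yield ev["userIdentity"]["arn"], _ts(ev["eventTime"])


def merge_baseline(baseline, raw_events):
    """Populate step: min(firstTime)/max(lastTime) per identity across the
    existing lookup and the new events. Returns a new dict."""
    merged = {k: list(v) for k, v in baseline.items()}
    for ident, when in console_logins(raw_events):
        if ident in merged:
            merged[ident][0] = min(merged[ident][0], when)
            merged[ident][1] = max(merged[ident][1], when)
        else:
            merged[ident] = [when, when]
    return merged


def first_time_seen(baseline, raw_events, now, window_seconds=70 * 60):
    """Detection step: identities whose earliest sighting (lookup + new events)
    falls inside the window. With an empty lookup every recent login fires, so
    seed the baseline over a long lookback before enabling alerts."""
    cutoff = now - window_seconds
    merged = merge_baseline(baseline, raw_events)
    return sorted(i for i, (first, _) in merged.items() if first >= cutoff)


def dump_lookup(baseline):
    """Serialise the baseline back to CSV with the assumed three columns."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=LOOKUP_FIELDS, lineterminator="\n")
    w.writeheader()
    for ident in sorted(baseline):
        first, last = baseline[ident]
        w.writerow({"identity": ident, "firstTime": first, "lastTime": last})
    return buf.getvalue()


if __name__ == "__main__":
    now = _ts("2024-05-01T10:30:00Z")
    base = load_lookup(EXISTING_LOOKUP_CSV)
    print("new logins:", first_time_seen(base, SAMPLE_EVENTS, now))
    print(dump_lookup(merge_baseline(base, SAMPLE_EVENTS)))
```

Run in order: load the lookup, run the detection against it, then write the merged baseline back; writing first would make every identity "previously seen" before the comparison. Note that eve's 08:00 login is outside the 70-minute window and is not flagged even with an empty lookup, which is the same semantics as comparing firstTime against a relative cutoff rather than testing mere absence from the file.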