Splunk Enterprise Security

ES - Correlation Search - Lookup file is not populated

wgawhh5hbnht
Communicator

alt text
3 Correlation Searches stating that previously_seen_users_console_logins.csv isn't populated:

  • Detect new user AWS Console Login
  • Detect AWS Console Login by User from New Region
  • Detect AWS Console Login by User from New Country

The trimmed down & redacted contents of previously_seen_users_console_logins.csv are:

identity,
arn:aws:sts::[account-id]:[assumed-role]/[role-name]/[role-session-name],

I can't find any documentation on how to properly populate this lookup. Any assistance would be greatly appreciated

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...