Splunk Enterprise Security

ES - Correlation Search - Lookup file is not populated


Three correlation searches are stating that previouslyseenusersconsolelogins.csv isn't populated:

  • Detect new user AWS Console Login
  • Detect AWS Console Login by User from New Region
  • Detect AWS Console Login by User from New Country

The trimmed-down and redacted contents of previouslyseenusersconsolelogins.csv are:

identity,
arn:aws:sts::[account-id]:[assumed-role]/[role-name]/[role-session-name],

I can't find any documentation on how to properly populate this lookup. Any assistance would be greatly appreciated.
