Splunk Search

Don't have "sse_host_to_country" AND "gdpr_user_category" lookup file in search

zksvc
Path Finder

Hi Community,

I got into trouble when trying to activate the use case "User Login to Unauthorized Geo": it gave an error saying I don't have the "sse_host_to_country" and "gdpr_user_category" lookup data.

In this case I'm using ES Content Updates v4.0.0, but I also have a lab with ES Content Updates 4.38.0, and when I check it, it doesn't have any sse_host_to_country or gdpr_user_category lookup files either. I already searched Google and didn't find any answer. Maybe this community has enough experience with this.

Thanks 



PickleRick
SplunkTrust

These are lookups you should have defined based on your own environment (probably populated from user/asset management). The idea here is that you want to check that someone from, for example, the US branch of your company doesn't log in to Germany-based servers. And how would anyone except you know which hosts are in Germany and which users work in the US?


zksvc
Path Finder

Could you please give me the format for those lookups?


PickleRick
SplunkTrust

You can infer from the search itself which fields need to be present. You need "dest" and "country" fields in the sse_host_to_country lookup and "user" and "countries" fields in the gdpr_user_category lookup (and the "countries" field can contain multiple values separated by the pipe character).
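As an added example (not from this thread, and not the ESCU search itself), the join the use case relies on, written in Python over constructed sample lookups that use the field names given above, with the dest-side "countries" value split on the pipe character; the host names, users, countries and login events are all constructed.

```python
import csv
import io

# Constructed sample lookups, shaped like the fields named above:
# sse_host_to_country needs "dest" and "country"; gdpr_user_category needs
# "user" and "countries" ("|"-separated when a user may log in to several).
SSE_HOST_TO_COUNTRY_CSV = """dest,country
host1.example.com,Germany
host2.example.com,United States
host3.example.net,Australia
"""

GDPR_USER_CATEGORY_CSV = """user,countries
alice@example.com,United States
bob@example.com,Germany|Australia
"""

# Constructed authentication events (user, dest) as the search would see them.
AUTH_EVENTS = [
    {"user": "alice@example.com", "dest": "host2.example.com"},  # allowed
    {"user": "alice@example.com", "dest": "host1.example.com"},  # unauthorized geo
    {"user": "bob@example.com", "dest": "host3.example.net"},    # allowed (2nd country)
    {"user": "bob@example.com", "dest": "host2.example.com"},    # unauthorized geo
    {"user": "carol@example.com", "dest": "host1.example.com"},  # user not in lookup
    {"user": "bob@example.com", "dest": "unknown.example.com"},  # host not in lookup
]


def load_lookup(csv_text, key_field, value_field):
    """Return {key: value} from a CSV lookup, mirroring `| lookup ... OUTPUT`."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = {key_field, value_field} - set(reader.fieldnames or [])
    if missing:  # e.g. a header of host,country instead of dest,country
        raise ValueError(f"lookup is missing required field(s): {sorted(missing)}")
    return {row[key_field]: row[value_field] for row in reader}


def find_unauthorized_geo_logins(events, host_csv=SSE_HOST_TO_COUNTRY_CSV,
                                 user_csv=GDPR_USER_CATEGORY_CSV):
    """Flag logins where the dest host's country is not in the user's allowed set."""
    host_to_country = load_lookup(host_csv, "dest", "country")
    user_to_countries = load_lookup(user_csv, "user", "countries")
    findings = []
    for ev in events:
        country = host_to_country.get(ev["dest"])
        allowed_raw = user_to_countries.get(ev["user"])
        if country is None or allowed_raw is None:
            continue  # no lookup row: decide separately whether such gaps are findings
        allowed = {c.strip() for c in allowed_raw.split("|") if c.strip()}
        if country not in allowed:
            findings.append({**ev, "country": country, "allowed": sorted(allowed)})
    return findings
```

The `ValueError` path is the situation in this thread: a CSV whose header does not carry the exact field names the search expects cannot be joined, so the lookup effectively contributes nothing.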

zksvc
Path Finder

Thank you for your information, so I created the CSV like this for sse_host_to_country:
host,country
host1.example.com,Japan
host2.example.com,Malaysia
host3.example.net,Australia
host4.example.org,Singapore

And this for gdpr_user_category:

user,category
user1@example.com,User
user2@example.com,Admin
user3@example.com,PowerUser
user4@example.com,User

zksvc
Path Finder

Anyone here?
