splunk / security_content

Splunk Security Content
https://research.splunk.com
Apache License 2.0

ESCU - Detect AWS Console Login by User from New City - Rule fails with "The lookup table 'previously_seen_users_console_logins.csv' requires a .csv or KV store lookup definition." #691

Closed kkolli4 closed 3 years ago

kkolli4 commented 3 years ago

The lookup table 'previously_seen_users_console_logins.csv' requires a .csv or KV store lookup definition.

kkolli4 commented 3 years ago

https://csms-6e754x-39942.stg.splunkcloud.com/en-US/app/search/search?q=search%20%60cloudtrail%60%20eventName%3DConsoleLogin%20%7C%20rename%20userIdentity.arn%20as%20user%20%7C%20stats%20earliest(_time)%20as%20firstTime%20latest(_time)%20as%20lastTime%20by%20user%20%7C%20inputlookup%20append%3Dt%20previously_seen_users_console_logins.csv%20%20%7C%20stats%20min(firstTime)%20as%20firstTime%20max(lastTime)%20as%20lastTime%20by%20user%20%7C%20eval%20userStatus%3Dif(firstTime%20%3E%3D%20relative_time(now()%2C%20%22-70m%40m%22)%2C%20%22First%20Time%20Logging%20into%20AWS%20Console%22%2C%22Previously%20Seen%20User%22)%20%7C%20%60security_content_ctime(firstTime)%60%7C%60security_content_ctime(lastTime)%60%7C%20where%20userStatus%20%3D%22First%20Time%20Logging%20into%20AWS%20Console%22%20%20%7C%20%60detect_new_user_aws_console_login_filter%60&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=standard_perf&earliest=0&latest=&display.events.fields=%5B%22host%22%2C%22source%22%2C%22sourcetype%22%2C%22tag%22%2C%22tag%3A%3Aaction%22%2C%22tag%3A%3Aeventtype%22%5D&display.prefs.fieldFilter=tag&display.page.search.tab=statistics&display.general.type=statistics&sid=1601422950.927
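The search in the URL above only runs if `previously_seen_users_console_logins.csv` exists either as a file in the app's lookups directory or as a stanza in transforms.conf; the following preflight check is an added example, not code from the splunk/security_content project: it decodes that URL, lists every lookup the SPL references, and reports the ones a constructed app state does not provide (the names in the sample transforms.conf are constructed).

```python
"""Preflight check: which lookups does an ESCU search reference, and are they defined?

Added example (not from splunk/security_content). A lookup reference resolves if it
names a CSV file shipped in lookups/ or a stanza in transforms.conf; anything else
raises the "requires a .csv or KV store lookup definition" error seen in the issue.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Search URL from the issue, kept only up to its q= parameter (display settings dropped).
ISSUE_URL = ("https://csms-6e754x-39942.stg.splunkcloud.com/en-US/app/search/search"
             "?q=search%20%60cloudtrail%60%20eventName%3DConsoleLogin%20%7C%20rename%20"
             "userIdentity.arn%20as%20user%20%7C%20stats%20earliest(_time)%20as%20firstTime"
             "%20latest(_time)%20as%20lastTime%20by%20user%20%7C%20inputlookup%20append%3Dt"
             "%20previously_seen_users_console_logins.csv%20%20%7C%20stats%20min(firstTime)"
             "%20as%20firstTime%20max(lastTime)%20as%20lastTime%20by%20user%20%7C%20eval%20"
             "userStatus%3Dif(firstTime%20%3E%3D%20relative_time(now()%2C%20%22-70m%40m%22)"
             "%2C%20%22First%20Time%20Logging%20into%20AWS%20Console%22%2C%22Previously%20"
             "Seen%20User%22)%20%7C%20%60security_content_ctime(firstTime)%60%7C%60"
             "security_content_ctime(lastTime)%60%7C%20where%20userStatus%20%3D%22First%20"
             "Time%20Logging%20into%20AWS%20Console%22%20%20%7C%20%60"
             "detect_new_user_aws_console_login_filter%60")

# A lookup command directly after a pipe (or at the start), with its arguments up to the next pipe.
LOOKUP_CMD = re.compile(r"(?:^|\|)\s*(inputlookup|outputlookup|lookup)\b([^|]*)")
STANZA = re.compile(r"^\[([^\]]+)\]", re.M)  # transforms.conf stanza headers


def spl_from_url(url: str) -> str:
    """Return the decoded SPL carried in the URL's q= parameter."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def referenced_lookups(spl: str) -> list:
    """Lookup names used by inputlookup/outputlookup/lookup: first non-option argument."""
    names = []
    for _cmd, args in LOOKUP_CMD.findall(spl):
        tokens = [t for t in args.split() if "=" not in t]  # skip append=t, local=true, ...
        if tokens:
            names.append(tokens[0])
    return names


def missing_lookups(url: str, transforms_conf: str, lookup_files: list) -> list:
    """Referenced lookups that are neither a shipped CSV nor a transforms.conf stanza."""
    defined = set(STANZA.findall(transforms_conf)) | set(lookup_files)
    return [n for n in referenced_lookups(spl_from_url(url)) if n not in defined]


if __name__ == "__main__":
    # Constructed app state: an unrelated stanza and no CSV shipped for this detection.
    transforms = "[example_other_lookup]\nfilename = example_other_lookup.csv\n"
    print(missing_lookups(ISSUE_URL, transforms, []))
```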

kkolli4 commented 3 years ago


kkolli4 commented 3 years ago

[Screenshot: Screen Shot 2020-09-29 at 4.56.47 PM]
patel-bhavin commented 3 years ago

This issue has been fixed in this commit: https://github.com/splunk/security-content/pull/640/commits/b70138ed69ff84945c285b0b482c7b81cdda9f38

Closing the issue