Prerequisites

Before you start

Replay is a structured analysis platform that requires user authentication. There are two types of user accounts:

  • Instructor/Trainer Account
    • Grants full permissions to upload telemetry, create scenarios, and build structured workbooks.
    • Can also act as an analyst—viewing and completing workbook analysis during replays.
    • Required for generating sanitized scenario datasets and managing replay content.
  • Analyst Account
    • Can participate in replays, view scenarios assigned to them, and complete workbook analysis.
    • Cannot create or upload new scenarios.

💡 To begin, you must have a valid login credential for one of these accounts.

Access to a HEC-Compatible SIEM

Replay operates by sending sanitized log data through an HTTP Event Collector (HEC) pipeline, mimicking live event flow. For this to function:

  • You must have access to a HEC-compatible SIEM.
    • Currently, Fluency SIEM is the primary system supported.
    • However, Replay can forward data to any SIEM that supports HEC ingestion.
  • You must be able to configure a HEC endpoint in your SIEM:
    • URL – The base endpoint where logs will be posted.
    • Token – The authentication token used to post data to the SIEM.
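
A pre-flight check for the URL and token above, as an added example that is not part of Replay or Fluency: it validates both settings and builds a single test event before anything is sent. It assumes the SIEM follows the Splunk HEC convention (the `/services/collector/event` path and the `Authorization: Splunk <token>` header); the function names, host name and token are constructed placeholders.

```python
import json
import urllib.request
from urllib.parse import urlsplit

# Assumption: the SIEM uses the Splunk HEC event path and auth scheme.
# Confirm both against the HEC settings of your own SIEM.
HEC_EVENT_PATH = "/services/collector/event"


def check_hec_settings(url, token):
    """Return a list of problems found in the configured URL and token."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("URL must use https so the token is not sent in clear text")
    if not parts.hostname:
        problems.append("URL has no host")
    if parts.username or parts.password:
        problems.append("URL embeds credentials; authenticate with the token only")
    if not token or any(c.isspace() for c in token):
        problems.append("token is empty or contains whitespace")
    return problems


def build_hec_request(url, token, event):
    """Build (without sending) one HEC event POST; reject bad settings."""
    problems = check_hec_settings(url, token)
    if problems:
        raise ValueError("; ".join(problems))
    return urllib.request.Request(
        url.rstrip("/") + HEC_EVENT_PATH,
        data=json.dumps({"event": event}).encode(),
        method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
    )


def send_test_event(url, token, timeout=10.0):
    """POST one marker event and return the HTTP status code."""
    req = build_hec_request(url, token, {"message": "replay HEC pre-flight"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed placeholder values, not a real endpoint or token.
    req = build_hec_request("https://siem.example.invalid:8088",
                            "PLACEHOLDER-TOKEN", {"message": "pre-flight"})
    print(req.get_method(), req.full_url)
```

Call `send_test_event` with your real URL and token only after `check_hec_settings` returns an empty list, then confirm the marker event appears in the SIEM.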

Additional Setup for Instructors

If you are setting up Replay as an Instructor/Trainer, you will need:

  • Fluency Base URL – The endpoint used for accessing Fluency’s processing grid.
  • Grid Account Name (optional) – If you are working in a multi-tenant (MSSP) environment.
  • Access Token – Used to connect to the SIEM and send sanitized data.

These values are used to populate your Replay profile, enabling secure scenario upload and integration with the Fluency backend.