Prerequisites

Replay is a structured analysis platform that requires user authentication. There are two types of user accounts:

• Instructor/Trainer Account
  • Grants full permissions to upload telemetry, create scenarios, and build structured workbooks.
  • Can also act as an analyst—viewing and completing workbook analysis during replays.
  • Required for generating sanitized scenario datasets and managing replay content.
• Analyst Account
  • Can participate in replays, view scenarios assigned to them, and complete workbook analysis.
  • Cannot create or upload new scenarios.

💡 To begin, you must have a valid login credential for one of these accounts.

Access to a HEC-Compatible SIEM

Replay operates by sending sanitized log data through a HTTP Event Collector (HEC) pipeline, mimicking live event flow. For this to function:

• You must have access to a HEC-compatible SIEM.
  • Currently, Fluency SIEM is the primary system supported.
  • However, Replay can forward data to any SIEM that supports HEC ingestion.
• You must be able to configure a HEC endpoint in your SIEM:
  • URL – The base endpoint where logs will be posted.
  • Token – The authentication token used to post data to the SIEM.

Additional Setup for Instructors

If you are setting up Replay as an Instructor/Trainer, you will need:

• Fluency Base URL – The endpoint used for accessing Fluency’s processing grid.
• Grid Account Name (optional) – If you are working in a multi-tenant (MSSP) environment.
• Access Token – Used to connect to the SIEM and send sanitized data.

These values are used to populate your Replay profile, enabling secure scenario upload and integration with the Fluency backend.