Guides

Prerequisites

Before you start

Suggest Edits

Replay is a structured analysis platform that requires user authentication. There are two types of user accounts:

  • Instructor/Trainer Account
    • Grants full permissions to upload telemetry, create scenarios, and build structured workbooks.
    • Can also act as an analyst—viewing and completing workbook analysis during replays.
    • Required for generating sanitized scenario datasets and managing replay content.
  • Analyst Account
    • Can participate in replays, view scenarios assigned to them, and complete workbook analysis.
    • Cannot create or upload new scenarios.

💡 To begin, you must have a valid login credential for one of these accounts.

Access to a HEC-Compatible SIEM

Replay operates by sending sanitized log data through a HTTP Event Collector (HEC) pipeline, mimicking live event flow. For this to function:

  • You must have access to a HEC-compatible SIEM.
    • Currently, Fluency SIEM is the primary system supported.
    • However, Replay can forward data to any SIEM that supports HEC ingestion.
  • You must be able to configure a HEC endpoint in your SIEM:
    • URL – The base endpoint where logs will be posted.
    • Token – The authentication token used to post data to the SIEM.

Additional Setup for Instructors

If you are setting up Replay as an Instructor/Trainer, you will need:

  • Fluency Base URL – The endpoint used for accessing Fluency’s processing grid.
  • Grid Account Name (optional) – If you are working in a multi-tenant (MSSP) environment.
  • Access Token – Used to connect to the SIEM and send sanitized data.

These values are used to populate your Replay profile, enabling secure scenario upload and integration with the Fluency backend.

Updated 25 days ago