![splunk enterprise security download splunk enterprise security download](https://pluralsight.imgix.net/course-images/tuning-creating-correlation-searches-splunk-enterprise-security-v1.png)
The cim_entity_zone in the raw event is only populated in the previously mentioned ways.
![splunk enterprise security download splunk enterprise security download](https://prod.cdn.apps.splunk.com/media/public/screenshots/9cefd514-0489-11eb-bcf9-0a43ef1a907b.png)
The conditional statement has to match a raw event because the entity zone field evaluation happens before the lookup enrichment happens. You can't write a conditional statement to match on a field and value from an automatic lookup.
![splunk enterprise security download splunk enterprise security download](https://slideplayer.com/slide/14262870/89/images/12/Splunk+Enterprise+Security.jpg)
The condition has to match against a raw event field and value, such as: dest = "192.0.2.1", src = "host1", location = "San Jose", and so on.