topic Re: Using a different email address to send email responses using adaptive response action in Splunk Enterprise Security

Using a different email address to send email responses using adaptive response action

shiv1593 — Wed, 26 Dec 2018 16:10:34 GMT

Hi All,

I have a use case where I want to send replies using a separate email address than the default address of Splunk. What I'm trying to achieve is :

I have a sourcetype, and from its logs I have a field called "User email"
I want to send individual automatic responses to the email addresses present in the field.
The default email id for my Splunk solution is abc_splunk@mycompany.com. But I do not want to send the replies using this email address. I want to use informationawareness@mycompany.com.
I would like to use informationawareness@mycompany.com for this particular set of data "User email" and the sourcetype only. All the other emails should go using the default id abc_splunk@mycompany.com.
I have the basic SMTP settings for the mailbox server of informationawareness@mycompany.com.
I want to know in which configuration files do I have to make the change in order to achieve my goal.

Any help will be highly appreciated.
Thank you

Re: Using a different email address to send email responses using adaptive response action

p_gurav — Thu, 27 Dec 2018 05:24:24 GMT

Hi,

try using sendemail command with custom from.

Re: Using a different email address to send email responses using adaptive response action

shiv1593 — Thu, 27 Dec 2018 07:35:08 GMT

Hi p_gurav,

Tried that. Doesn't work. I guess it has something to do with the configuration of the mail I'm trying to use. Unless I open the port on my search head and the mailbox server, and establish the basic SMTP connection, I won't be able to use it. Just wanted to figure out where should I put those SMTP settings in Splunk, I mean inside which configuration file. And how ill that stanze be designed in order to get it executed.

Re: Using a different email address to send email responses using adaptive response action

p_gurav — Tue, 29 Sep 2020 22:32:32 GMT

Is SMTP servers for abc_splunk@mycompany.com and informationawareness@mycompany.com is different? Normally splunk used alert_actions.conf for storing this configurations.

Re: Using a different email address to send email responses using adaptive response action

harsmarvania57 — Thu, 27 Dec 2018 11:48:04 GMT

If you use Splunk Web then click on Settings->Saved Searches-> <Alert Name>-> Edit -> Advanced Edit and override action.email.from, by default Defaults to splunk@<LOCALHOST> (or whatever is set in alert_actions.conf).

Re: Using a different email address to send email responses using adaptive response action

shiv1593 — Thu, 27 Dec 2018 12:36:39 GMT

Yes, both of them have different SMTP relay servers. I thought about the alert_actions.conf file, just am not sure on how to edit it to use just for this particular alert, and leave the default ID for the rest of the things.

Re: Using a different email address to send email responses using adaptive response action

shiv1593 — Thu, 27 Dec 2018 12:43:21 GMT

Hi Harsh,

Tried that. Doesn't work since the SMTP server and settings of the mail id that I want trigger the alert from, informationawareness@mycompany.com, are different. From what I figure, I may need to specify the settings of the mail ID within my search head, so that Splunk reads and uses it for this particular alert, which is giving me the field "User email", and use the email addresses present inside the field and reply to them individually. I want all of the other emails going from Splunk using the default ID itself.

Re: Using a different email address to send email responses using adaptive response action

harsmarvania57 — Thu, 27 Dec 2018 12:46:03 GMT

So based on your comment, I am assuming that you are running single schedule search which has User Email field and you want to send email to all those email id but you want different from email address for certain users(email id) only ??

Re: Using a different email address to send email responses using adaptive response action

shiv1593 — Tue, 29 Sep 2020 22:32:42 GMT

Correct. I am running a scheduled search, which triggers conditions per event, picks out an email address from the User email field, and sends it a pre-drafted email. It does the same for all the email addresses which are produced when the search runs. But for this particular search, I want to use a different "from email address", which would be informationawareness@mycompany.com, instead of the default email address of Splunk, which in my case is abc_splunk@mycompany.com. I want all of my other searches to use the default email address of splunk, which is abc_splunk@mycompany.com, like they are doing as of now.

Re: Using a different email address to send email responses using adaptive response action

p_gurav — Fri, 28 Dec 2018 04:05:17 GMT

Hi shiv1593,

Give try to this with ;

sendemail command where you can specify multiple from and different SMTP servers:

| sendemail from="informationawareness@mycompany.com" server=(SMTP server host)

Note: Make sure the connectivity between splunk server and SMTP server

Edit savedsearches.conf and specify action.email.mailserver attribute to this saved search.

Re: Using a different email address to send email responses using adaptive response action

harsmarvania57 — Fri, 28 Dec 2018 09:04:21 GMT

Can you please share your alert_actions.conf and savedsearch.conf for that particular search (Please mask/alter any sensitive data) from Search Head?

Re: Using a different email address to send email responses using adaptive response action

shiv1593 — Fri, 28 Dec 2018 10:31:03 GMT

Hi p_gurav,

This seems intriguing. I will try and implement this and let you know my findings.

Thank you very much

Re: Using a different email address to send email responses using adaptive response action

lakshman239 — Wed, 09 Jan 2019 17:01:25 GMT

If you are using Splunk ES and adaptive response of the Email, one approach [ not a clean one] would be to have 1 correlation search for specific host for informationawareness and another correlation search for rest of them and update the action.email.mailserver, it should still work.

Re: Using a different email address to send email responses using adaptive response action

shiv1593 — Tue, 29 Sep 2020 23:07:26 GMT

Hi Harsh,

Sorry for such a delay in response. Here is the savedsearch.conf.

[My_Search] action.email = 1 action.email.include.search = 1 action.email.include.view_link = 0 action.email.inline = 1 action.email.sendcsv = 1 action.email.sendpdf = 1 action.email.sendresults = 1 action.email.to = senders action.email.useNSSubject = 1 action.keyindicator.invert = 0 action.makestreams.param.verbose = 0 action.nbtstat.param.verbose = 0 action.notable.param.verbose = 0 action.nslookup.param.verbose = 0 action.ping.param.verbose = 0 action.risk.param.verbose = 0 action.threat_add.param.verbose = 0 alert.track = 0
Here is the alert_actions.conf
[name of the alert]
from=splunk@localhost.com
to=$user_email$
subject="My subject as mentioned in the alert"
sendresults=1
inline=1
priority=5
mailserver=local mail server:port number as defined
sendpdf=1
sendcsv=1