I have an alert that is configured to trigger on the event of an account lockout. It is a very simple alert that looks like this:
index=wineventlog sourcetype=WinEventLog:Security EventCode=4740 | stats count by user Caller_Computer_Name
This displays an easy to read table with the username of the locked out account, the computer that the lockout came from, and a count of lockouts.
Currently, I have a trigger action set to email our Access Admins when a lockout occurs. However, in addition to that, I would like an email to be sent to the particular user that generated the lockout event. In order to do this, there are a few manipulations that need to be done.
In our domain, some usernames are appended with "-fa" and some aren't. I would only like to send emails to the accounts that are appended with "-fa". For example, if an account is locked out for the user "steve-fa" then I would like to send an email to that user informing him that his account has been locked out. In order to do so, I have to tell Splunk to remove the "-fa" and replace it with "@company.com" and then use "steve@company.com" as the email address.
Is this possible? If so, would it be configured in the alert wizard or would it be contained in the search using the sendmail feature?
Thank you in advance for any help!
How is your user getting the email if he/she is locked out of his/her account....? 😉
You can try something like the below:
index=wineventlog sourcetype=WinEventLog:Security EventCode=4740 | stats count by user Caller_Computer_Name | eval user_new = user | rex field=user_new mode=sed "s/\S+(-fa)/\S+@company.comf/g" | sendemail to=$user_new$,$user$ rest of query.
I hope it helps.
This is so close. I am using the following string but there is something wrong.
index=wineventlog sourcetype=WinEventLog:Security EventCode=4740 | stats count by user Caller_Computer_Name |eval user_new=user | rex field=user_new mode=sed "s/\S+(-*a)/\S+@company.com/g" | sendemail to=$user_new$ server=mail.company.com subject="Your " $user$ "account has been locked out!" message="Splunk has detected that your account has been locked out. Please contact Access Admins for assistance." sendresults=false
The first $ in "sendemail to=$user_new$" is red. Splunk is not picking up the email address to send to.
The rex command should be | rex field=user_new mode=sed "s/(\S+)(-fa)/\1@company.com/g" .
I believe the rex command might still be a little off. It still does not like the variable "$user_new$". When I replace it with my own email it works. Here is the command as of now:
index=wineventlog sourcetype=WinEventLog:Security EventCode=4740 | eval user_new=user |rex field=user_new mode=sed "s/(\S+)(-fa)1/@company.comf/g" | sendemail to=$user_new$ server=mail.company.com subject="Your account has been locked out!" message="Splunk has detected that the account shown below has been locked out. Please contact Access Admins for assistance." sendresults=true inline=true format=raw
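As an added example (not code from the thread), here is the rewrite that the corrected rex performs, done in Python over a constructed stats table shaped like the lockout search's output. The sample rows, the "@company.com" domain from the thread, and the recipient_for/build_notifications helpers are my assumptions; actual delivery is left to Splunk's sendemail or the alert email action. The "$" anchor goes a little beyond the thread's regex so that only names that end in "-fa" are rewritten.

```python
import re
from typing import Optional

# Constructed sample rows, shaped like the output of
# "... EventCode=4740 | stats count by user Caller_Computer_Name".
SAMPLE_ROWS = [
    {"user": "steve-fa", "Caller_Computer_Name": "WS-0142", "count": 3},
    {"user": "alice", "Caller_Computer_Name": "WS-0077", "count": 1},
    {"user": "bob-fa-svc", "Caller_Computer_Name": "SRV-01", "count": 2},
    {"user": "carol-fa", "Caller_Computer_Name": "WS-0199", "count": 5},
]

MAIL_DOMAIN = "company.com"  # domain used in the thread

# Equivalent of rex mode=sed "s/(\S+)-fa$/\1@company.com/": the capture
# group keeps the name, the backreference reinserts it, and the "$" anchor
# makes sure only usernames that END in "-fa" are rewritten.
USER_FA_RE = re.compile(r"^(\S+)-fa$")


def recipient_for(user: str) -> Optional[str]:
    """Return the mailbox for a '-fa' account, or None if no mail should go out."""
    m = USER_FA_RE.match(user)
    if not m:
        return None
    return f"{m.group(1)}@{MAIL_DOMAIN}"


def build_notifications(rows):
    """One notification per locked-out '-fa' account; other rows are skipped."""
    out = []
    for row in rows:
        to = recipient_for(row["user"])
        if to is None:
            continue  # plain "alice": only the Access Admins alert applies
        out.append({
            "to": to,
            "subject": "Your account has been locked out!",
            "body": (f"Splunk has detected {row['count']} lockout(s) of "
                     f"{row['user']} from {row['Caller_Computer_Name']}. "
                     "Please contact Access Admins for assistance."),
        })
    return out


if __name__ == "__main__":
    for n in build_notifications(SAMPLE_ROWS):
        print(n["to"], "<-", n["body"])
```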