Alerting

How to send an email to the user that an alert was triggered on?

Explorer

I have an alert that is configured to trigger on the event of an account lockout. It is a very simple alert that looks like this:
index=wineventlog sourcetype=WinEventLog:Security EventCode=4740 | stats count by user CallerComputerName

This displays an easy to read table with the username of the locked out account, the computer that the lockout came from, and a count of lockouts.

Currently, I have a trigger action set to email our Access Admins when a lockout occurs. However, in addition to that, I would like an email to be sent to the particular user that generated the lockout event. In order to do this, there are a few manipulations that need to be done.

In our domain, some usernames are appended with "-fa" and some aren't. I would only like to send emails to the accounts that are appended with "-fa". For example, if an account is locked out for the user "steve-fa" then I would like to send an email to that user informing him that his account has been locked out. In order to do so, I have to tell Splunk to remove the "-fa" and replace it with "@company.com" and then use "steve@company.com" as the email address.

Is this possible? If so, would it be configured in the alert wizard or would it be contained in the search using the sendmail feature?

Thank you in advance for any help!


Re: How to send an email to the user that an alert was triggered on?

Motivator

You can try something like the following:

index=wineventlog sourcetype=WinEventLog:Security EventCode=4740 | stats count by user CallerComputerName | eval usernew = user | rex field=usernew mode=sed "s/\S+(-fa)/\S+@company.comf/g" | sendemail to=$user_new$,$user$ rest of query.

I hope it helps.


Re: How to send an email to the user that an alert was triggered on?

Explorer

This is so close. I am using the following string but there is something wrong.

index=wineventlog sourcetype=WinEventLog:Security EventCode=4740 | stats count by user CallerComputerName |eval usernew=user | rex field=usernew mode=sed "s/\S+(-*a)/\S+@company.com/g" | sendemail to=$user_new$ server=mail.company.com subject="Your " $user$ "account has been locked out!" message="Splunk has detected that your account has been locked out. Please contact Access Admins for assistance." sendresults=false

The first $ in "sendemail to=$user_new$" is red. Splunk is not picking up the email address to send to.


Re: How to send an email to the user that an alert was triggered on?

SplunkTrust

The rex command should be | rex field=user_new mode=sed "s/(\S+)(-fa)/\1@company.com/g".

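The point of the corrected rex above is that the replacement side of a sed-style substitution needs a back-reference (\1) to the captured part of the account name; writing \S+ on the replacement side inserts that text literally, which is why the earlier attempts never produced a usable address. The following is an added illustration of that same capture-and-substitute logic outside Splunk, not code from this thread or from Splunk: it reproduces the "stats count by user CallerComputerName" aggregation over a constructed set of 4740 events, derives a mailbox only for accounts carrying the "-fa" suffix, and leaves the others with no recipient. The event fields, hostnames, and the domain "company.com" are sample values taken from the question; the function names are this example's own.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample events (fields as a Splunk search would extract them).
# EventCode 4740 is the Windows "account was locked out" event; the 4625
# row is a plain logon failure and must be ignored by the aggregation.
SAMPLE_EVENTS = [
    {"EventCode": 4740, "user": "steve-fa", "CallerComputerName": "WS-0101"},
    {"EventCode": 4740, "user": "steve-fa", "CallerComputerName": "WS-0101"},
    {"EventCode": 4740, "user": "svc-backup", "CallerComputerName": "SRV-02"},
    {"EventCode": 4740, "user": "maria-fa", "CallerComputerName": "WS-0207"},
    {"EventCode": 4625, "user": "steve-fa", "CallerComputerName": "WS-0101"},
]

# Same idea as the corrected rex: capture everything before "-fa" and keep it.
# The anchors make sure "-fa" is only accepted as the trailing suffix, so an
# account such as "steve-fa-old" is not rewritten by mistake.
SUFFIX_RE = re.compile(r"^(\S+)-fa$")


def mailbox_for(user: str, domain: str = "company.com") -> Optional[str]:
    """Return 'steve@company.com' for 'steve-fa'; None when there is no -fa suffix.

    Equivalent to: s/(\S+)-fa$/\1@company.com/ with the back-reference \1.
    """
    match = SUFFIX_RE.match(user)
    if match is None:
        return None
    return f"{match.group(1)}@{domain}"


def lockout_table(events, domain: str = "company.com"):
    """Mirror `EventCode=4740 | stats count by user CallerComputerName`,
    then add a per-row recipient derived from the user field."""
    counts = Counter(
        (e["user"], e["CallerComputerName"])
        for e in events
        if e["EventCode"] == 4740
    )
    rows = []
    for (user, caller), count in sorted(counts.items()):
        rows.append({
            "user": user,
            "CallerComputerName": caller,
            "count": count,
            "to": mailbox_for(user, domain),   # None => no user notification
        })
    return rows


def recipients(events, domain: str = "company.com"):
    """Distinct addresses that would receive the user-facing notification."""
    return sorted({row["to"] for row in lockout_table(events, domain) if row["to"]})


if __name__ == "__main__":
    for row in lockout_table(SAMPLE_EVENTS):
        print(row)
    print("notify:", recipients(SAMPLE_EVENTS))
```

Rows whose "to" is None (the service account here) would still go to the Access Admins mailing, but get no user-facing email, which is the "only the -fa accounts" rule from the question.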

Re: How to send an email to the user that an alert was triggered on?

Explorer

I believe the rex command might still be a little off. It still does not like the variable "$user_new$". When I replace it with my own email it works. Here is the command as of now:

index=wineventlog sourcetype=WinEventLog:Security EventCode=4740 | eval usernew=user |rex field=usernew mode=sed "s/(\S+)(-fa)1/@company.comf/g" | sendemail to=$user_new$ server=mail.company.com subject="Your account has been locked out!" message="Splunk has detected that the account shown below has been locked out. Please contact Access Admins for assistance." sendresults=true inline=true format=raw


Re: How to send an email to the user that an alert was triggered on?

Splunk Employee

How is your user getting the email if he/she is locked out of his/her account....? 😉
