Solved: Re: Is there a way to ingest data via an email res...

nick405060 · ‎12-31-2018

Hi there,

We send out alerts via Splunk about potential phishing attacks. We'd like to have users mark the alerts after they have received and investigated them - e.g. label them as investigated, false positive, true positive, etc. Is there a way for users to label the alert directly in the email? (e.g., using voting buttons to send a response back to Splunk where the metrics are aggregated, or by having the users respond to the email)

I could create a dashboard showing all the alerts, with textboxes to enter the labels/data, but I'd like to hear ideas on a more elegant (preferably email or Slack-based) solution

jkat54 · ‎01-03-2019

You could build this yourself and put links in the emails that link back to api endpoints.

You’d need some unique identifier generated for each alert so you could reference the Id when your users “vote”.

Imagine a link in email like this:

<a href=“https://localhost:8089/.../yourApp/handler/_update?uniqueId=$idField$&status=closed”>Close this</a>

See https://docs.splunk.com/Documentation/Splunk/7.2.3/AdvancedDev/CustomAlertScript for details on the alert action portion

View solution in original post

richgalloway · ‎01-12-2019

@nick405060 Is your problem resolved? If so, please accept an answer.

---
If this reply helps you, Karma would be appreciated.

bean545 · ‎01-03-2019

Thanks for the information.

jkat54 · ‎01-03-2019

You could build this yourself and put links in the emails that link back to api endpoints.

You’d need some unique identifier generated for each alert so you could reference the Id when your users “vote”.

Imagine a link in email like this:

<a href=“https://localhost:8089/.../yourApp/handler/_update?uniqueId=$idField$&status=closed”>Close this</a>

See https://docs.splunk.com/Documentation/Splunk/7.2.3/AdvancedDev/CustomAlertScript for details on the alert action portion

nick405060 · ‎01-03-2019

Thanks!! This definitely seems like the best option so far. A little above my skill level, but I can take a crack at it

jkat54 · ‎01-03-2019

There’s more than a handful of partners that do this sort of development. If it’s a high stakes use case, you might consider hiring outside help.

By the way, all this was once above everyone else’s skill level too. You got what it takes to learn splunk development ;-). Just have patience!

jkat54 · ‎02-05-2019

Did you build this out?

nick405060 · ‎02-06-2019

Had to put it off a bit due to the amount of time it's going to take. On my radar for the next 4-5 weeks

jkat54 · ‎02-06-2019

Cool, come see us in #app-dev on slack when you’re ready!

valiquet · ‎01-02-2019

We have that but it's not recommended. SMTP is unreliable protocol.

sdchakraborty · ‎01-02-2019

Hello,

Please take a look at the below app. Not sure fully whether this will resolve your query. Very interesting use case.

https://splunkbase.splunk.com/app/1739/

Sid

Is there a way to ingest data via an email response?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

Is there a way to ingest data via an email response?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25