Good morning,
Let me explain my case: I have a Splunk tenant that belongs to a big company with branches in three zones. Each branch should only see the data of its zone. The indexes are named in the form zone_technology, for example eu_meraki.
Knowing this, I have created a series of alerts, which are shared across all the areas and search in all the indexes. How could I make the warning email, when the alert is triggered, reach only the contacts of one area?
Thank you
It's Splunk Cloud.
Hi @adrifesa95,
the question is: do you have Enterprise Security or not?
Anyway, if there isn't Enterprise Security, you can apply my solution.
Ciao.
Giuseppe
Hi @adrifesa95,
it isn't so easy; you should:
<your_alert>
| lookup your_lookup.csv area OUTPUT mail
| sendemail to=mail
supposing that in your alert search you have the area field, matching the value in the lookup.
Ciao.
Giuseppe
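As an added example (not from this thread and not Splunk's own code), here is one search that does end to end what the lookup answer above describes: it derives the zone from the zone_technology index name and, with map, sends each zone's contacts only their own results. The base search index=*_meraki status=down, the lookup file zone_contacts.csv with columns zone and mail, and the maxsearches value are assumptions.

```spl
index=*_meraki status=down ```constructed base search across all zone_technology indexes, e.g. eu_meraki```
| rex field=index "^(?<zone>[^_]+)_" ```derive the zone prefix (eu, us, ...) from the index name```
| stats count AS events, values(host) AS hosts BY zone
| eval hosts=mvjoin(hosts, ", ") ```flatten the multivalue host list so map can substitute it as one token```
| lookup zone_contacts.csv zone OUTPUT mail ```assumed lookup: one row per zone with its contact addresses in mail```
| where isnotnull(mail) ```zones with no contact row get no email instead of a blank recipient```
| map maxsearches=10 search="| makeresults | eval zone=\"$zone$\", events=\"$events$\", hosts=\"$hosts$\" | sendemail to=\"$mail$\" subject=\"Meraki alert for zone $zone$\" sendresults=true inline=true" ```one sendemail per zone row, recipients taken from the lookup```
```

Save this as the alert itself without an email alert action, since the search already sends one message per zone. Check the lookup first with | inputlookup zone_contacts.csv so every zone prefix that appears in your index names has a matching row.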
Hi @adrifesa95,
are you speaking of Splunk Enterprise or Enterprise Security?
If Enterprise Security, it's a very hard job to implement multitenancy because ES isn't multitenant by default.
If in Splunk Enterprise, you could create different alerts for each zone, working only on the indexes of that area and sending mails only to users of that area.
Ciao.
Giuseppe