I have a use case, which is basically about alerting users to vulnerabilities when we need them to take action.
This is a centralised pull from Tenable, so far so good.
My issue is how to defer and control the sending of the alert so it doesn't wake up people in various time zones around the world. I don't want them getting alerts at 2am or on Sunday in their timezone, unless Sunday is a workday - that's a whole different matter.
I looked at ip lookup allitems=true and can get the timezone, so that is a step forward
But I can't seem to find out how to convert the Americas/Vancouver timestamp to an offset of UTC which I can play with
I'm sure some of you with global companies must have dealt with this challenge. My understanding is you can get fined in Germany for communicating with employees out of hours. Let's just say I manage to determine the correct textual timestamp like Americas\Chicago - how do I translate that to a UTC offset?
Of course, if anyone can spot what I'm trying to do and has a better way, then I'm all ears.
Got the basis of this working :
| makeresults 1
| eval header="{\"content-type\":\"application/json\"}"
| eval api_key = "<API_KEY>"
| eval tz = "America/Los_Angeles"
| eval where = "https://api.ipgeolocation.io/timezone?apiKey=" + api_key + "&tz=" + tz
| eval myuser = "nobody"
| eval myuri = where
| curl method=get urifield=myuri headerfield=header debug=true
| table curl*
| spath input=curl_message
Be interested in suggestions for alternatives though..
| eval local=strftime(now(),"%F %T %z")
Thanks, but my starting point is not the time but the IP address -
| iplocation allfields=true src_ip
Trying to build a table of people and offsets from UTC so I can decide - OK I'm going to send an alert at 10am for all people in Thailand ... or all people on Mountain time.
I know it won't be perfect - and I need to get rid of all the noise of VPNs and consider travellers but it's a lot better than sending emails at 2am in the morning
I found this web service which should get me what I want
https://ipgeolocation.io/documentation/timezone-api.html
- I'd have thought there is a way in Splunk. Basically my starting point is the iplocation -all and I need to interpret the Country/State timezone expression.
# Get 'America/Los_Angeles' timezone information
$ curl 'https://api.ipgeolocation.io/timezone?apiKey=API_KEY&tz=America/Los_Angeles'
{
  "timezone": "America/Los_Angeles",
  "timezone_offset": -8,
  "date": "2018-12-06",
  "date_time": "2018-12-06 02:02:09",
  "date_time_txt": "Thursday, December 06, 2018 02:02:09",
  "date_time_wti": "Thu, 06 Dec 2018 02:02:09 -0800",
  "date_time_ymd": "2018-12-06T02:02:09-0800",
  "date_time_unix": 1544090529.989,
  "time_24": "02:02:09",
  "time_12": "02:02:09 AM",
  "week": "49",
  "month": "12",
  "year": "2018",
  "year_abbr": "18",
  "is_dst": false,
  "dst_savings": 1
}
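The conversion the thread is after (IANA zone name such as America/Los_Angeles, as emitted by iplocation, to a UTC offset, and then deferring the alert until the recipient's next working-hours window) can be done offline with the tz database instead of an external web service. The block below is an added example written for this thread; it is not code from Splunk, Tenable or ipgeolocation.io. The function names (resolve_tz, utc_offset_hours, next_delivery_utc, schedule_iso), the sample user list and the choice of a Sunday-to-Thursday working week for the Dubai entry are all assumptions made for the demonstration. Note that timezone_offset from the API is a snapshot: it changes with DST, so store the zone name and recompute the offset at the planned send time, which is what this code does.

```python
"""Convert an IANA time-zone name to a UTC offset and defer an alert until the
recipient's next working-hours window. Added example for this thread; not
Splunk, Tenable or ipgeolocation.io code. Requires Python 3.9+ (zoneinfo)."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone, tzinfo
from zoneinfo import ZoneInfo  # reads the system tz database (or the tzdata package)

# Accept either an IANA name ("America/Vancouver") or an explicit offset
# ("-08:00") so the scheduling logic can be exercised without a tz database.
_OFFSET_RE = re.compile(r"^([+-])(\d{2}):?(\d{2})$")

# Monday=0 ... Sunday=6. Default is Mon-Fri; pass a different tuple for
# regions where Sunday is a workday (assumption: the caller knows the region).
DEFAULT_WORKDAYS = (0, 1, 2, 3, 4)


def resolve_tz(spec: str) -> tzinfo:
    """Turn a tz string into a tzinfo. Unknown IANA names raise ZoneInfoNotFoundError."""
    m = _OFFSET_RE.match(spec)
    if m:
        sign = 1 if m.group(1) == "+" else -1
        return timezone(sign * timedelta(hours=int(m.group(2)), minutes=int(m.group(3))))
    return ZoneInfo(spec)


def utc_offset_hours(spec: str, at: datetime | None = None) -> float:
    """UTC offset of `spec` at instant `at` (default: now). DST makes the offset
    time-dependent, so recompute it at send time rather than caching it."""
    at = at or datetime.now(timezone.utc)
    if at.tzinfo is None:
        raise ValueError("`at` must be timezone-aware")
    return at.astimezone(resolve_tz(spec)).utcoffset().total_seconds() / 3600


def next_delivery_utc(now_utc: datetime, tz: tzinfo, start_hour: int = 9,
                      end_hour: int = 17, workdays=DEFAULT_WORKDAYS) -> datetime:
    """Earliest UTC instant >= now_utc inside [start_hour, end_hour) local time
    on a workday. Returns now_utc unchanged when it is already inside the window."""
    local = now_utc.astimezone(tz)
    if local.weekday() in workdays and start_hour <= local.hour < end_hour:
        return now_utc
    candidate = local.replace(hour=start_hour, minute=0, second=0, microsecond=0)
    if candidate <= local:  # today's window has already started or ended
        candidate += timedelta(days=1)
    while candidate.weekday() not in workdays:
        candidate += timedelta(days=1)
    # timedelta arithmetic on an aware datetime is wall-clock arithmetic, so the
    # candidate stays at 09:00 local across a DST change; converting at the end
    # yields the correct UTC instant for that local time.
    return candidate.astimezone(timezone.utc)


def schedule_iso(now_utc_iso: str, tz_spec: str, **window) -> str:
    """String front-end: ISO-8601 'now' (with offset) plus a tz spec -> ISO-8601 UTC send time."""
    now_utc = datetime.fromisoformat(now_utc_iso)
    if now_utc.tzinfo is None:
        raise ValueError("now must carry an offset, e.g. 2024-01-15T18:00:00+00:00")
    tz = resolve_tz(tz_spec)
    return next_delivery_utc(now_utc.astimezone(timezone.utc), tz, **window).isoformat()


if __name__ == "__main__":
    # Constructed sample: the shape of a `| iplocation allfields=true src_ip`
    # export reduced to user and Timezone. Users and zones are made up.
    users = [("alice", "America/Vancouver"), ("bob", "Asia/Bangkok"),
             ("carol", "Europe/Berlin"), ("dan", "Asia/Dubai")]
    now = datetime.now(timezone.utc)
    for user, zone in users:
        # Assumption for the demo: Sunday-Thursday week for the Dubai user.
        workdays = (6, 0, 1, 2, 3) if zone == "Asia/Dubai" else DEFAULT_WORKDAYS
        when = next_delivery_utc(now, resolve_tz(zone), workdays=workdays)
        print(f"{user:6} {zone:18} UTC{utc_offset_hours(zone, now):+.1f}  send at {when.isoformat()}")
```

Feed it the Timezone field from iplocation per user, keep the returned UTC instant as the earliest send time, and have the alert job release anything whose send time has passed. Because the window is computed per recipient at release time, a zone that moves in or out of DST between detection and delivery is handled without any stored offset going stale; the VPN and traveller noise mentioned above still has to be dealt with at the IP-to-user mapping stage.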