Alerting

whitelist email alert domain

EricPartington
Communicator

I would like to set a regex that will whitelist an allowed domain for all email notifications.

@abc.com$

The reason i would like to do this is so that i dont have to worry about email reports being sent out of the organization and hopefully avoid further questions from any future audit of the implementation of Splunk.
If this was something that could be set in the email settings manager that would be perfect or if there is a way to add that validation/whitelist in a conf file for now that would be great as well.

normally i would tackle this with the MTA but i dont own the OS on the servers (managed by another group) and have limited access to change OS base settings.

Any ideas where I could try this whitelist idea to prevent possible data leaks via emailed reports?

Tags (3)
0 Karma

dwaddle
SplunkTrust
SplunkTrust

I'm not sure this is something that is configurable into out-of-the-box Splunk. You could always file an enhancement request.

One potential alternative might be to hack upon the sendmail.py script in $SPLUNK_HOME/etc/apps/search/bin. Much (all?) of the Splunk email sending functionality would seem to be implemented here. If you're reasonably good with Python, you'd be able to implement this type of change there. Obviously, this wouldn't necessarily be supported by Splunk support - you'd be on your own in terms of defect resolution in this area.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...