Hello,
I am trying to send custom email alert if there is any SQL Injection has been done on our Websites.
`fidelis_get_xps_event` | search tag=initial_compromise | eval Severity=lower(Severity) | table _time Target Severity AlertId hostIp eventtype | search eventtype="incoming_sql_injection" | chart dc(AlertId) as count by hostIp
| eval check=case(isnull(hostIp),1) | search check=0 | sendemail to=farrukh@example.com from=splunk@example.com subject="SQL Injection" server=smtp.example.com
The condition i am checking is 15 minute time for the search and checking if the hostIp is not null. It should not send an email if the check=0 but its keep sending an email.
Thank you.
sendemail
is not conditional. It will send email regardless of the number of results. To send mail only if there are results, remove the sendemail
command and choose the "Send email" alert action.
sendemail
is not conditional. It will send email regardless of the number of results. To send mail only if there are results, remove the sendemail
command and choose the "Send email" alert action.
Hello richgalloway,
Before this question was moderated, i figured out about alert 🙂
Thanks for your answer.
I have done this and following is my alert i am trying to run job every 15 minutes so that if there is any SQL Injection happen it will triggered an email as mentioned in below image.
If your problem is resolved, please accept the answer to help future readers.