Hi everyone,
I am fairly new to Splunk, and I'm having problems creating a rule that, when a user logs in, sends an email to that user.
The users are logging in using RSA VPN, so the Cisco_ASA_user field does not have @company.com.
Some users also have different profiles when they log in; for example, jon.doe may have the following user IDs:
1) jon.doe-ad
2) jon.doe-office
3) jon.doe-dev
The email address of jon.doe is jon.doe@company.com. The email syntax in general is username@company.com.
I managed to use this to remove the -* part: eval Cisco_ASA_user=replace (Cisco_ASA_user, "(-ad|-office|-dev)", "")
So now the Cisco_ASA_user field shows the username without any extensions.
The next step is to add @company.com to the Cisco_ASA_user field, and this is the part that I don't know how to do, nor how to send emails when there is a match.
This is how the query looks so far:
index=cisco_asa vendor_class="aaa/auth" Cisco_ASA_message_id=113039 | eval Cisco_ASA_user=replace (Cisco_ASA_user, "(-ad|-office|-dev)", "")
Any ideas of how to do this?
Hi @arsalanj,
To append @company to the Cisco_ASA_user field, please add ."@company.com" at the end of the eval command.
index=cisco_asa vendor_class="aaa/auth" Cisco_ASA_message_id=113039
| eval Cisco_ASA_user=replace (Cisco_ASA_user, "(-ad|-office|-dev)", "")."@company.com"
However, sending the email to that particular user will be a bit tricky.
From the search above you can create an alert and add an action to the alert -> send email. Now it depends on the number of users that you have in your Splunk environment. If there are only a few of them, you can create a separate alert for each user. Otherwise, you can try tokens in the "To:" field. I am not sure if a token $Cisco_ASA_user$ will work, as I have never tried such a thing before.
Here you can find a list of tokens which can be used for sure:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Alert/EmailNotificationTokens
EDIT:
I have only copied/pasted the final solution achieved by @arsalanj so that everything is in the accepted answer.
index=cisco_asa vendor_class="aaa/auth" Cisco_ASA_message_id=113039
| eval Cisco_ASA_user=replace (Cisco_ASA_user, "(-ad|-office|-dev|-office)", "")."@company.com"
| iplocation src_ip
| convert timeformat="%m-%d-%Y %l:%M %p" ctime(_time) AS c_time
| table Cisco_ASA_user, Country, City, c_time, src_ip
| eval email_to=Cisco_ASA_user
| sendresults
This is from another Q&A:
https://answers.splunk.com/answers/399434/send-emailed-results-to-an-email-address-in-the-re.html#an...
If you need to send a contextually-appropriate subset of results to some people, you can skip the configuration-based email settings and do this in SPL:
... | outputcsv TempFile.csv
| stats values(Email_Address) AS emailToHeader | mvexpand emailToHeader
| map search ="|inputcsv TempFile.csv | where Email_Address=\"$emailToHeader$\"
| fields - Email_Address
| sendemail
sendresults=true inline=true
server=\"Your.Value.Here\"
from=\"Your.Value.Here\"
to=\"$emailToHeader$\"
subject=\"Your Subject here: \$name\$\"
message=\"This report alert was generated by \$app\$ Splunk with this search string: \$search\$\""
| where comment="MakeSureNoEventsRemail"
| append [|inputcsv TempFile.csv]
The map search =" should be map search=" (without the extra space).
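The two pieces this thread works out, turning a suffixed VPN username into a mailbox address and then sending each recipient only their own rows (the role of the where Email_Address=$emailToHeader$ step inside map), are shown below outside Splunk as an added Python example. It is not code from the thread or from Splunk; the sample ASA 113039 lines are constructed, their exact field layout, the @company.com domain and the message format are assumptions, and instead of mailing anything it returns the messages so they can be inspected. One design choice worth noting: the suffix pattern is anchored to the end of the username, because the thread's unanchored "(-ad|-office|-dev)" pattern also removes those substrings from the middle of a name (strip_suffix_unanchored shows what happens to jane-adams-office), and usernames that are not a plain local part are never turned into a recipient address.

```python
import re
from collections import defaultdict

# Constructed sample events in the shape of Cisco ASA message 113039
# (AnyConnect session start). The field layout is an assumption for this
# example; check it against your own ASA logs before relying on EVENT_RE.
SAMPLE_EVENTS = [
    "Mar 03 2019 08:15:02 fw01 %ASA-6-113039: Group <RSA_VPN> User <jon.doe-ad> IP <203.0.113.10> AnyConnect parent session started.",
    "Mar 03 2019 08:16:40 fw01 %ASA-6-113039: Group <RSA_VPN> User <jon.doe-dev> IP <203.0.113.10> AnyConnect parent session started.",
    "Mar 03 2019 08:20:11 fw01 %ASA-6-113039: Group <RSA_VPN> User <jane-adams-office> IP <198.51.100.7> AnyConnect parent session started.",
    "Mar 03 2019 08:21:55 fw01 %ASA-6-113039: Group <RSA_VPN> User <sam.lee> IP <198.51.100.9> AnyConnect parent session started.",
    "Mar 03 2019 08:22:10 fw01 %ASA-6-113039: Group <RSA_VPN> User <bad user;rm> IP <198.51.100.9> AnyConnect parent session started.",
]

EVENT_RE = re.compile(
    r"^(?P<time>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-113039: "
    r"Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> IP <(?P<src_ip>[^>]*)>"
)
# Profile suffixes from the thread, anchored to the end of the username so a
# name such as "jane-adams" is left intact.
SUFFIX_RE = re.compile(r"-(ad|office|dev)$")
# Only usernames made of these characters are turned into a mail recipient.
LOCAL_PART_RE = re.compile(r"^[A-Za-z0-9._-]+$")
DOMAIN = "company.com"  # assumption, as in the thread


def parse_event(line):
    """Return the 113039 fields as a dict, or None if the line is not one."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def strip_suffix_unanchored(user):
    """The thread's replace() pattern as written: not anchored, so it also
    hits substrings in the middle of a name ("jane-adams-office" -> "janeams")."""
    return re.sub(r"(-ad|-office|-dev)", "", user)


def user_to_email(user):
    """Map a VPN username to username@DOMAIN; None if it is not a safe local part."""
    base = SUFFIX_RE.sub("", user)
    if not LOCAL_PART_RE.match(base):
        return None
    return f"{base}@{DOMAIN}"


def group_by_recipient(lines):
    """Parse events and bucket them by the derived recipient address
    (what the 'where Email_Address=$emailToHeader$' step does per map iteration)."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        to = user_to_email(ev["user"])
        if to is None:
            continue  # unroutable username; do not build an address from it
        ev["email_to"] = to
        groups[to].append(ev)
    return dict(groups)


def build_notifications(lines):
    """One message per recipient containing only that recipient's logins.
    Returns the messages instead of sending them, so the output can be
    inspected before wiring it to a mailer."""
    notes = []
    for to, events in sorted(group_by_recipient(lines).items()):
        rows = [f"{e['time']}  user={e['user']}  src_ip={e['src_ip']}  group={e['group']}" for e in events]
        notes.append({
            "to": to,
            "subject": f"VPN login notice ({len(events)} session(s))",
            "body": "The following VPN sessions were started under your account:\n" + "\n".join(rows),
        })
    return notes


if __name__ == "__main__":
    for n in build_notifications(SAMPLE_EVENTS):
        print(f"To: {n['to']}\nSubject: {n['subject']}\n{n['body']}\n")
```

Run as a script it prints three messages: jon.doe gets one message listing both the -ad and -dev sessions, jane-adams and sam.lee each get their own, and the malformed username is dropped rather than mailed. The same anchored pattern can be used in the SPL from the thread as "(-ad|-office|-dev)$".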
Thank you, @Woodcock,
I finally managed to make it work and this is how I did it:
index=cisco_asa vendor_class="aaa/auth" Cisco_ASA_message_id=113039
| eval Cisco_ASA_user=replace (Cisco_ASA_user, "(-ad|-office|-dev|-office)", "")."@company.com"
| iplocation src_ip
| convert timeformat="%m-%d-%Y %l:%M %p" ctime(_time) AS c_time
| table Cisco_ASA_user, Country, City, c_time, src_ip
| eval email_to=Cisco_ASA_user
| sendresults
Hi @n0str0m08
The ".company.com" part worked perfectly.
There are hundreds of users, so creating separate alert actions won't be efficient.
Thank you for that resource too, I saw it before, but I had the problem of modifying that field.
Now that I can extract the user field thanks to you I can try different tokens to see how it works.
I wish I could just add $Cisco_ASA_User$ as a recipient in the alert section, but I don't think it will be that easy!
I'll keep updating this case.