Reporting

Modifying usernames and sending emails to them when there is a match

arsalanj
Path Finder

Hi everyone,
I am fairly new to Splunk, and I’m having problems creating a rule that when a user login, sends an email to that user.
The users are logging in using RSA VPN, so the Cisco_ASA_user field does not have @company.com.
Some Users also have different profiles when they login, for example, jon.doe may have the following user IDs:

1)jon.doe-ad
2)jon.doe-office
3-jon.doe-dev

The email address of jon.doe is jon.doe@company.com. The email syntax in general is username@company.com.
I managed to use this to remove the -* part: eval Cisco_ASA_user=replace (Cisco_ASA_user, "(-ad|-office|-dev)", "")
So, now the Cisco_ASA_user field shows the username without any extensions.
The next step is to add @company.com to the Cisco_ASA_user and this the part that I don’t know how to do and how to send emails when there is a match.
This is how the query looks like so far:

index=cisco_asa vendor_class="aaa/auth" Cisco_ASA_message_id=113039 | eval Cisco_ASA_user=replace (Cisco_ASA_user, "(-ad|-office|-dev)", "")

Any ideas of how to do this?

0 Karma
1 Solution

n0str0m08
Explorer

Hi @arsalanj,

To append @company to Cisco_ASA_user field please add ."@company.com" at the end of the eval command.

index=cisco_asa vendor_class="aaa/auth" Cisco_ASA_message_id=113039 
| eval Cisco_ASA_user=replace (Cisco_ASA_user, "(-ad|-office|-dev)", "")."@company.com"

However, to send the email to that particular user it will be a bit tricky.
From the search above you can create an alert and add action to the alert -> send email. Now it depends from the amount of users that you have in Splunk environment. If there are only several of them you can create separate alert for each user. In other case you can give a try with tokens in a "To:" field. I am not sure if a token $Cisco_ASA_user$ will be working as I have never tried such thing before.

Here you can find a list of tokens which can be used for sure:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Alert/EmailNotificationTokens

EDIT:
I only copy/paste a final solution achieved by @arsalanj to have everything in the accepted answer.

index=cisco_asa vendor_class="aaa/auth" Cisco_ASA_message_id=113039
| eval Cisco_ASA_user=replace (Cisco_ASA_user, "(-ad|-office|-dev|-office)", "")."@company.com" 
| iplocation src_ip
| convert timeformat="%m-%d-%Y %l:%M %p" ctime(_time) AS c_time 
| table Cisco_ASA_user, Country, City, c_time, src_ip
| eval email_to=Cisco_ASA_user 
| sendresults

View solution in original post

woodcock
Esteemed Legend

This is from another Q&A:
https://answers.splunk.com/answers/399434/send-emailed-results-to-an-email-address-in-the-re.html#an...

If you need to send a contextually-appropriate subset of results to some people, you can skip the configuration-based email settings and do this in SPL:

... | outputcsv TempFile.csv
| stats values(Email_Address) AS emailToHeader | mvexpand emailToHeader
| map search ="|inputcsv TempFile.csv | where Email_Addresss=\"$emailToHeader$\"
   | fields - Email_Address
   | sendemail
      sendresults=true inline=true
      server=\"Your.Value.Here\"
      from=\"Your.Value.Here\"
      to=\"$emailToHeader$\"
      subject=\"Your Subject here: \$name\$\"
      message=\"This report alert was generated by \$app\$ Splunk with this search string: \$search\$\""
| where comment="MakeSureNoEventsRemail"
| append [|inputcsv TempFile.csv]

woodcock
Esteemed Legend

The map search =" should be map search=" (wihtout the extra space).

0 Karma

arsalanj
Path Finder

Thank you, @Woodcock,

I finally managed to make it work and this is how I did it:

index=cisco_asa vendor_class="aaa/auth" Cisco_ASA_message_id=113039| eval Cisco_ASA_user=replace (Cisco_ASA_user, "(-ad|-office|-dev|-office)", "")."@company.com" |  iplocation src_ip
  | convert timeformat="%m-%d-%Y %l:%M %p" ctime(_time) AS c_time |table Cisco_ASA_user, Country, City, c_time, src_ip
| eval email_to=Cisco_ASA_user | sendresults
0 Karma

n0str0m08
Explorer

Hi @arsalanj,

To append @company to Cisco_ASA_user field please add ."@company.com" at the end of the eval command.

index=cisco_asa vendor_class="aaa/auth" Cisco_ASA_message_id=113039 
| eval Cisco_ASA_user=replace (Cisco_ASA_user, "(-ad|-office|-dev)", "")."@company.com"

However, to send the email to that particular user it will be a bit tricky.
From the search above you can create an alert and add action to the alert -> send email. Now it depends from the amount of users that you have in Splunk environment. If there are only several of them you can create separate alert for each user. In other case you can give a try with tokens in a "To:" field. I am not sure if a token $Cisco_ASA_user$ will be working as I have never tried such thing before.

Here you can find a list of tokens which can be used for sure:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Alert/EmailNotificationTokens

EDIT:
I only copy/paste a final solution achieved by @arsalanj to have everything in the accepted answer.

index=cisco_asa vendor_class="aaa/auth" Cisco_ASA_message_id=113039
| eval Cisco_ASA_user=replace (Cisco_ASA_user, "(-ad|-office|-dev|-office)", "")."@company.com" 
| iplocation src_ip
| convert timeformat="%m-%d-%Y %l:%M %p" ctime(_time) AS c_time 
| table Cisco_ASA_user, Country, City, c_time, src_ip
| eval email_to=Cisco_ASA_user 
| sendresults

View solution in original post

arsalanj
Path Finder

Hi @n0str0m08
The ".company.com" part worked perfectly.
They are hundreds of users, so creating separate alert actions won't efficient.
Thank you for that resource too, I saw it before, but I had the problem of modifying that field.
Now that I can extract the user field thanks to you I can try different tokens to see how it works.
I wish I could just add $Cisco_ASA_User$ as a recipient in the alert section, but I don't think it will be that easy!
I'll keep updating this case.

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.