Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I add the sendemail response action with the link to incident review page for a correlation search

nareerat_pr
Explorer
‎09-07-2020 02:44 AM

I've created a correlation search, then I want to add the send email response action with a link to this rule that show on incident review page, it will be easy for my team to access to this incident by the email and do more action.

Please recommend, I don' t want the link to alert result, I want the link to the incident review page that show only the incident from this rule.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
Super Champion
‎09-07-2020 03:06 AM

you can't have from the same correlation search.

you need to create a search that uses `notable` macro where this will provide unique id for each notable.

that is event_id.
you need to prepare splunk_url in a way that the url will redirect user to incident review page.

if you are using enterprise security.

 

| eval minusFive=_time-300,plusFive=_time+300
| eval splunk_url="https://instancename/en-US/app/SplunkEnterpriseSecuritySuite/incident_review?form.srch=event_id%3D"+event_id+"&form.srch=event_id%3D"+event_id+"&form.source="+search_name
+"&earliest="+minusFive+"&latest="+plusFive

 

 

 

————————————
If this helps, give a like below.

View solution in original post

Reply
Solved! Jump to solution
Solution

thambisetty
Super Champion
‎09-07-2020 03:06 AM

you can't have from the same correlation search.

you need to create a search that uses `notable` macro where this will provide unique id for each notable.

that is event_id.
you need to prepare splunk_url in a way that the url will redirect user to incident review page.

if you are using enterprise security.

 

| eval minusFive=_time-300,plusFive=_time+300
| eval splunk_url="https://instancename/en-US/app/SplunkEnterpriseSecuritySuite/incident_review?form.srch=event_id%3D"+event_id+"&form.srch=event_id%3D"+event_id+"&form.source="+search_name
+"&earliest="+minusFive+"&latest="+plusFive

 

 

 

————————————
If this helps, give a like below.
Reply
Get Updates on the Splunk Community!

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...