Splunk Enterprise Security

Email Alert if ES Notable is Anything but Low Severity


Has anyone found a way to send an email for an ES notable based on Severity level? So the exact use case is, EDR events will generate an ES notable in incident review. These notable events will have a different severity levels based on multiple variables that make up the event. We want to have one rule; an ES notable for each event; but only send an email if the severity is Critical or High, no need for an email if the severity is low. We have only been able to accomplish this with two correlation rules. Any ideas are appreciated.

Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!