Splunk Enterprise Security

How to set up email notifications for every new notable event?

Cain
Engager

I'm pretty new to Splunk ES, and have a pretty basic question. How do I set up an adaptive response for every new notable event to send an email to a dlist?

I see the option to add an adaptive response/email to each correlation search, but I am trying to configure it in one place to have an email sent for any new notable event that links back to the alert on the Incident Review screen

Any guidance is appreciated. Thanks.

Labels (2)
0 Karma
1 Solution

woodcock
Esteemed Legend

You are looking at it all wrong.  There is no way to do what you ask.  You can do it one-by-one but as you implied, it is an implementation and maintenance nightmare.  But there is a clever hack to achieve the same result.  Schedule this search to run every hour for the last hour and then add the "email" alert action.

`notable` | stats count BY search_name

View solution in original post

woodcock
Esteemed Legend

You are looking at it all wrong.  There is no way to do what you ask.  You can do it one-by-one but as you implied, it is an implementation and maintenance nightmare.  But there is a clever hack to achieve the same result.  Schedule this search to run every hour for the last hour and then add the "email" alert action.

`notable` | stats count BY search_name

Cain
Engager

Thank you, that worked for what I was trying to do; I just need to work on the email formatting using their $tokens$.

Do you have any general best practices around alerting and notifications in Splunk Cloud/ES? I'm generally thinking relying only on notable events may not be the best course.

Appreciate any insight

0 Karma

woodcock
Esteemed Legend

As with everything, beware alert fatigue.  If you send everybody every notable via any channel, you will gradually train your people to ignore them.  If you are going to send everything, I suggest using a pub/sub tool where you can push everything in but the receivers can opt-in to what they really need.

0 Karma
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...