Splunk Enterprise Security

Send email on Notable Event close action

Splunkometry88
Explorer

Hi Team

I am looking to send an email alert once the notable event is closed, I can send an email when the notable event is created but I cannot seem to find a way to send an email when the notable event is closed

Labels (2)
0 Karma
1 Solution

Jhunter
Explorer

The only thing I can think of is a new correlation search (or scheduled search - an Alert with email as trigger actions) that looks at the incident_review.csv (or the macro `incident_review` which has better context) and tracks status changes for notables going from 1 to 5. 

One way without thinking about the logic too deeply is to create a new CSV with all notables with unclosed status (coming from the incident_review.csv) 

Have the search run every 5-15 minutes (it shouldn't be resource intensive) and use a lookup command against incident_review.csv and look for where one of the unclosed notables has changed to a closed status.

Hope this helps..

 

 

View solution in original post

Jhunter
Explorer

The only thing I can think of is a new correlation search (or scheduled search - an Alert with email as trigger actions) that looks at the incident_review.csv (or the macro `incident_review` which has better context) and tracks status changes for notables going from 1 to 5. 

One way without thinking about the logic too deeply is to create a new CSV with all notables with unclosed status (coming from the incident_review.csv) 

Have the search run every 5-15 minutes (it shouldn't be resource intensive) and use a lookup command against incident_review.csv and look for where one of the unclosed notables has changed to a closed status.

Hope this helps..

 

 

View solution in original post

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!