Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Send email on Notable Event close action

Splunkometry88
Explorer
‎09-02-2020 03:55 PM

Hi Team

I am looking to send an email alert once the notable event is closed, I can send an email when the notable event is created but I cannot seem to find a way to send an email when the notable event is closed

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Jhunter
Explorer
‎09-04-2020 02:43 PM

The only thing I can think of is a new correlation search (or scheduled search - an Alert with email as trigger actions) that looks at the incident_review.csv (or the macro `incident_review` which has better context) and tracks status changes for notables going from 1 to 5. 

One way without thinking about the logic too deeply is to create a new CSV with all notables with unclosed status (coming from the incident_review.csv) 

Have the search run every 5-15 minutes (it shouldn't be resource intensive) and use a lookup command against incident_review.csv and look for where one of the unclosed notables has changed to a closed status.

Hope this helps..

 

 

View solution in original post

Reply
Solved! Jump to solution
Solution

Jhunter
Explorer
‎09-04-2020 02:43 PM

The only thing I can think of is a new correlation search (or scheduled search - an Alert with email as trigger actions) that looks at the incident_review.csv (or the macro `incident_review` which has better context) and tracks status changes for notables going from 1 to 5. 

One way without thinking about the logic too deeply is to create a new CSV with all notables with unclosed status (coming from the incident_review.csv) 

Have the search run every 5-15 minutes (it shouldn't be resource intensive) and use a lookup command against incident_review.csv and look for where one of the unclosed notables has changed to a closed status.

Hope this helps..

 

 

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...