Splunk Enterprise Security

Splunk Enterprise Security: is there a way to notify someone via email that they have been assigned a notable event?

AndySplunks
Communicator

Is there any way to notify someone that an incident has been assigned to them?

For my incident review process, I have some regular users that check the dashboard every day. I have a couple of users that only periodically get a notable event assigned. They'd like to receive emails when a notable event is assigned.

1 Solution

AndySplunks
Communicator

This search solves the issue. As a note, you have to create an alert per Splunk user.

| `incident_review` | where owner_realname="John Doe" AND owner_realname != reviewer_realname AND _time>=relative_time(now(),"-20m") AND _time<now() | fields rule_name, urgency, status_label, owner_realname, reviewer_realname | rename rule_name as "Rule Name", urgency as Urgency, status_label as Status, owner_realname as Assignee, reviewer_realname as Assigner

georgen_splunk
Splunk Employee

Search typo above; updating for our Splunkers.

| `incident_review` | where owner_realname="GT3 Analyst" AND owner_realname != reviewer_realname AND _time>=relative_time(now(),"-40m") AND _time<now() | fields rule_name, urgency, status_label, owner_realname, reviewer_realname | rename rule_name as "Rule Name", urgency as Urgency, status_label as Status, owner_realname as Assignee, reviewer_realname as Assigner

vikajha
Explorer

This query will also trigger in case someone other than the user adds a comment to the notable event. Can you suggest any alternatives?
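An added example, not part of vikajha's or AndySplunks' posts, of one way to address the comment problem: every edit in Incident Review (comment, status change, urgency change) writes a new row to the `incident_review` output, and the accepted search fires on any row where the owner is not the editor. Comparing each row's owner with the previous row for the same notable means the alert only fires when the owner field actually changed. It assumes `rule_id` is the per-notable key in the `incident_review` output and that `owner_realname` is empty on rows where nobody has been assigned yet; "John Doe" is a placeholder for the user you create the alert for.

```spl
| `incident_review`
| sort 0 rule_id _time
| streamstats current=f last(owner_realname) as prev_owner by rule_id
| eval prev_owner=coalesce(prev_owner, "unassigned")
| where owner_realname="John Doe"
    AND owner_realname!=prev_owner
    AND owner_realname!=reviewer_realname
    AND _time>=relative_time(now(),"-20m") AND _time<now()
| fields rule_name, urgency, status_label, owner_realname, reviewer_realname
| rename rule_name as "Rule Name", urgency as Urgency, status_label as Status, owner_realname as Assignee, reviewer_realname as Assigner
```

The time filter is applied after `streamstats` on purpose: the previous owner has to come from the notable's full history, not just the last 20 minutes, otherwise a notable first edited inside the window would always look newly assigned. The `coalesce` handles the first row per notable, where `prev_owner` is null and the `!=` comparison would otherwise silently evaluate to false and drop a genuine first assignment. The `owner_realname!=reviewer_realname` condition is kept from the original so that self-assignment does not send the user an email about their own action.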

ppablo
Community Manager

Hi @AndySplunks

Are you answering your own question, or just adding additional details to your question? You didn't really explain anything, so it would be great if you could add more context. If this is the answer that solved your question, be sure to accept your answer by clicking the "Accept" button to resolve this post.
