Splunk Enterprise Security

Splunk Enterprise Security: is there a way to notify someone via email that they have been assigned a notable event?

AndySplunks
Communicator

Is there any way to notify someone that an incident has been assigned to them?

For my incident review process, I have some regular users who check the dashboard every day. I have a couple of users that only periodically get a notable event assigned. They'd like to receive emails when a notable event is assigned.

1 Solution

AndySplunks
Communicator

This search solves the issue. As a note, you have to create an alert per Splunk user.

| `incident_review` | where owner_realname="John Doe" AND owner_realname != reviewer_realname AND _time>=relative_time(now(),"-20m") AND _time<now() | fields rule_name, urgency, status_label, owner_realname, reviewer_realname | rename rule_name as "Rule Name", urgency as Urgency, status_label as Status, owner_realname as Assignee, reviewer_realname as Assigner


georgen_splunk
Splunk Employee

Search typo above; updating for our Splunkers.

| `incident_review` | where owner_realname="GT3 Analyst" AND owner_realname != reviewer_realname AND _time>=relative_time(now(),"-40m") AND _time<now() | fields rule_name, urgency, status_label, owner_realname, reviewer_realname | rename rule_name as "Rule Name", urgency as Urgency, status_label as Status, owner_realname as Assignee, reviewer_realname as Assigner

vikajha
Explorer

This query will also trigger in case someone other than the user adds a comment to the notable event. Can you suggest any alternatives?
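As an added example (not code from the thread or from Splunk), the filter logic of the accepted search modelled in Python over constructed Incident Review rows, together with the edge case raised in the comment above: an audit entry written by a third person while the owner stays the same matches the original filter, whereas a variant that also requires the owner to have changed since the previous entry for the same notable (roughly what `streamstats` grouped by the notable's id would give you in SPL) does not. The `rule_id` field, the user names and the sample rows are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of what the `incident_review` macro returns: one row per
# Incident Review audit entry (assignment, status change, comment), oldest first.
NOW = datetime(2024, 3, 1, 12, 0, 0)


def _row(minutes_ago, rule_id, owner, reviewer, status="New"):
    return {"_time": NOW - timedelta(minutes=minutes_ago), "rule_id": rule_id,
            "rule_name": "Brute Force Access Behavior Detected", "urgency": "high",
            "status_label": status, "owner_realname": owner, "reviewer_realname": reviewer}


SAMPLE_ROWS = [
    _row(30, "A1", "John Doe", "Jane Lead"),            # assigned 30 min ago: outside the window
    _row(15, "A1", "John Doe", "Sam Peer", "In Progress"),  # Sam comments; owner unchanged
    _row(5, "B2", "John Doe", "Jane Lead"),             # fresh assignment by Jane
    _row(3, "C3", "John Doe", "John Doe"),              # self-assigned: reviewer == owner
]


def in_window(row, now, minutes=20):
    """_time >= relative_time(now(), "-20m") AND _time < now()"""
    return now - timedelta(minutes=minutes) <= row["_time"] < now


def assigned_by_other(rows, user, now, minutes=20):
    """Filter from the accepted answer: owner is `user`, reviewer is someone else, recent."""
    return [r for r in rows
            if r["owner_realname"] == user
            and r["owner_realname"] != r["reviewer_realname"]
            and in_window(r, now, minutes)]


def newly_assigned_by_other(rows, user, now, minutes=20):
    """Stricter variant: the owner must also differ from the previous entry for the same rule_id,
    so a comment or status change by a third person on an already-assigned notable is ignored."""
    prev_owner, hits = {}, []
    for r in sorted(rows, key=lambda r: r["_time"]):
        changed = prev_owner.get(r["rule_id"]) != r["owner_realname"]
        prev_owner[r["rule_id"]] = r["owner_realname"]
        if changed and r["owner_realname"] == user \
                and r["owner_realname"] != r["reviewer_realname"] and in_window(r, now, minutes):
            hits.append(r)
    return hits


def render(rows):
    """The answer's `fields` / `rename` step, producing the columns the email would carry."""
    names = {"rule_name": "Rule Name", "urgency": "Urgency", "status_label": "Status",
             "owner_realname": "Assignee", "reviewer_realname": "Assigner"}
    return [{new: r[old] for old, new in names.items()} for r in rows]
```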


ppablo
Retired

Hi @AndySplunks

Are you answering your own question, or just adding additional details to your question? You didn't really explain anything, so it would be great if you could add more context. If this is the answer that solved your question, be sure to accept your answer by clicking the "Accept" button to resolve this post.
