Splunk Enterprise Security

Splunk Enterprise Security: is there a way to notify someone via email that they have been assigned a notable event?

Path Finder

Is there any way to notify someone that an incident has been assigned to them?

For my incident review process, I have some regular users that check the dashboard every day. I have a couple of users that only periodically get a notable event assigned. They'd like to receive emails when a notable event is assigned.

1 Solution

Path Finder

This search solves the issue. As a note, you have to create an alert per Splunk user.

| `incident_review` | where owner_realname="John Doe" AND owner_realname != reviewer_realname AND _time>=relative_time(now(),"-20m") AND _time<now() | fields rule_name, urgency, status_label, owner_realname, reviewer_realname | rename rule_name as "Rule Name", urgency as Urgency, status_label as Status, owner_realname as Assignee, reviewer_realname as Assigner


Splunk Employee

Search typo above; updating for our Splunkers.

| `incident_review` | where owner_realname="GT3 Analyst" AND owner_realname != reviewer_realname AND _time>=relative_time(now(),"-40m") AND _time<now() | fields rule_name, urgency, status_label, owner_realname, reviewer_realname | rename rule_name as "Rule Name", urgency as Urgency, status_label as Status, owner_realname as Assignee, reviewer_realname as Assigner

Engager

This query will also trigger in case someone other than the user adds a comment to the notable event. Can you suggest any alternatives?
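One way to fire only on real reassignment, and with a single alert for all users instead of one per user. This is an added example, not a search from the thread. It assumes the `incident_review` macro exposes `rule_id`, `owner` and `reviewer` alongside the `_time`, `owner_realname`, `reviewer_realname`, `rule_name`, `urgency` and `status_label` fields used above, that an unowned notable carries the owner value `unassigned`, and that `/services/authentication/users` returns an `email` field for each account (the user running the alert needs permission to list users):

```spl
| `incident_review`
| sort 0 rule_id _time
| streamstats current=f last(owner) as previous_owner by rule_id
| fillnull value="unassigned" previous_owner
| where owner != previous_owner AND owner != reviewer
| where _time >= relative_time(now(), "-20m") AND _time < now()
| join type=left owner
    [| rest /services/authentication/users
     | rename title as owner
     | fields owner email]
| where isnotnull(email)
| table _time rule_name urgency status_label previous_owner owner_realname reviewer_realname email
| rename rule_name as "Rule Name", urgency as Urgency, status_label as Status, previous_owner as "Previous Owner", owner_realname as Assignee, reviewer_realname as Assigner
```

The `streamstats` step carries the previous review record's owner for the same notable (`rule_id`) onto each row, so a comment or status change that leaves `owner` unchanged is dropped by the first `where`; only rows where the owner actually changed survive, and self-assignments are excluded as in the original search. The time window is applied after `streamstats` so the previous record is still visible even when it is older than 20 minutes; schedule the alert on the same 20-minute interval as the window so each reassignment is reported exactly once. Save it with "Trigger: for each result" and put `$result.email$` in the email action's To field, which is what removes the need for one alert per user. Note that this reads the whole incident review lookup every run; on a large ES deployment, narrow it by `status` or by a recent `_time` floor a few days back before the `sort`.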


Community Manager

Hi @AndySplunks

Are you answering your own question, or just adding additional details to your question? You didn't really explain anything, so it would be great if you could add more context. If this is the answer that solved your question, be sure to accept your answer by clicking the "Accept" button to resolve this post.