Splunk Enterprise Security

Splunk Enterprise Security: is there a way to notify someone via email that they have been assigned a notable event?

AndySplunks
Communicator

Is there any way to notify someone that an incident has been assigned to them?

For my incident review process, I have some regular users that check the dashboard every day. I have a couple of users that only periodically get a notable event assigned. They'd like to receive emails when a notable event is assigned.

1 Solution

AndySplunks
Communicator

This search solves the issue. As a note, you have to create an alert per Splunk user.

| `incident_review` | where owner_realname="John Doe" AND owner_realname != reviewer_realname AND _time>=relative_time(now(),"-20m") AND _time<now() | fields rule_name, urgency, status_label, owner_realname, reviewer_realname | rename rule_name as "Rule Name", urgency as Urgency, status_label as Status, owner_realname as Assignee, reviewer_realname as Assigner


georgen_splunk
Splunk Employee

Search typo above; updating for our Splunkers.

| `incident_review` | where owner_realname="GT3 Analyst" AND owner_realname != reviewer_realname AND _time>=relative_time(now(),"-40m") AND _time<now() | fields rule_name, urgency, status_label, owner_realname, reviewer_realname | rename rule_name as "Rule Name", urgency as Urgency, status_label as Status, owner_realname as Assignee, reviewer_realname as Assigner

vikajha
Explorer

This query will also trigger in case someone other than the user adds a comment to the notable event. Can you suggest any alternatives?
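The false positive vikajha describes can be removed by comparing each review record's owner with the previous record for the same notable, so that a comment or status edit while the user already owns the notable does not fire. The following is an added Python example, not code from this thread or from Splunk ES; it assumes a per-notable `rule_id` key in the incident_review data and uses constructed records.

```python
"""Added example, not from the original thread: replay incident_review audit
records and keep only those where the target user newly became owner, so a
comment added by someone else while the user already owns the notable does
not fire. Field names follow the thread's search; `rule_id` as the
per-notable key is an assumption about the incident_review data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ReviewRecord:
    time: int               # _time, epoch seconds
    rule_id: str            # assumed per-notable key
    rule_name: str
    urgency: str
    status_label: str
    owner_realname: str     # "Assignee" in the thread's rename
    reviewer_realname: str  # "Assigner": the user who made this change


def new_assignments(records, assignee, now, window_s=20 * 60):
    """Records in [now-window_s, now) where `assignee` became owner of a notable
    whose previous review record had a different owner (or none)."""
    previous_owner = {}
    hits = []
    # Walk every record in time order, including those before the window, so the
    # previous owner of each notable is already known when the window is reached.
    for r in sorted(records, key=lambda x: x.time):
        prev = previous_owner.get(r.rule_id)
        previous_owner[r.rule_id] = r.owner_realname
        if not (now - window_s <= r.time < now):
            continue
        # The thread's original conditions: owner is the target and not self-assigned.
        if r.owner_realname != assignee or r.reviewer_realname == assignee:
            continue
        # The missing condition: the owner must actually have changed on this record.
        if prev == assignee:
            continue  # comment or status edit by someone else; already assigned
        hits.append(r)
    return hits


NOW = 1_700_000_000  # constructed "now" so the example is deterministic
SAMPLE = [  # constructed records
    ReviewRecord(NOW - 3600, "N1", "Brute Force", "high", "New", "Alice", "Alice"),
    ReviewRecord(NOW - 600, "N1", "Brute Force", "high", "In Progress", "John Doe", "Alice"),
    ReviewRecord(NOW - 300, "N1", "Brute Force", "high", "In Progress", "John Doe", "Carol"),
    ReviewRecord(NOW - 200, "N2", "Malware Seen", "medium", "New", "John Doe", "John Doe"),
    ReviewRecord(NOW - 2000, "N3", "Beaconing", "critical", "New", "John Doe", "Alice"),
    ReviewRecord(NOW - 50, "N3", "Beaconing", "critical", "New", "John Doe", "Dave"),
]

if __name__ == "__main__":
    for r in new_assignments(SAMPLE, "John Doe", NOW):
        print(f"{r.rule_name} ({r.urgency}) assigned to {r.owner_realname} by {r.reviewer_realname}")
```

Of the constructed records, only the N1 hand-off from Alice fires; the later comment on N1, the self-assignment on N2, and the comment on N3 (assigned before the window) are all suppressed, whereas the thread's search would have emailed on three of them.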

AndySplunks
Communicator

This search solves the issue. As a note, you have to create an alert per Splunk user.

| `incident_review` | where owner_realname="John Doe" AND owner_realname != reviewer_realname AND _time>=relative_time(now(),"-20m") AND _time<now() | fields rule_name, urgency, status_label, owner_realname, reviewer_realname | rename rule_name as "Rule Name", urgency as Urgency, status_label as Status, owner_realname as Assignee, reviewer_realname as Assigner

ppablo
Retired

Hi @AndySplunks

Are you answering your own question, or just adding additional details to your question? You didn't really explain anything, so it would be great if you could add more context. If this is the answer that solved your question, be sure to accept your answer by clicking the "Accept" button to resolve this post.
