Splunk Enterprise Security

Using a different email address to send email responses using adaptive response action

shiv1593
Communicator

Hi All,

I have a use case where I want to send replies using a separate email address than the default address of Splunk. What I'm trying to achieve is:

  1. I have a sourcetype, and from its logs I have a field called "User email"
  2. I want to send individual automatic responses to the email addresses present in the field.
  3. The default email id for my Splunk solution is abc_splunk@mycompany.com. But I do not want to send the replies using this email address. I want to use informationawareness@mycompany.com.
  4. I would like to use informationawareness@mycompany.com for this particular set of data "User email" and the sourcetype only. All the other emails should go using the default id abc_splunk@mycompany.com.
  5. I have the basic SMTP settings for the mailbox server of informationawareness@mycompany.com.
  6. I want to know in which configuration files do I have to make the change in order to achieve my goal.

Any help will be highly appreciated.
Thank you

0 Karma

p_gurav
Champion

Hi shiv1593,

Give this a try with:

  1. The sendemail command, where you can specify multiple from addresses and different SMTP servers:

    | sendemail from="informationawareness@mycompany.com" server=(SMTP server host)

Note: Make sure of the connectivity between the Splunk server and the SMTP server.

  2. Edit savedsearches.conf and specify the action.email.mailserver attribute for this saved search.
0 Karma

shiv1593
Communicator

Hi p_gurav,

This seems intriguing. I will try and implement this and let you know my findings.

Thank you very much

0 Karma

lakshman239
SplunkTrust
SplunkTrust

If you are using Splunk ES and the adaptive response of the Email, one approach [not a clean one] would be to have one correlation search for the specific host for informationawareness and another correlation search for the rest of them, and update the action.email.mailserver; it should still work.

0 Karma

p_gurav
Champion

Hi,

Try using the sendemail command with a custom from.

0 Karma

shiv1593
Communicator

Hi p_gurav,

Tried that. Doesn't work. I guess it has something to do with the configuration of the mail I'm trying to use. Unless I open the port on my search head and the mailbox server, and establish the basic SMTP connection, I won't be able to use it. I just wanted to figure out where I should put those SMTP settings in Splunk, I mean inside which configuration file, and how that stanza will have to be designed in order to get it executed.

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

If you use Splunk Web, then click on Settings -> Saved Searches -> <Alert Name> -> Edit -> Advanced Edit and override action.email.from, which by default is splunk@<LOCALHOST> (or whatever is set in alert_actions.conf).

0 Karma

shiv1593
Communicator

Hi Harsh,

Tried that. Doesn't work, since the SMTP server and settings of the mail id that I want to trigger the alert from, informationawareness@mycompany.com, are different. From what I figure, I may need to specify the settings of the mail ID within my search head, so that Splunk reads and uses it for this particular alert, which is giving me the field "User email", and uses the email addresses present inside the field and replies to them individually. I want all of the other emails going from Splunk using the default ID itself.

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

So based on your comment, I am assuming that you are running a single scheduled search which has the User Email field and you want to send email to all those email ids, but you want a different from email address for certain users (email ids) only?

0 Karma

shiv1593
Communicator

Correct. I am running a scheduled search, which triggers conditions per event, picks out an email address from the User email field, and sends it a pre-drafted email. It does the same for all the email addresses which are produced when the search runs. But for this particular search, I want to use a different "from email address", which would be informationawareness@mycompany.com, instead of the default email address of Splunk, which in my case is abc_splunk@mycompany.com. I want all of my other searches to use the default email address of Splunk, which is abc_splunk@mycompany.com, like they are doing as of now.

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Can you please share your alert_actions.conf and savedsearch.conf for that particular search (please mask/alter any sensitive data) from the Search Head?

0 Karma

shiv1593
Communicator

Hi Harsh,

Sorry for such a delay in response. Here is the savedsearch.conf.

[My_Search]
action.email = 1
action.email.include.search = 1
action.email.include.view_link = 0
action.email.inline = 1
action.email.sendcsv = 1
action.email.sendpdf = 1
action.email.sendresults = 1
action.email.to = senders
action.email.useNSSubject = 1
action.keyindicator.invert = 0
action.makestreams.param.verbose = 0
action.nbtstat.param.verbose = 0
action.notable.param.verbose = 0
action.nslookup.param.verbose = 0
action.ping.param.verbose = 0
action.risk.param.verbose = 0
action.threat_add.param.verbose = 0
alert.track = 0

Here is the alert_actions.conf

[name of the alert]
from=splunk@localhost.com
to=$user_email$
subject="My subject as mentioned in the alert"
sendresults=1
inline=1
priority=5
mailserver=local mail server:port number as defined
sendpdf=1
sendcsv=1

0 Karma

p_gurav
Champion

Are the SMTP servers for abc_splunk@mycompany.com and informationawareness@mycompany.com different? Normally Splunk uses alert_actions.conf for storing these configurations.

0 Karma

shiv1593
Communicator

Yes, both of them have different SMTP relay servers. I thought about the alert_actions.conf file; I'm just not sure how to edit it to use it just for this particular alert, and leave the default ID for the rest of the things.

0 Karma
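As an added example (not posted by anyone in this thread), here is how the two files fit together for the setup being discussed: alert_actions.conf holds the site-wide defaults for the email action in its [email] stanza, and a single saved search overrides only the sender and relay by prefixing the same keys with action.email. in its own savedsearches.conf stanza. All hostnames, ports and the field name user_email are constructed for the example; the TLS setting is an assumption about what the second relay requires.

```ini
# alert_actions.conf (e.g. in an app's local/ directory)
# Site-wide defaults for the email action. Every other alert keeps using these.
# Note that the stanza is the action name [email], not the name of an alert.
[email]
from = abc_splunk@mycompany.com
# constructed default relay
mailserver = smtp-default.mycompany.com:25

# savedsearches.conf (same app's local/ directory)
# Only this search overrides the sender and relay. Any action.email.<key>
# set here takes precedence over the [email] stanza in alert_actions.conf.
[My_Search]
action.email = 1
action.email.from = informationawareness@mycompany.com
# constructed relay for the second mailbox (host:port)
action.email.mailserver = smtp-ia.mycompany.com:587
# assumption: that relay requires STARTTLS
action.email.use_tls = 1
# assumes the field from the events is named user_email;
# $result.<field>$ is expanded per result
action.email.to = $result.user_email$
action.email.subject = My subject as mentioned in the alert
action.email.sendresults = 1
action.email.inline = 1
# fire the action once per result so each address gets its own mail
alert.digest_mode = 0
```

Two checks are worth doing after the change. Confirm the merged settings with `splunk btool savedsearches list My_Search --debug` on the search head, which also shows which file each value came from, so an override in a different app's local/ directory that silently wins is easy to spot. Then verify that the search head can actually reach the second relay on the configured port, since a per-search override changes only what Splunk asks for, not the network path. If the relay needs authentication, the auth_username and auth_password keys from the [email] stanza can be prefixed the same way; keep that file in local/ with restricted filesystem permissions rather than in a shared default/ directory.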