Splunk Enterprise

Email automation issue

sheamus69
Communicator

Hi,

I have put together a correlation which looks at user account lockouts, and have it send an email (using the GUI Adaptive Response Actions).

My issue is that if the correlation detects a single lockout within its search window, it will generate the email; however, if there are multiple results returned, it fails to send out emails.

Example correlation search:

| tstats summariesonly=true count earliest(_time) as FirstSeen latest(_time) as LastSeen values(All_Changes.src) as Computer values(All_Changes.Account_Management.dest_nt_domain) as All_Changes.Account_Management.dest_nt_domain
    from datamodel=Change 
    where All_Changes.result_id=4740 All_Changes.Account_Management.src_nt_domain=mydomain
    by  All_Changes.Account_Management.src_nt_domain  All_Changes.user All_Changes.result_id All_Changes.result All_Changes.signature 
| eval FirstSeen=strftime(FirstSeen,"%Y-%m-%d %H:%M.%S"), LastSeen=strftime(LastSeen,"%Y-%m-%d %H:%M.%S") 
| rename All_Changes.* as * 
| rename Account_Management.* as * 
| `thales_get_asset(dest_nt_domain)` 
| `get_identity4events(user)`
| table FirstSeen LastSeen src_nt_domain dest_nt_domain user_original user_first user_email Computer result_id result signature count Computer_description Computer_ip Computer_lookup_source Computer_owner

With the Email Adaptive response configured something like so:

To: $result.user_email$

Subject: $name$ - $result.user_original$


Body:

Hi $result.user_first$,

[some explanation stuff here]

Between $result.FirstSeen$ and $result.LastSeen$, your account $result.user_original$ has been locked out $result.count$ times.

These account lockouts occurred on the following systems:

$result.dest_nt_domain$
[blah blah etc]

Any idea what I am doing wrong here, any advice on how to progress, etc?

Cheers,

Sheamus

1 Solution

sheamus69
Communicator

OK, I managed to get this working through using Alerts instead of Correlation searches.

I have no idea why using a Correlation wouldn't work; presumably they work subtly differently from alerts under the hood?

So, in short, to get this working I saved my main search as an alert, with a scheduled run time. Within the scheduled search settings there was an option to Trigger for each event; selecting this fixed my issue.

Sheamus
