Re: Send email only once after an episode is open ...

damickel · ‎10-09-2020

I'm creating a number of correlation searches, and I'd like to be able to send an email ONLY when an episode has been open for more then X number of minutes.

If i go into the aggregation policy and set 'If this episode existed for X second(s)', then any event that is added to the episode after X seconds triggers an additional email, which potentially could be a lot of emails. I haven't been able to find a combination of settings that will just send an email once from the aggregation policy rules.

I considered the option to create an alert search for an episode that has been up for a certain period of time in a 'New' state, but I'd prefer for it to be built into the aggregation policy.

Anyone else hit something similar?

digithead1 · ‎10-27-2020

I worked with Splunk Professional Services consultants for ITSI 4.4.5 and covered this example and another where if the episode was open for x time and the severity was high. But the first event even being high did not satisfy the severity condition until the time did. Then it took another event of "high" to meet the second after the the time. But what if no other events arrive? Consultants recommended submitting a enhancement request as this is the way the developer currently coded the application. They have a lot of work on their ITSI solution to be more robust like HP OMi and other more advanced event monitoring systems.

Send email only once after an episode is open for a period of time

administration

configuration

using ITSI

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023

Security Newsletter Updates | March 2023