Educause Security Discussion mailing list archives
Re: Operational question: formatting Splunk alerts
From: Emily Harris <emharris () VASSAR EDU>
Date: Fri, 1 Mar 2019 11:28:12 -0500
Thank you! That is a crazy amount of information to unpack. I'm going to write you offline for some follow-up.

The intended audience for this alert is someone in payroll. It needs to be really clear - it should say person A, located in geographical location B, changed their bank information on this date, at this time, using that type of device. The way the alert goes out now is purely "header" and "field" data. I want to just get it out in a plain English format so that non-technical people can read it and take action if necessary.

----
Emily Harris, CISSP
Information Security Officer, CIS
Vassar College
845-437-7221

On Wed, Feb 27, 2019 at 2:04 PM Garrett Hildebrand <gdh () uci edu> wrote:

Emily,

Just curious... in what way do you want to re-format them? Can you show an alert that is generated and then what you'd like to see differently in it?

So now some potential help in general...

In the Message portion of an alert that has an Action of "Send email" you can use tokens to build customized messages. The tokens are described here:
https://docs.splunk.com/Documentation/Splunk/7.1.2/Alert/EmailNotificationTokens
That might get you somewhere. There are new options for this area as of the 6.1.* release.

Also, if you place an alert_actions.conf file in ~/etc/apps/search/local (and the alert runs out of the search app) then there is a lot you can customize, as described here (plus the option to run a script, as you mentioned):
https://answers.splunk.com/answers/389294/how-to-use-html-code-in-email-alerts-to-format-the.html

And, you can actually modify the way the search results are presented, as described here:
https://answers.splunk.com/answers/543473/how-to-change-the-alert-email-result-format.html

There is a very light-weight description of running an external script to format your alert results here:
https://docs.splunk.com/Documentation/Splunk/6.5.2/Alert/Configuringscriptedalerts#Script_option
Change the release in the URL to match what you are using. Note that it can be a perl script or python as well.

If you decide that you want to go the route of modifying sendemail.py, there is a way to do this without having it overwritten every time you upgrade. Basically, you copy the program to a new name, and point Splunk at that, as described here:
https://answers.splunk.com/answers/2641/how-do-i-customize-scheduled-search-alert-emails.html

Something I have used is to save a search as a report, and have a sendemail at the end. When you run the report it will generate an email. Here is a simple example:

index=syslogs_adcom pikfs
| rex "WebAuth:.*\s+-\s+(?<Action>[^ ]+)\s+.*http.*expresso\/pikfs\/(?<pikfsStem>[^\? ]+).*?\s(?<Result>[^ ]+)\s+(?<Message>.*)"
| stats count by userID Action pikfsStem Result Message
| addtotals col=t row=f
| sendemail to="somebody () uci edu" cc="somebodyelse () uci edu" subject="A sample search for pikfs events for Today (Ref.: JIRA SEC-4338" sendresults=true footer="Please see the JIRA to obtain a copy of the search and run it yourself if you like"

Something that is not well documented about the sendemail command is that many of the tokens available for an email alert are also available to the sendemail command. I don't have a definitive list but I have used a number of them in this way. See the potential list in the "Tokens that access search metadata" area of:
https://docs.splunk.com/Documentation/Splunk/6.1.2/Alert/Setupalertactions#Email_notification

Garrett

-==-==-
G.D. Hildebrand
Senior IT Security Analyst
UC Irvine, OIT, 6137 Science Library, Irvine, 92697-1175
tel.: 949-824-8913
email: gdh () uci edu
My URL http://about.me/garretthildebrand
Splunk> the Benihana of log-data slicing and dicing. ¯\_(ツ)_/¯
Don't be a victim of phishing. Legitimate businesses don't ask you to send sensitive information through insecure channels. Learn more: http://er.educause.edu/blogs/2016/3/april-dont-get-hooked
Handle passwords wisely: http://www.bbc.com/news/technology-37510501

Today (Wed, 27 Feb 2019) at 12:55 -0500 Emily Harris wrote:

I have an operational question for a Splunk expert. We want to re-format our alert emails from Splunk with a custom template so they are more human readable. The idea is that we send certain triggers via email to a non-IT person and the format of that email should be less technical (i.e. the raw or JSON payload). From what I can tell there are 3 methods:
1. Edit the sendemail.py script directly
2. Launch an external bash script
3. Use a script plugin
Has anyone used any of these methods successfully and can either point me to a really clear "how-to" document or make some time for a consult? Thank you!

----
Emily Harris, CISSP
Information Security Officer, CIS
Vassar College
845-437-7221
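A worked version of the external-script route discussed in the thread, added here as an example and not code from either poster: a scripted alert that Splunk runs with the gzipped CSV of results as its 8th argument, rendering each row as the sentence the payroll audience needs instead of the raw header/field dump, and flagging rows with empty fields rather than dropping them. The field names user, location, _time and device_type are assumptions and must match what your own search produces.

```python
#!/usr/bin/env python3
"""Scripted-alert formatter (added example, not code from the thread).
Splunk's scripted alert interface passes the gzipped CSV of results as the
script's 8th argument (sys.argv[8])."""
import csv
import gzip
import sys
from datetime import datetime, timezone

# Assumed field names: make the search produce these (rex/eval/iplocation)
# or rename them here to match the fields you actually alert on.
FIELDS = ("user", "location", "_time", "device_type")

def split_time(value):
    """(date, time) from epoch seconds or a 'YYYY-MM-DD HH:MM:SS...' string."""
    try:
        dt = datetime.fromtimestamp(float(value), tz=timezone.utc)
        return dt.strftime("%Y-%m-%d"), dt.strftime("%H:%M:%S UTC")
    except ValueError:
        parts = value.split(" ", 1)
        return parts[0], (parts[1] if len(parts) > 1 else "an unknown time")

def format_row(row):
    """One result row -> one sentence a payroll clerk can act on."""
    missing = [f for f in FIELDS if not row.get(f)]
    if missing:
        # Never let a bank-change event vanish because a field was empty.
        return "INCOMPLETE EVENT (missing %s): %s" % (", ".join(missing), dict(row))
    date, clock = split_time(row["_time"])
    return ("%s, located in %s, changed their bank information on %s at %s "
            "using a %s device." % (row["user"], row["location"], date, clock,
                                     row["device_type"]))

def build_message(rows):
    """Plain-English body for the whole alert, not a raw field/header dump."""
    if not rows:
        return "No bank information changes were reported in this period."
    lines = ["%d bank information change(s) need review:" % len(rows), ""]
    lines += ["%d. %s" % (i, format_row(r)) for i, r in enumerate(rows, 1)]
    return "\n".join(lines)

def parse_results(lines):
    """Parse Splunk's CSV lines (header row first) into dicts."""
    return list(csv.DictReader(lines))

def load_results(path):
    with gzip.open(path, "rt", newline="") as fh:
        return parse_results(fh)

if __name__ == "__main__":
    print(build_message(load_results(sys.argv[8])))  # hand this to your mail step
```

The script only produces the text; delivering it (via the mail step or sendemail options described above) is left to the alert configuration.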