
Alerts by e-mail in real time. Is it feasible? Or How to Make an Alert in Splunk - Part 1

How much time passes between the moment an important event occurs and the response to it? Often a lot! One of the factors that affects response time is the late notification of the staff responsible for making decisions.



Today we will show how to receive notifications about important security incidents, critical states of IT systems, significant deviations of various indicators from the norm, or any other events of interest to you, in real time and in a convenient format, in particular by e-mail.

We will implement the alerts in Splunk, a product specializing in the analysis of machine data, which we wrote about earlier.

Task


Company X wants to receive e-mail notifications about unsuccessful attempts to authenticate to Splunk, and also about cases where the firewall identifies high-risk events related to applications or sites. The messages should contain basic information about the event in a form convenient for the recipient.

Implementation


Authentication control


We build a query that identifies the event of interest and present the result as a table whose columns should appear in the message (we wrote earlier about how to write search queries in Splunk here). Save it: "Save As" - "Alert".



Configure the alert: set the alert type to Real-time. As the trigger condition, specify that the number of events per 1 minute must be greater than zero. Add an action to run when the alert triggers. In messages you can use tokens that reference the search information, including field values. All tokens are listed at the following link.




To send messages you also need to set up the mail server in Splunk and specify the address the mail will be sent from: "Settings" - "Server settings" - "Email settings".



When this event occurs, we receive a message in the mailbox.



The alert for an incident identified by the firewall is configured in the same way.
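The authentication alert configured above through the UI, written out as the configuration Splunk stores on disk, as an added example that is not part of the original post. It covers the three steps (search, trigger condition with e-mail action, mail server settings) in one place; the firewall alert differs only in the search string and the columns of the table. Assumptions: the alert is named "Failed Splunk logins", the recipient, sender and mail relay (soc@example.com, splunk@example.com, mail.example.com) are placeholders, and the field names user, src and reason are the ones Splunk writes into its own audit events.

```ini
# Added example, not from the original post.
# File: $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf
# Alert name and addresses below are assumed placeholders.
[Failed Splunk logins]
# Splunk records its own login attempts in the _audit index; info=failed
# keeps the unsuccessful ones. The table lists the columns that will appear
# in the e-mail (field names assumed from Splunk audit events).
search = index=_audit action="login attempt" info=failed | table _time user src reason

# Real-time search over a rolling 1-minute window
dispatch.earliest_time = rt-1m
dispatch.latest_time = rt
enableSched = 1

# Trigger condition: number of events in the window greater than zero
counttype = number of events
relation = greater than
quantity = 0
# The same condition as the UI displays it
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0

# Record triggered alerts under Activity > Triggered Alerts, severity 4 = error
alert.track = 1
alert.severity = 4
# One e-mail per trigger with all matching rows, rather than one per row
alert.digest_mode = 1

# E-mail action. $name$, $job.resultCount$ and $result.<field>$ are alert
# tokens resolved when the alert fires; in digest mode $result.*$ holds the
# first row, the inline table carries the rest.
action.email = 1
action.email.to = soc@example.com
action.email.subject = Splunk alert: $name$ ($job.resultCount$ failed login(s))
action.email.message.alert = Failed login for user $result.user$ from $result.src$ at $result._time$. Reason: $result.reason$
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
action.email.include.results_link = 1
action.email.include.trigger_time = 1
```

The mail server from "Settings" - "Server settings" - "Email settings" lands in the `[email]` stanza of `$SPLUNK_HOME/etc/system/local/alert_actions.conf` (keys `mailserver`, `from`, `use_tls`, `auth_username`; enter the password through the UI so it is stored encrypted rather than as clear text). Two things worth checking before relying on the alert: with `alert.digest_mode = 1` the `$result.*$` tokens describe only the first failed attempt in the window, so keep the inline results table enabled to see the others; and field values such as `user` are copied into the message as-is, so an unexpected value in the e-mail body is a reason to look at the raw audit event, not to trust the summary line.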

High-risk event identification




Conclusion


Thus, using Splunk we quickly and easily set up alerts that will help us respond in a timely manner when problem events occur.

We are happy to answer all your questions and comments on this topic. Also, if you are interested in something specific in this area, or in the field of machine data analysis in general, we are ready to adapt the existing solutions to your particular task. To do this, write about it in the comments or simply send us a request through the form on our website.

PS


On June 28, 2018, the "Splunk Getting Started" course will be taught in Moscow, where in 6 hours participants will receive a theoretical base and practical skills for working in Splunk. Learn more about the training and register at this link.

Source: https://habr.com/ru/post/351038/
