Splunk Enterprise Security

How to integrate email alerts into splunk

naregayam
New Member

Hi,

I want to integrate emails from a particular DL into Splunk, and Splunk should create alerts for that traffic.

0 Karma
1 Solution

KARANMALHOTRA
Path Finder

You can use this addon: [TA-mailclient][1]

[1]: https://splunkbase.splunk.com/app/3200/

We have used it in the past to get emails from a mailbox and then create alerts based on them.

It works well, and you only need the email server name and the credentials for the mailbox to make it work.

As you are getting emails to your own DL, I would suggest creating a separate mailbox and having the mails sent to it. The addon can read it and create the events.

Keep in mind that this uses IMAP/POP3, so check with your Exchange/security admins before implementing.


0 Karma

sandyIscream
Communicator

@naregayam Please have a look at these apps below.

https://splunkbase.splunk.com/app/3720/

https://splunkbase.splunk.com/app/1739/

Also go through the link below on saving the mails into a file and then having that file monitored by Splunk.

https://www.techhit.com/messagesave/help/saving-outlook-messages.html

0 Karma

jawaharas
Motivator

Can you elaborate your requirement again?

You need Splunk to alert you whenever an email has been sent to a particular email distribution list?

0 Karma

naregayam
New Member

Hi jawaharas, yes, your understanding is correct.

We get mails from the "Threat hunt team" with details like attack name, attack sources, IOCs, hash files, attack description and recommendation.

That mail needs to be integrated with Splunk: whenever we get such a mail in our Outlook, it needs to get to Splunk, and Splunk needs to create an alert based on the data collected and the files attached to the mail. These IOCs then need to be monitored by Splunk, and we need an alert whenever Splunk observes traffic matching them.

0 Karma
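The two halves of this thread (pulling mails out of a mailbox into Splunk events, as the accepted answer describes, and then watching traffic for the IOCs those mails carry, as naregayam describes above) meet at the parsing step. The script below is an added example, not code from the original posts or from the TA-mailclient add-on. It assumes a collector has already fetched a threat-hunt mail as raw RFC 822 bytes, and that the mail body uses the "Label: value" layout naregayam lists; the sample message, addresses, domain and hash are constructed for the example and are not real indicators.

```python
"""Turn a threat-hunt notification mail into Splunk-ready IOC data.

Added example for this thread, not code from the posts or from TA-mailclient.
Assumes the message was already fetched (IMAP/POP3) as raw RFC 822 bytes.
"""
import csv
import email
import io
import json
import re
from email import policy

# Constructed sample mail; every value below is invented for this example.
SAMPLE_EML = b"""From: threat-hunt@example.com
To: soc-dl@example.com
Subject: [Threat Hunt] Fake Campaign 42
Date: Mon, 01 Jan 2024 10:00:00 +0000
Content-Type: text/plain; charset=utf-8

Attack name: Fake Campaign 42
Attack sources: 198.51.100.23, 203.0.113.7
IOC's: evil.example.net, 198.51.100.23
Hash files: 0123456789abcdef0123456789abcdef
Attack description: Phishing wave delivering a loader.
Recommendation: Block the listed hosts at the proxy and alert on hash sightings.
"""

# Labels the threat-hunt mails carry (per the thread), mapped to field names.
FIELD_LABELS = {
    "attack name": "attack_name",
    "attack sources": "attack_sources",
    "ioc's": "iocs",
    "hash files": "hash_files",
    "attack description": "attack_description",
    "recommendation": "recommendation",
}
# Only these free-text fields are scanned for indicators.
IOC_FIELDS = ("attack_sources", "iocs", "hash_files")
IOC_PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "md5": re.compile(r"\b[0-9a-f]{32}\b", re.I),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}


def parse_fields(body: str) -> dict:
    """Map the 'Label: value' lines of the mail body to normalised field names."""
    fields = {}
    for line in body.splitlines():
        label, sep, value = line.partition(":")
        key = FIELD_LABELS.get(label.strip().lower())
        if sep and key:
            fields[key] = value.strip()
    return fields


def extract_iocs(fields: dict) -> dict:
    """Pull typed, de-duplicated indicators (first-seen order) from the IOC fields."""
    text = " ".join(fields.get(name, "") for name in IOC_FIELDS)
    return {
        ioc_type: list(dict.fromkeys(m.group(0).lower() for m in pat.finditer(text)))
        for ioc_type, pat in IOC_PATTERNS.items()
    }


def to_event(raw: bytes) -> dict:
    """Build one JSON-serialisable event (for the index) from a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    fields = parse_fields(body)
    return {
        "sender": str(msg["from"]),
        "subject": str(msg["subject"]),
        "mail_date": str(msg["date"]),
        "fields": fields,
        "iocs": extract_iocs(fields),
    }


def lookup_rows(event: dict) -> list:
    """One row per indicator for a CSV lookup that traffic searches can match against."""
    return [
        {"ioc": value, "ioc_type": ioc_type,
         "attack_name": event["fields"].get("attack_name", ""),
         "mail_date": event["mail_date"]}
        for ioc_type, values in event["iocs"].items()
        for value in values
    ]


def lookup_csv(rows: list) -> str:
    """Render the lookup rows as CSV text (header first)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["ioc", "ioc_type", "attack_name", "mail_date"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    ev = to_event(SAMPLE_EML)
    print(json.dumps(ev, indent=2))     # the per-mail event to index
    print(lookup_csv(lookup_rows(ev)))  # the lookup file for traffic matching
```

The JSON event is what you would index so the "new threat-hunt mail" alert can fire on it, and the CSV is what you would hand to Splunk as a lookup; with assumed names, a traffic search such as `index=proxy | lookup threat_hunt_iocs ioc AS dest OUTPUT attack_name | where isnotnull(attack_name)` then produces the "traffic observed for an IOC" alert. Attachments are not parsed here; `msg.iter_attachments()` from the same `email` module is the place to add that if the IOCs arrive as files rather than in the body.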

tk111
Engager

@naregayam did you find a solution that met your requirements? I'm looking to do something very similar, but I'm having trouble finding something that would work with Exchange.

0 Karma