Hello,
I am trying to send a custom email alert if any SQL injection has been done on our websites.
`fidelis_get_xps_event` | search tag=initial_compromise | eval Severity=lower(Severity) | table _time Target Severity AlertId hostIp eventtype | search eventtype="incoming_sql_injection" | chart dc(AlertId) as count by hostIp
| eval check=case(isnull(hostIp),1) | search check=0 | sendemail to=farrukh@example.com from=splunk@example.com subject="SQL Injection" server=smtp.example.com
The condition I am checking is a 15 minute time window for the search and checking whether hostIp is not null. It should not send an email if check=0, but it keeps sending an email.
Thank you.
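As an added example (not the poster's search or the Fidelis app's own configuration), here is the same search expressed as a scheduled alert in savedsearches.conf: `case(isnull(hostIp),1)` evaluates to null rather than 0 when hostIp is present, so `search check=0` matches nothing, and the `sendemail` command emails on every run regardless of how many rows reach it, so the email is moved into an alert action that triggers only when results exist. The stanza name is assumed; the macro, fields and addresses are taken from the post.

```ini
# savedsearches.conf (added example; stanza name is assumed)
[SQL Injection - hostIp present]
enableSched = 1
# Run every 15 minutes over the last 15 minutes of data
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
# The poster's search with sendemail removed and the null check stated directly.
# chart ... by hostIp already drops rows with a null hostIp; the where clause makes that explicit.
search = `fidelis_get_xps_event` | search tag=initial_compromise | eval Severity=lower(Severity) | table _time Target Severity AlertId hostIp eventtype | search eventtype="incoming_sql_injection" | chart dc(AlertId) as count by hostIp | where isnotnull(hostIp)
# Trigger condition: at least one result row. Unlike the sendemail command,
# the alert action does nothing when the search returns no rows.
counttype = number of events
relation = greater than
quantity = 0
# Email alert action; the SMTP server is configured globally in alert_actions.conf
action.email = 1
action.email.to = farrukh@example.com
action.email.subject = SQL Injection
action.email.sendresults = 1
action.email.inline = 1
```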