Adding Emojis in Splunk Alerts and Slack Messages

Working with Splunk and Slack

If you work on a company's security team, you probably have a SIEM that collects event logs, alerts that fire on patterns in those logs, and some system that delivers those alerts to the team so they can start investigating. This is pretty standard for most SOCs.

I have been fortunate enough to work at some companies that use Splunk for the SIEM and Slack for receiving notable alerts from Splunk. As you know, these services are expensive, so if you have either of these, consider yourself rich in the world of logging events and receiving alerts!

I have a ton of experience with Splunk, everything from architecture to building custom Splunk apps, alerting and monitoring, and I actually enjoy it a lot. Same with Slack: I have spent a lot of time learning their API, creating bots, customizing message attachments, all that fun stuff.

What I hope to teach you here is how to spice up those alerts! It might seem silly that this article is about using emojis in alerts, but trust me, your team will love it. It gets boring looking at the same bland old timestamped text alerts with nothing to differentiate them.

Splunk Query Example

Let’s talk about using the case function in Splunk. This is one of the easiest ways to get started.

Here is a simple example query:

index=main EventCode=4624 OR EventCode=4625
| eval Account_Name=mvindex(Account_Name, 0),
       Account_Domain=mvindex(Account_Domain, 0)
| table _time, EventCode, Account_Name, Account_Domain, Source_Network_Address, action

The query above is straightforward: it returns all of the Windows Event Log successful and failed logon events (4624 and 4625), pulls a few fields out, and gives you a tidy table as the result.

Adding Emojis To Splunk Tables and Alert Emails

Let’s update this and add some emojis!

index=main EventCode=4624 OR EventCode=4625
| eval Account_Name=mvindex(Account_Name, 0),
       Account_Domain=mvindex(Account_Domain, 0)
| eval action=case(
       EventCode="4624", "Has Successfully Logged In! 😎",
       EventCode="4625", "Has Failed To Log In! 😰")
| table _time, EventCode, Account_Name, Account_Domain, Source_Network_Address, action

Look at that! This is awesome.

For now, you can ignore the eval with mvindex. All it does is grab the first value of the Account_Name and Account_Domain fields in the logon event; otherwise both values end up in the table and it looks bad.

What we did in the case statement is tell Splunk that if the event code is 4624, set a field called ‘action’ to the specified text. I’m sure by now you can see where I’m going with this!

The case above is great for emailed alerts. It will add a little fun to them, but I suggest that you don’t go too crazy with it, otherwise your boss might make you stop. I would suggest introducing this slowly into your monitoring alerts! 🙂

Sending Custom Messages to Slack with Emojis

The ultimate setup! If you’re using Slack and the Splunk Slack App, you can choose to send alerts to Slack when you’re setting up the alert. There are really only two things you need to fill in for a message that goes to Slack: the channel name and the message. You can create a message like the one below to send the above user logon events to Slack.

The User $result.Account_Name$ $result.action$ 
_$description$_
`Time: $result.alert_time$`
>*Domain:* $result.Account_Domain$
>*IP:* $result.Source_Network_Address$

This is one way to do it and you control the emoji from the Splunk Query.

The other way is to ignore the case statement and just add the emojis directly in the Slack Message.

Here is an example of this:

The User $result.Account_Name$ has logged in successfully! 😎
_$description$_
`Time: $result.alert_time$`
>*Domain:* $result.Account_Domain$
>*IP:* $result.Source_Network_Address$

Another thing I do is add an emoji to the front of the text on the first line to indicate the severity. You can standardize this if you document it somewhere internally along with your processes for creating alerts!

🚨 The User $result.Account_Name$ has a failed login event! 😰
_$description$_
`Time: $result.alert_time$`
>*Domain:* $result.Account_Domain$
>*IP:* $result.Source_Network_Address$
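To see exactly what text reaches Slack, here is an added Python example (not part of the original post and not Splunk's or Slack's own code) that re-implements the three pieces above in one place: the mvindex first-value pick, the case() mapping from EventCode to an emoji action, and the $result.<field>$ / $description$ token substitution into the Slack message. The sample result row, the severity table and the default action for unknown event codes are constructed assumptions for this example.

```python
import re

# Mirrors the SPL case() statement: EventCode -> action text with emoji.
ACTION_BY_EVENTCODE = {
    "4624": "Has Successfully Logged In! 😎",
    "4625": "Has Failed To Log In! 😰",
}
# Severity prefix for the first line (constructed; only failures get a siren).
SEVERITY_BY_EVENTCODE = {"4625": "🚨 "}

# The Slack message body from the post, with a slot for the severity emoji.
TEMPLATE = (
    "{severity}The User $result.Account_Name$ $result.action$\n"
    "_$description$_\n"
    "`Time: $result.alert_time$`\n"
    ">*Domain:* $result.Account_Domain$\n"
    ">*IP:* $result.Source_Network_Address$"
)

def first_value(field):
    """Same idea as mvindex(field, 0): take the first value of a multivalue field."""
    if isinstance(field, list):
        return field[0] if field else ""
    return field

def slack_escape(text):
    """Slack mrkdwn requires &, < and > inside message text to be escaped."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

def enrich(result):
    """Apply the eval/case step: pick first values and compute the 'action' field."""
    row = {k: first_value(v) for k, v in result.items()}
    row["action"] = ACTION_BY_EVENTCODE.get(row.get("EventCode"), "Had An Unknown Logon Event ❓")
    return row

def render_slack_message(result, description):
    """Fill the $result.<field>$ and $description$ tokens the way the alert action would."""
    row = enrich(result)
    text = TEMPLATE.replace("{severity}", SEVERITY_BY_EVENTCODE.get(row.get("EventCode"), ""))
    text = re.sub(r"\$result\.(\w+)\$", lambda m: slack_escape(str(row.get(m.group(1), ""))), text)
    return text.replace("$description$", slack_escape(description))

SAMPLE_RESULT = {  # constructed sample row, shaped like a Splunk alert result
    "_time": "2024-01-01T09:00:00",
    "EventCode": "4625",
    "Account_Name": ["jdoe", "WIN10-01$"],  # multivalue field, hence mvindex
    "Account_Domain": ["CORP", "CORP"],
    "Source_Network_Address": "10.0.0.5",
    "alert_time": "2024-01-01 09:00:05",
}

if __name__ == "__main__":
    print(render_slack_message(SAMPLE_RESULT, "Failed logon alert"))
```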

That was a good time! I shared these few examples but I hope this helps get you thinking about adding a little fun to your SOC and Security Program. Let me know if you have any questions or if you need any clarification on anything down in the comments section. I’m always here to help!
