Sending Email and SMS Notifications for Incidents
When you set actions for an incident notification, one option is to send an email or SMS message to groups or individuals, and you also have an option to specify a template that should be used in the email.
Prerequisites
Make sure the email gateway has been configured for your deployment.
You should also have set up any email templates that you want to use for notifications.
Procedure
- Log in to your Supervisor node.
- Go to Analytics > Incident Notification Policy.
- Select the policy that you want to set up the email or SMS notification for.
- Under Actions, next to the email/sms notification table, click … .
- For multi-tenant deployments, select the Organization that contains the individuals or groups you want notified.
Under Folders, you will see the user groups for that organization listed.
- In the Folders pane, select a group.
In the Items pane, you will see a list of users for that group.
- Select a group and click Folder >> to add a group to the Notification Actions list, or select individual users and click Items >>.
- Under Notification Actions, select the Method, Email or SMS, that you want to use to send the notification.
- Select an Email Template if you are sending an email notification. If you leave this blank, the default email template will be used.
Related Links
Setting Up the Email Gateway
Setting Scripts as Notification Actions
Customizing Email Templates for Notifications
Email templates for incident notifications are based on incident variables that you put into the subject and body of the template, which are then populated with the actual attribute values in the incident.
Incident Attribute Variables
These are the incident attribute variables you can use for your email template.
$organization
$status
$hostName
$incidentId
$incidentTime
$firstSeenTime
$lastSeenTime
$incident_severityCat
$incident_severity
$incident_incidentCount
$ruleName
$ruleDescription
$incident_source
$incident_target
$incident_detail
$affectedBizService
Example Email Template
This example first shows a template with the incident attribute variables, and then an email based on this template with the variables populated from an incident.
Template
Email Subject:
$ruleName was triggered at $incidentTime
Email Body:
The host, $incident_target, was being scanned by $incident_source starting at $firstSeenTime and ending at $lastSeenTime. There were $incident_incidentCount hits.
Please investigate and report as necessary.
Generated Email
Subject: Server Memory Warning was triggered at Jan 10 22:43 UTC
Body: The host, Host IP: 192.168.1.23 Host Name: QA-V-WIN03-ORCL, was being scanned by 10.1.1.1 starting at Jan 10 22:05 UTC and ending at Jan 10 22:11 UTC. There were 2 hits.
Please investigate and report as necessary.
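A template can be checked against the variable list above before it is saved, so that a mistyped or unsupported variable does not reach responders as a literal `$name`. The following is an added example, not code from the product: it lints a template for variables outside the documented list and renders a preview. The function names are assumptions, `$cveId` is a hypothetical unsupported variable, and leaving unresolved variables as literal text is an assumption about behaviour.

```python
import re

# Variables listed on this page under "Incident Attribute Variables".
SUPPORTED = {
    "organization", "status", "hostName", "incidentId", "incidentTime",
    "firstSeenTime", "lastSeenTime", "incident_severityCat",
    "incident_severity", "incident_incidentCount", "ruleName",
    "ruleDescription", "incident_source", "incident_target",
    "incident_detail", "affectedBizService",
}
VAR = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

def unsupported(subject, body):
    """Return variables used in the template that are not in the documented list."""
    seen = []
    for name in VAR.findall(subject + "\n" + body):
        if name not in SUPPORTED and name not in seen:
            seen.append(name)
    return seen

def preview(text, incident):
    """Fill variables from `incident`; return (rendered text, unresolved names)."""
    missing = []
    def fill(m):
        name = m.group(1)
        if name in SUPPORTED and name in incident:
            return str(incident[name])
        if name not in missing:
            missing.append(name)
        return m.group(0)  # assumption: unresolved variables stay literal
    return VAR.sub(fill, text), missing

# Template and incident values taken from the example on this page.
SUBJECT = "$ruleName was triggered at $incidentTime"
BODY = ("The host, $incident_target, was being scanned by $incident_source "
        "starting at $firstSeenTime and ending at $lastSeenTime. "
        "There were $incident_incidentCount hits.")
INCIDENT = {
    "ruleName": "Server Memory Warning", "incidentTime": "Jan 10 22:43 UTC",
    "incident_target": "Host IP: 192.168.1.23 Host Name: QA-V-WIN03-ORCL",
    "incident_source": "10.1.1.1", "firstSeenTime": "Jan 10 22:05 UTC",
    "lastSeenTime": "Jan 10 22:11 UTC", "incident_incidentCount": 2,
}

if __name__ == "__main__":
    print(unsupported(SUBJECT, BODY + " CVE: $cveId"))  # hypothetical variable
    print(preview(SUBJECT, INCIDENT)[0])
    print(preview(BODY, INCIDENT)[0])
```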
Creating an Email Template
- Log in to your Supervisor node.
- Go to Admin > General Settings > Incident Email Templates.
- Click Add.
- For multi-tenant deployments, select the organization for which you are creating the email template.
- Enter a Name for the template.
- Enter the Email Subject and Email Body.
You can select attribute variables from the Insert Content menu to enter into your template, rather than having to type them out by hand.
- Click OK.
be used. To set an email template as default, select the template in the list on the Incident Email Templates page, and then click Set as Default. For multi-tenant deployments, to select a template as default for an organization, first select the organization, then set the default email template for that organization.
Hi,
I did follow the attributes and they are working fine. However, I have some more attributes which I want to display in the email, e.g. CVE ID, vulnerability name and, let's just say, a custom string. How do I create more attributes for email notification?