FortiSIEM Sending Email and SMS Notifications for Incidents

Sending Email and SMS Notifications for Incidents

When you set actions for an incident notification, one option is to send an email or SMS message to groups or individuals, and you also have an option to specify a template that should be used in the email.

Prerequisites

Make sure the email gateway has been configured for your deployment.

You should also have set up any email templates that you want to use for notifications.

Procedure

  1. Log in to your Supervisor node.
  2. Go to Analytics > Incident Notification Policy.
  3. Select the policy that you want to set up the email or SMS notification for.
  4. Under Actions, next to the email/sms notification table, click .
  5. For multi-tenant deployments, select the Organization that contains the individuals or groups you want notified.

     Under Folders, you will see the user groups for that organization listed.

  6. In the Folders pane, select a group.

     In the Items pane, you will see a list of users for that group.

  7. Select a group and click Folder >> to add the group to the Notification Actions list, or select individual users and click Items >>.
  8. Under Notification Actions, select the Method, Email or SMS, that you want to use when sending the notification.
  9. Select an Email Template if you are sending an email notification. If you leave this blank, the default email template will be used.

Related Links

Setting Up the Email Gateway

Setting Scripts as Notification Actions

Customizing Email Templates for Notifications

Email templates for incident notifications are based on incident variables that you put into the subject and body of the template, which are then populated with the actual attribute values in the incident.

Incident Attribute Variables

These are the incident attribute variables you can use for your email template.

$organization

$status

$hostName

$incidentId

$incidentTime

$firstSeenTime

$lastSeenTime

$incident_severityCat

$incident_severity

$incident_incidentCount

$ruleName

$ruleDescription

$incident_source

$incident_target

$incident_detail

$affectedBizService

Example Email Template

This example first shows a template with the incident attribute variables, and then an email based on this template with the variables populated from an incident.

Template

Email Subject:

$ruleName was triggered at $incidentTime

Email Body:

The host, $incident_target, was being scanned by $incident_source starting at $firstSeenTime and ending at $lastSeenTime. There were $incident_incidentCount hits.

Please investigate and report as necessary.

Generated Email

Subject: Server Memory Warning was triggered at Jan 10 22:43 UTC

Body: The host, Host IP: 192.168.1.23 Host Name: QA-V-WIN03-ORCL, was being scanned by 10.1.1.1 starting at Jan 10 22:05 UTC and ending at Jan 10 22:11 UTC. There were 2 hits.

Please investigate and report as necessary.
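The substitution described above (variables in the subject and body replaced by incident attribute values) can be reproduced with a small renderer. The following is an added example, not code from FortiSIEM or from this page; it uses the documented variable names and the page's example template and incident, and it assumes that variables are plain identifiers introduced by `$`. It also shows why a naive find-and-replace is wrong for this variable set: `$incident_severity` is a prefix of `$incident_severityCat`, so replacing variables one at a time corrupts the longer name. Unknown variables (for instance a custom attribute the documented list does not contain) are left in place rather than silently dropped, so a template check before deployment can flag them.

```python
from string import Template

# Incident attribute variables documented for FortiSIEM email templates.
INCIDENT_VARIABLES = {
    "organization", "status", "hostName", "incidentId", "incidentTime",
    "firstSeenTime", "lastSeenTime", "incident_severityCat",
    "incident_severity", "incident_incidentCount", "ruleName",
    "ruleDescription", "incident_source", "incident_target",
    "incident_detail", "affectedBizService",
}

# The example template from the page.
SUBJECT_TEMPLATE = "$ruleName was triggered at $incidentTime"
BODY_TEMPLATE = (
    "The host, $incident_target, was being scanned by $incident_source "
    "starting at $firstSeenTime and ending at $lastSeenTime. "
    "There were $incident_incidentCount hits.\n\n"
    "Please investigate and report as necessary."
)

# Constructed sample incident: the attribute values behind the page's
# generated email, plus severity fields used to show the prefix pitfall.
SAMPLE_INCIDENT = {
    "ruleName": "Server Memory Warning",
    "incidentTime": "Jan 10 22:43 UTC",
    "incident_target": "Host IP: 192.168.1.23 Host Name: QA-V-WIN03-ORCL",
    "incident_source": "10.1.1.1",
    "firstSeenTime": "Jan 10 22:05 UTC",
    "lastSeenTime": "Jan 10 22:11 UTC",
    "incident_incidentCount": 2,
    "incident_severity": 5,        # assumed value
    "incident_severityCat": "LOW",  # assumed value
}


def template_variables(text):
    """Return the set of $variable names referenced by a template."""
    names = set()
    for match in Template(text).pattern.finditer(text):
        name = match.group("named") or match.group("braced")
        if name:
            names.add(name)
    return names


def unsupported_variables(text):
    """Variables used in the template that FortiSIEM will not populate."""
    return sorted(template_variables(text) - INCIDENT_VARIABLES)


def render(text, incident):
    """Identifier-aware substitution; unknown variables stay as written."""
    return Template(text).safe_substitute(incident)


def render_email(subject_template, body_template, incident):
    return render(subject_template, incident), render(body_template, incident)


def naive_render(text, incident):
    """Deliberately wrong: sequential str.replace ignores identifier
    boundaries, so '$incident_severity' also eats '$incident_severityCat'."""
    for name, value in incident.items():
        text = text.replace("$" + name, str(value))
    return text


if __name__ == "__main__":
    subject, body = render_email(SUBJECT_TEMPLATE, BODY_TEMPLATE, SAMPLE_INCIDENT)
    print("Subject:", subject)
    print("Body:", body)
    print("Unsupported:", unsupported_variables("$ruleName fired for $cveId"))
    print("naive:", naive_render("$incident_severityCat/$incident_severity", SAMPLE_INCIDENT))
    print("correct:", render("$incident_severityCat/$incident_severity", SAMPLE_INCIDENT))
```

Running the block prints the same subject and body as the generated email on the page; the naive renderer produces `5Cat/5` where the identifier-aware one produces `LOW/5`. Note that values such as `$incident_target` and `$incident_detail` are populated from incident data, which ultimately comes from logs, so a template rendered into anything other than plain text should escape those values.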

Creating an Email Template

  1. Log in to your Supervisor node.
  2. Go to Admin > General Settings > Incident Email Templates.
  3. Click Add.
  4. For multi-tenant deployments, select the organization for which you are creating the email template.
  5. Enter a Name for the template.
  6. Enter the Email Subject and Email Body.

     You can select attribute variables from the Insert Content menu to enter into your template, rather than having to type them out by hand.

  7. Click OK.

be used. To set an email template as default, select the template in the list on the Incident Email Templates page, and then click Set as Default. For multi-tenant deployments, to select a template as default for an organization, first select the organization, then set the default email template for that organization.

This entry was posted in Administration Guides, FortiSIEM.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “FortiSIEM Sending Email and SMS Notifications for Incidents”

  1. Mohammed Anis

    Hi,
    I did follow the attributes and they are working fine. However, I have some more attributes which I want to display in the email, e.g. CVE ID, vulnerability name and, let's just say, a custom string. How to create more attributes for email notification?
