This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Custom Incidents Messages

YossiNagar
Beginner
Beginner

‎2016-12-13 03:12 AM

Hi guys,

 

I was asked by my manager to customize the messages that we getting from the Incident manager so he could see more data in the mail notification, instead of logging into the Incident manager at the SA UI.

 

Since I'm not that familiar with code, can someone please share his notification template so i could deploy it on my machine? I thing it'll be useful for another few people here..

 

If there are already some template , please direct me to it.

 

Appreciate that, 

Yossi.

4 REPLIES 4

RomanZeltser
Beginner
Beginner

‎2017-02-03 09:39 AM

Yossi, I don't have the template. I simply name my reports with very detailed names (i.e. "Alert: logging with sql-acct from non-SQL device"). Not sure it helps but may assist to recognize the problem.

0 Likes

YossiNagar
Beginner
Beginner
In response to RomanZeltser

‎2017-02-05 04:54 AM

Hi Roman,

 

Thanks for your replay.


I have no problem to understand the alerts because i'm creating the incidents & alerts, the problem is with the other users that getting the alerts to the mail, i want them to understand what exactly happen without logging to the UI to check.


I think what I need is like the incident manager will parse the message and put part of it in the message, so I could decide what will be inside the alert.
I can see an option to edit a template under Incidents > Configure > Notifications. There is an option ther to make Edit to the Template, let me know if i'm wrong.

 

Thank you,

Yossi.

0 Likes

RomanZeltser
Beginner
Beginner
In response to YossiNagar

‎2017-02-06 09:02 AM

I can’t suggest you anything on a Template. The only simple way is to spell out the problem is in the NAME of the report/alert itself.

 

 

===============

Roman Zeltser

Sr. IM Security Analyst

CDR Associates

 

307 International Circle

Suite 300

Hunt Valley, MD 21030

P: 410-560-2269 x.1261

rzeltser@cdrassociates.com<mailto:rzeltser@cdrassociates.com>

Preview file
2 KB
0 Likes

VladimirPrevin
Beginner
Beginner

‎2017-02-11 04:16 AM

having the same problem.

 

could anyone find a link to the global notification template syntax for 10.6.2 (if that exists)

with some basic examples of specifying IM notification body

a) testing for including meta detail or nothing if null,

b) array unrolling (e.g. alias host),

c) getting meta out of alerts with multiple esa events inside, etc.

d) getting meta out of esa alerts with multiple events when the order is not known (sometimes if 2 logs are syslogged within the very short time period this happens)

 

at the moment we do it with python scripts for ESA but i have not the faintest idea how to do that for IM .

then there's this problem https://community.rsa.com/thread/190285 

 

The reason why we want to use use im for this is the group by aggregation for incident management [basically to suppress duplicate alerts]. Doing it directly to ESA alert is not a good idea as it seems like alerts of the same type within that time period will go missing.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.