2016-12-13 03:12 AM
Hi guys,
I was asked by my manager to customize the messages that we are getting from the Incident Manager so he could see more data in the mail notification instead of logging into the Incident Manager in the SA UI.
Since I'm not that familiar with code, can someone please share their notification template so I could deploy it on my machine? I think it'll be useful for a few other people here..
If there are already some templates, please direct me to them.
Appreciate it,
Yossi.
2017-02-03 09:39 AM
Yossi, I don't have the template. I simply name my reports with very detailed names (i.e. "Alert: logging with sql-acct from non-SQL device"). Not sure it helps, but it may assist in recognizing the problem.
2017-02-05 04:54 AM
Hi Roman,
Thanks for your reply.
I have no problem understanding the alerts because I'm creating the incidents & alerts; the problem is with the other users that are getting the alerts by mail. I want them to understand what exactly happened without logging in to the UI to check.
I think what I need is for the Incident Manager to parse the message and put part of it in the notification, so I could decide what will be inside the alert.
I can see an option to edit a template under Incidents > Configure > Notifications. There is an option there to edit the Template; let me know if I'm wrong.
Thank you,
Yossi.
2017-02-06 09:02 AM
I can't suggest anything on a Template. The only simple way to spell out the problem is in the NAME of the report/alert itself.
===============
Roman Zeltser
Sr. IM Security Analyst
CDR Associates
307 International Circle
Suite 300
Hunt Valley, MD 21030
P: 410-560-2269 x.1261
rzeltser@cdrassociates.com
2017-02-11 04:16 AM
Having the same problem.
Could anyone find a link to the global notification template syntax for 10.6.2 (if that exists)
with some basic examples of specifying the IM notification body:
a) testing for including meta detail, or nothing if null,
b) array unrolling (e.g. alias host),
c) getting meta out of alerts with multiple ESA events inside, etc.
d) getting meta out of ESA alerts with multiple events when the order is not known (sometimes if 2 logs are syslogged within a very short time period this happens).
At the moment we do it with Python scripts for ESA, but I have not the faintest idea how to do that for IM.
Then there's this problem: https://community.rsa.com/thread/190285
The reason why we want to use IM for this is the group-by aggregation for incident management [basically to suppress duplicate alerts]. Doing it directly on the ESA alert is not a good idea, as it seems like alerts of the same type within that time period will go missing.
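The thread never gets an answer on the IM template syntax itself, so the following is not an IM template and not code from anyone in the thread. It is an added example, in Python (which the last post says is already used for the ESA side), of the four requirements listed above: (a) print a meta line only when the value is present, (b) unroll a multi-valued meta such as alias host, and (c)/(d) pull meta out of an alert that carries several ESA events without depending on the order the events arrived in. The JSON layout, field names and sample values are constructed for this illustration and are not the real ESA or IM alert schema.

```python
"""Added example (not from the thread): a null-safe, order-independent
renderer for a mail body built from an alert that carries several events.
The alert structure below is an assumption made up for this example."""
import json

# Constructed sample alert: two events are listed in the "wrong" order
# (the follow-up command appears before the logon that caused it), the
# host meta is multi-valued, and user_dst is missing from one event.
SAMPLE_ALERT = json.loads("""
{
  "alert_name": "Alert: logging with sql-acct from non-SQL device",
  "events": [
    {"event_time": "2017-02-11T04:10:07Z", "event_type": "command",
     "alias_host": ["ws-042", "ws-042.corp.example"], "ip_src": "10.1.2.3",
     "action": "xp_cmdshell"},
    {"event_time": "2017-02-11T04:10:06Z", "event_type": "logon",
     "alias_host": ["ws-042"], "ip_src": "10.1.2.3",
     "user_dst": "sql-acct", "device_class": "Workstation"}
  ]
}
""")

# (label, meta key) pairs to put in the mail body, in display order.
# The key names are assumptions for this example.
FIELDS = (("user", "user_dst"), ("source ip", "ip_src"),
          ("host", "alias_host"), ("device class", "device_class"),
          ("action", "action"))


def collect_meta(events, key):
    """Gather every non-empty value of `key` across all events, in
    event_time order and deduplicated (requirements c and d). Because the
    events are sorted first, the result is the same however they were
    listed in the alert. event_time is assumed to be ISO-8601 UTC, which
    sorts correctly as a plain string."""
    values = []
    for ev in sorted(events, key=lambda e: e.get("event_time", "")):
        value = ev.get(key)
        if value in (None, "", []):
            continue
        for item in (value if isinstance(value, list) else [value]):
            if item not in values:
                values.append(item)
    return values


def meta_line(label, value):
    """Return 'label: value', or None when the meta is absent or empty
    (requirement a). A list is unrolled into a comma-separated string
    (requirement b)."""
    if value in (None, "", []):
        return None
    if isinstance(value, list):
        value = ", ".join(str(v) for v in value)
    return f"{label}: {value}"


def render_notification(alert):
    """Build the plain-text mail body: alert name, event count, then one
    line per configured field, skipping fields with no meta."""
    events = alert.get("events", [])
    lines = [alert.get("alert_name", "(unnamed alert)"),
             f"events in alert: {len(events)}"]
    for label, key in FIELDS:
        line = meta_line(label, collect_meta(events, key))
        if line is not None:
            lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_notification(SAMPLE_ALERT))
```

The design point is that nothing in `render_notification` looks at a specific event index: every field is collected across all events after sorting by time, so a logon and its follow-up being syslogged a few milliseconds apart in either order produces the same mail. Missing keys simply drop their line rather than printing "None".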