NetWitness Community

RenatoGoncalves · ‎2019-04-29

We need to send emails with the opening of a incident.

For now we can only receive an template like this:

But with this we dont get any useful information. Is it possible to edit the template and receive something like this:

Anyone have done it?

JoshRandall · ‎2019-04-30

Hi Renato,

I haven't been able to figure out a workaround for modifying the "Incident Created/Updated” email templates.

I'll keep looking into it, but in the meantime would an ESA Alert output email with the alert data meet your requirements?

Mr. Mongo

RenatoGoncalves · ‎2019-05-07

Hello Joshua,

The thing is that in want to to some correlation and its a little bit easier ( for someone who does not know EPL very well ) to do it.

For example if an IP could be in Alert for DDoS Attack with one request and have another in a SQLI for example. We want an incident that can look for the IP and correlate both alerts. With Incidents we can choose both ESA alerts.

PunithRajanna · ‎2021-05-20

Hi @RenatoGoncalves @JoshRandall ,

I am also looking for a similar solution. Where customer want to send a email notification of the incident creation and update. Please share me the solution if already found. Else any document that we can refer to achieve this task.

JoshRandall · ‎2021-05-20

@PunithRajanna

I put together a blog describing how to do this. You can find it here: https://community.rsa.com/t5/rsa-netwitness-platform-blog/customizing-respond-incident-notification-emails/ba-p/520244

Mr. Mongo

PunithRajanna · ‎2021-05-21

Hi @JoshRandall ,

Thanks for the update.

I have read the shared article. But my customer requirement is to get the meta details in the email instead of having the link when the incident is created.

My Customer has configured the incident notification to get the email. But they are not getting the complete incident details. they only got Incident name, incident status and Severity. They need more meta details to be included in the email notification.

Please share some light on how to accomplish this task

JoshRandall · ‎2021-05-21

@PunithRajanna

There is no way to include that information in the email that I know of. The comments in that blog discuss the same issue.

Mr. Mongo

PunithRajanna · ‎2021-05-21

Hi @JoshRandall ,

Customer has integrated the serviceNow with RSA netwitness using below implementation guide.

https://community.rsa.com/t5/rsa-netwitness-platform/servicenow-itsm-rsa-netwitness-implementation-guide/ta-p/564424

But this guide was written for older version of RSA netwitness(probably 10.X version ). The customer is using 11.4.1. Here the glitch is we are not getting the option to edit the incident creation template.

So my question is what template we need to edit and how we map that template to use for email notification its a big question for me.

Please help me if you are aware of any such implementation.

Regards,

Punith.R

JoshRandall · ‎2021-05-21

Like I've already said - that blog shows how to edit the incident create/update email templates. But there is currently no way to include any of the incident/alert metadata within those emails.

Mr. Mongo

NetWitness Community

Incident Template