NetWitness Community

Anonymous · ‎2023-11-01

I have an ESA rule that generates an email notification when meta is generated in the 'alert' meta key.

I want to put able to use part of the meta information in the alert to customise the email subject header so there is more context in it.

Is this possible.

JohnKisner · ‎2023-11-01

JeremyKerwin,

Please take a look at the following documentation concerning email templates and the ESA. https://community.netwitness.com/t5/netwitness-platform-online/define-a-template-for-esa-alert-notifications/ta-p/669711

In here it talks about how to access the meta from your alerts to add them to templates. As you can see it mentions an events array along with meta data that is associated with the alert itself, like the alert name, etc. For your situation I believe it would be something like ${events[0].alert} to capture the alert metakey from the first alert that was seen that fires off the email template.

I hope this helps provide the guidance you are looking for.

View solution in original post

JohnKisner · ‎2023-11-20

Excellent @Anonymous . I'm glad to hear that has worked. What made me think of this variation is that when a meta key has more than one result in it, you usually have to use the indexing on the end of the key. Thus using alert[0] makes sure that you are using the first item within the meta key of alert. I know NetWitness tends to use the Alert meta key for a lot of things.

I suspect you can use this with any other meta key that has multiple saved items in a single meta key for a single event.

View solution in original post

JohnKisner · ‎2023-11-01

JeremyKerwin,

Please take a look at the following documentation concerning email templates and the ESA. https://community.netwitness.com/t5/netwitness-platform-online/define-a-template-for-esa-alert-notifications/ta-p/669711

In here it talks about how to access the meta from your alerts to add them to templates. As you can see it mentions an events array along with meta data that is associated with the alert itself, like the alert name, etc. For your situation I believe it would be something like ${events[0].alert} to capture the alert metakey from the first alert that was seen that fires off the email template.

I hope this helps provide the guidance you are looking for.

Anonymous · ‎2023-11-14

Thanks @JohnKisner that seems to work for most meta keys, but for some reason if I use ${events[0].alert} in one particular email notifcation as the part of the subject line, it stops all email notification for that alert. it's weird, it's the only key that seems to do this.

JohnKisner · ‎2023-11-14

Hello JeremyKerwin,

I've been looking through our knowledge base articles, support cases, and Engineering cases. I haven't been able to tease out anything specifically about the alert meta field. What version of NetWitness are you currently on as that may allow me to focus my search to find something. Otherwise it is possible that you have ran into a bug dealing with the alert meta key and email templates.

Anonymous · ‎2023-11-14

We're currently running 12.3.0 about to go to 12.3.1

JohnKisner · ‎2023-11-14

JeremyKerwin,

I've put this question to our internal groups to see if this is a known issue or if there is some other explanation for this behavior. It is outside of my own experience so let me see if I can get some information for you around this one. I'll need a few days to see if I can get some responses from the rest of NetWitness.

JohnKisner · ‎2023-11-17

Jeremy,

I've put your question to several groups within NetWitness. So far I have not received any information that this is a known issue or feature. This may require more in depth investigation between our Support organization and Engineering. I have one more place I would like to check, but given it is Friday it may take a few more days to see if I can get an additional response. Thank you for your patience.

JohnKisner · ‎2023-11-17

Jeremy,

I have an email out to Engineering to see if they can provide some information for this question. However, while writing the email I got to thinking. The alert meta that you are wanting to appear in your template, are there more than one piece of information saved in the alert meta key? What I mean is, maybe the syntax should be ${events[0].alert[0]}. Can you try that in your template and see if that allows it to work correctly.

Anonymous · ‎2023-11-18

Hi @JohnKisner I think you figured it out. by adding the suggested syntax ${events[0].alert[0]} seems to work. I tested the notification and the alert meta is now being displayed in the subject line.

Thanks for your help

JohnKisner · ‎2023-11-20

Excellent @Anonymous . I'm glad to hear that has worked. What made me think of this variation is that when a meta key has more than one result in it, you usually have to use the indexing on the end of the key. Thus using alert[0] makes sure that you are using the first item within the meta key of alert. I know NetWitness tends to use the Alert meta key for a lot of things.

I suspect you can use this with any other meta key that has multiple saved items in a single meta key for a single event.

NetWitness Community

Using meta in email notification subject line.