Add Notification Method to a Rule

This topic tells administrators how to add a notification, such as email, to a rule. ESA uses the notification method when it generates an alert for an event that meets rule criteria.

You add a notification to a rule so ESA can let you know when a rule triggers an alert. Although the notification fields are not required, it is a best practice to add a notification to a rule.

When you add a notification method to a rule, you select the following information:

  • Output
  • Notification
  • Notification Server
  • Template

Prerequisites

  • Your role must have permission to manage rules.
  • The rule must exist.
  • The notification method must be configured with a supported server and template:

    Go to (Admin) > System > Global Notifications.

    For detailed procedures, see the System Configuration Guide.

Add a Notification Method to a Rule

  1. Go to (Configure) > ESA Rules > Rules tab.
  2. In the Rule Library, click the Add icon to add a new rule, or select an existing rule and click the Edit icon.
     Depending on the rule type, the Rule Builder or Advanced EPL tab is displayed.
     The Notifications section is the same for both tabs.
     [Figure: Notifications section before a notification is added]
  3. In the Notifications section, click the Add icon and select the Output for the alert:
     • Email
     • SNMP (This option is not supported in NetWitness 11.3 and later.)
     • Syslog
     • Script
  4. Double-click the Notification field and select the name of a previously configured output.
     For example, Level 1 Analyst could be the name of an email notification that goes to the L1-Analysts email distribution group.
  5. Double-click the Notification Server field and select the server that sends the notification.
  6. Double-click the Template field and select a format for the alert.
     The following figure shows the settings for a Syslog notification.
     [Figure: Notifications section with a Syslog notification added]
  7. If you want to specify frequency, select Output Suppression, then enter the number of minutes.
  8. If you want to add another notification, repeat steps 3-7.
  9. Click Save.
     When ESA generates an alert for an event that matches the rule criteria, you are notified of the alert via each notification method added to the rule.