Configure Incident Notification SettingsConfigure Incident Notification Settings
Incident notification settings enable notifications to be sent to SOC Managers and the Analyst assigned to an incident when an incident is created or updated. You can configure incident notification setting with Email Notification Settings and Syslog Notification Settings.
Email Notification SettingsEmail Notification Settings
Administrators can configure email notification settings in the Configure > INCIDENT NOTIFICATIONS > Email Notification Settings view to receive email notifications when:
-
An incident is updated.
-
An incident is created.
To configure email notification settings:To configure email notification settings:
-
Go to (Configure) > Incident Notifications.
The Email Notification Settings view is displayed.
- In the Server Name section, select the email server from the drop-down list that will send out email notifications when the notification settings are enabled. If there is no email server configured, you do not see an email server listed in the drop-down list. You have to configure an email server before you can continue with this procedure. To configure an email server, click the Global Notifications link and go to the Servers tab. For more information, see System Configuration Guide. Go to the NetWitness All Versions Documents page and find NetWitness Platform guides to troubleshoot issues.
-
Select the email template from the Template drop-down list.
Note: NetWitness Platform XDR provides out-of-the-box Default Respond SMTP Template.
- NetWitness Platform XDR provides Default Respond SMTP Template out of the box.
- Click the Global Notifications link in the Email Notification Settings view (Configure > Incident Notifications > Email Notification Settings) to create or modify the email notification template. -
In the SOC Manager Email Address section, add the email addresses of the SOC Managers that you want to receive email notifications. To add an SOC Manager email address to the list, type it in the field that shows Enter an email address to add and click Add. To remove an SOC Manager email address from the list, click next to the email address to be removed.
- Select one of the following options and specify who should receive an email notification when an incident is created and when an incident is updated.
- Send to Assignee: An email is sent to the Analyst assigned to the incident.
- Send to SOC Manager: An email is sent to all of the addresses listed in the SOC Manager Email Addresses list.
- Click Save. Changes take effect immediately.
Note:
- Save button is enabled only when you select both email server and email template. Refer the following figure.
- If user email address information is updated in the (Admin) > Security > Users tab, it can take up to two minutes for the new email changes to take effect. Any incident creation or incident update email notifications sent during this time go to the old email address.
- If you delete or disable the selected email server or delete the email template, the Email Notification Settings are reset. You must re-configure the email notification server and template.
Upgrade ConsiderationsUpgrade Considerations
In 12.2, the new Template field is added in the Email Notification Settings view with Default Respond SMTP Template as the default template in it. You can select the pre-configured custom email notification template after upgrading to 12.2 from 12.1 or older versions. To modify the email notification template, click the Global Notifications link in the Email Notification Settings view (Configure > Incident Notifications > Email Notification Settings).
Syslog Notification SettingsSyslog Notification Settings
Administrators can configure syslog notification settings in the Configure > INCIDENT NOTIFICATIONS > Syslog Notification Settings view to receive syslog notifications when:
-
An Incident is updated.
-
An incident is created.
To configure syslog notification settings:To configure syslog notification settings:
-
Go to Configure > INCIDENT NOTIFICATIONS > Syslog Notification Settings view.
-
Select the Syslog Server Name from the SERVER NAME drop-down list.
-
Select the Syslog template from the TEMPLATE drop-down list.
-
Select one of the following checkboxes:
-
Updated: Select this check box to receive Syslog notifications when an Incident is updated.
-
Created: Select this check box to receive Syslog notifications when an Incident is created.
You can select both the checkboxes to receive Syslog notifications when an Incident is updated or created.
-
Click Save.
Note: Save button is enabled only when you select both Syslog Server and Syslog Template. Refer the following figure.
Note:
- Click the Global Notifications link in the Syslog Notification Settings view (Configure > INCIDENT NOTIFICATIONS > Syslog Notification Settings) to create or modify the Syslog notification server and template.
- For information regarding the Syslog notification server and template configuration in the Global Notifications panel, refer Configure a Syslog Notification Server and Configure Templates for Notifications.
- If you delete or disable the selected Syslog server or delete the Syslog template, the Syslog Notification Settings are reset. You must re-configure the Syslog notification server and template.
Refresh Global Notification SettingsRefresh Global Notification Settings
When you click the Global Notifications link , the Refresh button is displayed in the Incident Notification Settings view. Once you click the Refresh button, all the incident notification settings are refreshed with the updated information.