Manage an Alert and Alert Template
You can manage alerts, scheduled alerts, and alert templates using the following procedures.
Manage an Alert
Depending on the access permissions set for the user role, you can modify, delete, import, export, enable, or disable alerts, and view or refresh an alert list.
Access Control for an Alert When a Single Alert is Selected
To set access permissions for an alert:
- Go to Reports.
The Manage tab is displayed.
- Click Alerts.
The Alert view is displayed.
- In the Alert panel, select an alert.
- Click > Permissions.
The Alert Permissions dialog box is displayed.
- Based on the user role, select the appropriate options.
- (Optional) Select the checkbox if you want to automatically provide read access permission to dependent rules.
Note: When the checkbox is selected, all dependent rules with the No access permission will be given the READ access permission.
- Click Save.
A confirmation message that the permission is successfully set for the selected alert is displayed.
Access Control for an Alert When Multiple Alerts are Selected
To change permissions of multiple alerts:
- In the Alerts panel, select all the alerts whose permissions must be set.
- Click > Permissions.
The Alert Permissions dialog box is displayed.
- Select the permission to set for the respective user role.
- Click Save.
A confirmation message that the permission is successfully set for all the selected alerts is displayed.
Edit an Alert
For example, if you want to be notified about the alert at a different Email ID, modify the alert notification section with the new Email ID details so that the email is sent there when an alert is generated. You can also modify the alert description and alert notification in the Create or Modify Alert panel.
To edit an alert:
- Go to Reports.
The Manage tab is displayed.
- Click Alerts.
The Alert view is displayed.
- In the Alert panel, select an alert and click .
The Create or Modify Alert tab is displayed.
- In the Rule Basis field, navigate the rule tree and select another rule.
The Rule name is displayed in the Rule Basis field.
- (Optional) Select a data source from the Data Sources drop-down list.
Note: If the data source is not listed, ensure that you have Read permissions set for the data source. This applies to NWDB and Warehouse data sources. For more information, see the "Configure Data Source Permissions" topic in the Host and Services Configuration Guide.
- (Optional) Modify the alert description in the Description field.
- Modify the appropriate Notification tabs – RECORD, SMTP, SNMP, and Syslog.
- Click Save.
A confirmation message that the alert is modified successfully is displayed.
Delete an Alert
To delete an alert:
- Go to Reports.
The Manage tab is displayed.
- Click Alerts.
The Alert view is displayed.
- In the Alert panel, select the alert and click .
A warning dialog asks for confirmation that you want to remove the selected alerts.
- Click Yes to delete the alert.
A confirmation message that the alert is deleted successfully is displayed and the selected alert is deleted from the Alert panel.
Import an Alert
To import an alert from other instances of NetWitness in the Alerts panel:
- Go to Reports.
The Manage tab is displayed.
- Click Alerts.
The Alert view is displayed.
- In the Alert toolbar, click > Import.
The Import Alert dialog box is displayed.
- Click Browse to select the binary file.
NetWitness provides a file system view of the files. You can import multiple alerts at a time. To select multiple alerts, select the checkbox of the alert to be imported.
- Locate the binary file, and click Open.
The file is added to the Import Alert list.
- (Optional) To overwrite any existing alert in the library with an identically named alert in the binary file when importing, select the Alert checkbox. If you do not select the Overwrite option, and an identical alert is encountered in the binary file, the binary file is imported and no error message is displayed.
- Click Import to import the binary file.
Export an Alert
To export an alert to an external file that can be later imported to NetWitness:
- Go to Reports.
The Manage tab is displayed.
- Click Alerts.
The Alert view is displayed.
- In the Alert panel, select an alert and click and do one of the following:
- Export - This selection exports an alert in a .zip file.
- Export as Text - This selection exports all the content from the Reporting Engine in a .zip file which contains the data in text format.
You can export multiple alerts at a time. To select multiple alerts, check the checkbox of the alert to be exported.
- Click > Export.
The exported binary file is saved to the local drive.
Enable an Alert
To enable an alert:
- Go to Reports.
The Manage tab is displayed.
- Click Alerts.
The Alert view is displayed.
- In the Alert panel, select the alert that displays in the Enabled column.
- Click .
A confirmation message shows that the change to the alert(s) state was successful.
Disable an Alert
To disable an alert:
- Go to Reports.
The Manage tab is displayed.
- Click Alerts.
The Alert view is displayed.
- In the Alert panel, select the alert that displays in the Enabled column.
- Click .
A confirmation message shows that the alert(s) status is changed successfully.
View an Alert List
To view an alert list:
- Go to Reports.
The Manage tab is displayed.
- Click Alerts.
The Alert view is displayed.
- In the Alert toolbar, click View Alerts.
The View Alerts view tab is displayed.
- Select the last number of days from the drop-down list.
- Enter a value for the Max no of alerts.
The alerts list is displayed based on the chosen filter value.
Refresh an Alert List
To refresh the list of alerts:
- Go to Reports.
The Manage tab is displayed.
- Click Alerts.
The Alert view is displayed.
- From the Alert toolbar, click to refresh the alerts list.
The Alert panel is refreshed.
Manage a Scheduled Alert
You can enable or disable a scheduled alert, and view all scheduled alerts.
Enable a Scheduled Alert
To enable a scheduled alert:
- Go to Reports.
The Manage tab is displayed.
- Click Alerts.
The Alert view is displayed.
- Click .
The View Alerts Schedule view tab is displayed.
- In the Alerts Schedule List panel, select the scheduled alert(s) to be enabled.
- Click .
A confirmation message indicates that the alert(s) status is changed successfully and the alert is now available in the Alert panel.
Disable a Scheduled Alert
To disable a scheduled alert:
- Go to Reports.
The Manage tab is displayed.
- Click Alerts.
The Alert view is displayed.
- Click .
The View Alerts Schedule view tab is displayed.
- In the Alerts Schedule List panel, select the scheduled alert(s) to be disabled.
- Click .
A confirmation message indicates that the alert(s) status is changed successfully and the alert is now available in the Alert panel.
View all Alerts Scheduled
To view all the alerts scheduled:
- Go to Reports.
The Manage tab is displayed.
- Click Alerts.
The Alert view is displayed.
- In the Alert toolbar, click View Schedule.
The View Alerts Schedule view is displayed with a list of all the scheduled alerts.
Manage an Alert Template
You can modify or delete an alert template, and view all alert templates.
Edit an Alert Template
To edit an alert template:
- Go to Reports.
The Manage tab is displayed.
- Click Alerts.
The Alert view is displayed.
- Click .
The Alert Template view is displayed.
- In the Alert Template panel, select a template and click .
The Create/Modify Template dialog box is displayed.
- Click Save.
A confirmation message that the template is modified successfully is displayed.
Delete an Alert Template
To delete an alert template:
- Go to Reports.
The Manage tab is displayed.
- Click Alerts.
The Alert view is displayed.
- Click .
The Template view tab is displayed.
- In the Alert Template panel, select a template and click.
A confirmation dialog is displayed.
- Click Yes to delete the template.
A confirmation message that the template is deleted successfully is displayed.
View all Alert Templates
To view all alert template messages:
- Go to Reports.
The Manage tab is displayed.
- Click Alerts.
The Alert view is displayed.
- In the Alert toolbar, click Template.
The Template view tab is displayed with a list of templates.
List of Available Variables
The following variables are available in the Reporting Engine notification for Reporting Engine alerts.
Name: ${name}
Severity: ${severity}
alert count: ${count}
Start_session_id = ${sid1}
end_session_id = ${sid2}
data source id = ${device.id}
netwitness host = ${nw.host}
The following example shows how to use metadata information in the notification template.
To use ip.src and ip.dst meta, use the format ${meta.<meta-name>}.
ip.src meta = ${meta.ip.src}
ip.dst meta = ${meta.ip.dst}
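A check that can be run over notification template text before it is saved or imported, added here as an example and not part of the original page or the product: it flags ${...} placeholders that are neither in the variable list above nor of the form ${meta.<meta-name>}, which helps catch typos that would otherwise surface only in a delivered alert. The function name, the sample template, and the lowercase dot-separated pattern for meta names are assumptions.

```python
import re

# Variables listed on this page for Reporting Engine alert notifications.
DOCUMENTED = {"name", "severity", "count", "sid1", "sid2", "device.id", "nw.host"}
PLACEHOLDER = re.compile(r"\$\{([^}]*)\}")
# Assumption: meta names are lowercase, dot-separated words such as ip.src.
META_NAME = re.compile(r"meta(\.[a-z0-9_]+)+")


def lint_template(text):
    """Return (line_no, placeholder, problem) for each suspect placeholder."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matches = list(PLACEHOLDER.finditer(line))
        for match in matches:
            var = match.group(1)
            if var in DOCUMENTED or META_NAME.fullmatch(var):
                continue
            if var.strip().lower() in DOCUMENTED:
                problem = "differs from the documented spelling in case or spacing"
            elif var.strip().lower().startswith("meta"):
                problem = "malformed meta reference, expected ${meta.<meta-name>}"
            else:
                problem = "not in the documented variable list"
            findings.append((line_no, match.group(0), problem))
        # More "${" openers than complete placeholders: a brace is missing.
        if line.count("${") > len(matches):
            findings.append((line_no, "${", "unterminated placeholder"))
    return findings


# Constructed sample template (hypothetical, not taken from the product).
SAMPLE = """\
alert=${name} severity=${severity} count=${count}
sessions=${sid1}-${sid2} source=${device.id} host=${nw.host}
src=${meta.ip.src} dst=${meta.ip.dst}
sev=${Severity} user=${username} bad=${meta.} open=${count
"""

if __name__ == "__main__":
    for finding in lint_template(SAMPLE):
        print(finding)
```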