
Change content of notification email


Hi guys,

Is there a way to change the content or add content to an email notification?

I usually configure email notifications to contain important info in the subject line but I have a rule with a lot of important info in the base event that I can't squeeze into the subject line.

Normally the content in the notification email is similar to the below.

notification.jpg

Appreciate any help.

Accepted Solutions
Acclaimed Contributor.

You can do this by modifying the Velocity templates used for email notifications on the ESM server. See appendix D ->

Absent Member.

Thanks Richard!

I have started to try these, I think they will work well.

I might have to surf some discussion threads to see if they are talked about. I followed the steps in the Appendix D which makes sense, but I think the way my Email.vm is calling my new template is not working.

From my #if statement, if I get a match on device product (Brightmail), I don't get a notification.

This is what I added

#if( $introspector.getDisplayValue($event,"deviceProduct") == "Brightmail")

#parse("Brightmail.vm")

#else

#parse ("Informative.vm")

#end

Thanks again.

Acclaimed Contributor.

Looks correct, what does Brightmail.vm look like?

Absent Member.

## CMS.vm is the custom velocity template for Fireeye alert notifications.
## To change the text sent, edit the text below.
## "Data Fields" found in Console online Help or Using the ArcSight Console.
=== Event Details ===
FireEye alert details

Threat Details
Event:         $introspector.getDisplayValue($event,"deviceCustomString1")

URL:           $introspector.getDisplayValue($event,"requestUrl")
or
Attachment:    $introspector.getDisplayValue($event,"filePath")

Sender Details
Sender:        $introspector.getDisplayValue($event,"attackerUserName")
Sender domain: $introspector.getDisplayValue($event,"attackerDnsName")

Recipient Details
Recipient:     $introspector.getDisplayValue($event,"targetUserName")

End of email notification.
--------------------------------

Absent Member.

When I get a hit on the deviceProduct (Brightmail), I just don't get a notification at all......

Absent Member.

And sorry, my full Email.vm is actually the below. It's not just what I posted earlier.

I hope anything in it is not causing the 'no show' for the notification.

## Email.vm is a Velocity macro file that serves as a template for the text

## sent for e-mail notifications.

## To change the text sent, edit the text below.

## The following fields are defined by default.

## The notification URL is automatically established by the ArcSight Web server

## host.

## The event URL links to the relevant event as viewed in ArcSight Web.

Notification ID: ${NOTIFICATION_ID}

Escalation Level: ${ESCALATION_LEVEL}

#if( $introspector.getDisplayValue($event, "deviceProduct") == "Brightmail")

#parse("Brightmail.vm")

#else

#parse ("Informative.vm")

#end

Acknowledge this message in one of these ways:

#if(${INCOMING_MAIL_SERVER_CONFIGURED})

* Reply to this e-mail. Include this message's notification ID in your reply.

#end

* Log in to the ArcSight Console and click the Notification button on the tool bar.

* Log in to ArcSight Web at ${NOTIFICATION_URL} and view the
Notifications display.

To view the full alert, please go to ${EVENT_URL}.

Absent Member.

Another spam from me, sorry. Just more info.

Other notifications come through fine, but the Brightmail ones don't come at all......

Absent Member.

For anyone following this thread, unlikely

I did resolve it.

Went back to basics on my 'Brightmail.vm' template, literally just putting the word 'hello' in it.

Email.vm seemed ok with the file now, and called it. Notifications came through with 'hello'.

Then I just started building in the lines and testing each time.

$introspector.getDisplayValue($event,"requestUrl") etc....

unsure which one it didn't like, but it's happy now.

ciao

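An added example, not part of the original thread or of ArcSight: an offline Python check to run over template text before copying it to the ESM server. It flags unbalanced #if/#end blocks and #parse targets that are missing, and staged_versions produces the one-field-at-a-time rebuild described in the post above. The function names are hypothetical and the sample templates are constructed from the snippets posted in this thread.

```python
import re

# Block-opening Velocity directives; each needs a matching #end.
OPENERS = {"if", "foreach", "macro"}
DIRECTIVE = re.compile(r"#\{?(if|foreach|macro|end)\b")
PARSE = re.compile(r'#parse\s*\(\s*"([^"]+)"\s*\)')
FIELD = re.compile(r'getDisplayValue\(\s*\$event\s*,\s*"([^"]+)"\s*\)')

# Constructed sample input, shortened from the templates posted in the thread.
TEMPLATES = {
    "Email.vm": (
        "Notification ID: ${NOTIFICATION_ID}\n"
        '#if( $introspector.getDisplayValue($event, "deviceProduct") == "Brightmail")\n'
        '#parse("Brightmail.vm")\n'
        "#else\n"
        '#parse ("Informative.vm")\n'
        "#end\n"
    ),
    "Brightmail.vm": (
        "## custom template\n"
        "=== Event Details ===\n"
        'URL:       $introspector.getDisplayValue($event,"requestUrl")\n'
        'Sender:    $introspector.getDisplayValue($event,"attackerUserName")\n'
        'Recipient: $introspector.getDisplayValue($event,"targetUserName")\n'
    ),
    "Informative.vm": "placeholder body\n",
}


def lint(name, templates):
    """Return problems in templates[name]: unbalanced blocks, missing #parse targets."""
    # Drop ## line comments so directives mentioned in them are ignored.
    body = "\n".join(ln.split("##", 1)[0] for ln in templates[name].splitlines())
    problems, depth = [], 0
    for m in DIRECTIVE.finditer(body):
        depth += 1 if m.group(1) in OPENERS else -1
        if depth < 0:
            problems.append(f"{name}: #end without an opening directive")
            depth = 0
    if depth:
        problems.append(f"{name}: {depth} block(s) missing #end")
    problems += [f"{name}: #parse target {t!r} not found"
                 for t in PARSE.findall(body) if t not in templates]
    return problems


def staged_versions(text):
    """Yield (field, partial template), adding one event field per step."""
    kept = []
    for line in text.splitlines():
        kept.append(line)
        for field in FIELD.findall(line):
            yield field, "\n".join(kept) + "\n"
```

Each partial template from staged_versions can be deployed and tested in turn; the first stage that stops the notification arriving names the field reference to look at.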
Absent Member.

This is very easy to do directly in ArcSight. No need to go to Velocity...

In the notification message body, you can write this: User: [$targetUser]

For this to work, you of course need to aggregate the fields you want present in the notification.

Absent Member.

Thanks Morten.

If what you have suggested populates the 'subject line' of the email, then yes, I do use this one also, but for a few of my alerts I have too much info to display for a 'subject line'. I need to modify the body of the email, if that makes sense.

If what you suggest can populate the 'body' of the email, can you let me know how you get to that?

Scott

Absent Member.

Hi Scott,

I just write what I want in the message field in the notification/action. The first line is the title of the e-mail. The subsequent lines become the 'body' of the email.

<Some Title>

User: [$deviceCustomString4] <-- example

I have not come across any examples where I couldn't fit everything I needed this way. If you're doing it in a similar fashion, how many lines are you able to use?
