Absent Member.

Change content of notification email


Hi guys,

Is there a way to change the content or add content to an email notification?

I usually configure email notifications to contain important info in the subject line but I have a rule with a lot of important info in the base event that I can't squeeze into the subject line.

Normally the content in the notification email is similar to the below.

[Image: notification.jpg]

Appreciate any help.

18 Replies
Absent Member.

Thanks Morten, makes sense, I will try this and let you know.

Excellent if it works.

Absent Member.

Yes, this worked Morten, but I did not get new lines for each time I pressed enter in the notification field.

Do you know how I can force it to make a new line <br> etc?

thanks

Absent Member.

No, sorry.

Outstanding Contributor.

First thing: the default send-out is the informative.vm file = way too much information.

So what you need to do is trigger your different notifications by the "NAME" of what triggers it - this is always contained in the snap Informative.vm set and will not require extra CPU cycles to gather on the ESM. This will also not require major manual tooling of your rule set to start implementing these changes.

So we take our initial EMAIL.VM and we edit it to include the things we need to see, or interesting things we need to see or e-mail out.

------- Always leave the Informative.vm at the bottom - do not comment this out.

---------------------------- EXAMPLE FOLLOWS ---------------------

## This is a velocity macro file...
## The following fields are defined in the velocity macro.
## event == the event which needs to be sent.
## WEBROOT == root of the myarcsight
## EVENT_URL == root of the event alert.
## NOTIFICATION_URL = root of the notification.
##
## Generic instructions
##
##
## Details specific to the rule that fired
##
##
##
##
Notification ID: ${NOTIFICATION_ID}

Escalation Level: ${ESCALATION_LEVEL}

#if($introspector.getDisplayValue($event, "name") == "New Device Found")
#parse ("New_Device.vm")
##
#elseif($introspector.getDisplayValue($event, "name") == "New Server Detected")
#parse ("New_Device.vm")
##
#elseif($introspector.getDisplayValue($event, "name") == "Account Locked Out")
#parse ("User_Inspect.vm")
##
#elseif($introspector.getDisplayValue($event, "name") == "Authentication Attempted to Non-Existing Account")
#parse ("User_Inspect.vm")
##
#elseif($introspector.getDisplayValue($event, "name") == "Account Locked Out Multiple Times in 24 Hours")
#parse ("User_Inspect.vm")
##
#elseif($introspector.getDisplayValue($event, "name") == "Privileged Account Locked Out")
#parse ("User_Inspect.vm")
##
#elseif($introspector.getDisplayValue($event, "name") == "Account currently disabled.")
#parse ("User_Inspect.vm")
##
#elseif($introspector.getDisplayValue($event, "name") == "Failed Authentication - Windows Workstation")
#parse ("User_Inspect.vm")
##
#elseif($introspector.getDisplayValue($event, "name") == "Authentication Attempted to Disabled Account")
#parse ("User_Inspect.vm")
##
#elseif($introspector.getDisplayValue($event, "name") == "Failed Authentication - Windows Domain Account")
#parse ("User_Inspect.vm")
##
#else
#parse ("Informative.vm")
Acknowledge this message in one of these ways:

#if(${INCOMING_MAIL_SERVER_CONFIGURED})

* Reply to this e-mail. Include this message's notification ID in your reply.

#end

* Log in to the ArcSight Console and click the Notification button on the tool bar.

* Log in to ArcSight Web at ${NOTIFICATION_URL} and view the Notifications display.

To view the full alert, please go to ${EVENT_URL}.

#end

--------------------------------------------------------------------------------------------

We then create custom templates off of the base Informative.vm set that are unique to the event we want to see.

This way you do not spend cycles looking for Device Vendor, Product Name, etc. You simply grab what is there; out of over 500 unique notifications I have seen 2 that needed a field outside of what is in the informative.vm.

We use as much of the informative set as possible to avoid stealing CPU cycles from other processes, because informative.vm is tied into base event processing and filtering.

SAMPLE "CUSTOM" E-MAIL template follows  --------------

## This is a velocity macro file...
## The following fields are defined in the velocity macro.
## event == the event which needs to be sent.
## WEBROOT == root of the myarcsight
## EVENT_URL == root of the event alert.
## NOTIFICATION_URL = root of the notification.

$introspector.getDisplayValue($event,"name")

Priority: $introspector.getDisplayValue($event,"priority")
-------------------------------------------------------------------------

End Time:  $introspector.getDisplayValue($event,"endTime")

Attacker User Name:    $introspector.getDisplayValue($event,"attackerUserName")

Attacker Address:      $introspector.getDisplayValue($event,"attackerAddress")

Attacker Host Name:    $introspector.getDisplayValue($event,"attackerHostName")

Target User Name:      $introspector.getDisplayValue($event,"targetUserName")

Target Host Name:      $introspector.getDisplayValue($event,"targetHostName")

Target Address:        $introspector.getDisplayValue($event,"targetAddress")

Target NT Domain:      $introspector.getDisplayValue($event,"targetNtDomain")

To view the full alert, please go to ${EVENT_URL}.

This will produce a very small notification email with enough information to start diagnosing the issues with the account, devices or service.

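The same per-rule dispatch as the #if/#elseif chain above, written as an added example (not from the post or from ArcSight) so that the rule-name-to-template mapping is kept in one place and unknown rules still fall back to Informative.vm. It assumes a Velocity version with map literals (1.5 or later) and that the New_Device.vm and User_Inspect.vm files from the post exist next to this template; the rule names are the ones the post uses.

```velocity
## Added example, not ArcSight's stock email.vm: one lookup table instead of
## a long #if/#elseif chain. Assumes Velocity 1.5+ (map literals) and that
## New_Device.vm / User_Inspect.vm exist beside this file.
#set($templates = {})
## #set swallows the return value of put(), so nothing leaks into the mail.
#set($ignore = $templates.put("New Device Found", "New_Device.vm"))
#set($ignore = $templates.put("New Server Detected", "New_Device.vm"))
#set($ignore = $templates.put("Account Locked Out", "User_Inspect.vm"))
#set($ignore = $templates.put("Privileged Account Locked Out", "User_Inspect.vm"))
#set($ignore = $templates.put("Failed Authentication - Windows Domain Account", "User_Inspect.vm"))
## The rule name is already in the base event, so no extra lookups are needed.
#set($ruleName = $introspector.getDisplayValue($event, "name"))

Notification ID: ${NOTIFICATION_ID}

Escalation Level: ${ESCALATION_LEVEL}

#if($templates.containsKey($ruleName))
## Known rule: render only the short custom template for it.
#parse($templates.get($ruleName))
#else
## Unknown rule: keep the stock template so no notification is silently trimmed.
#parse("Informative.vm")
#end

## Plain text outside directives is sent verbatim, so the blank lines in this
## file are the line breaks in the mail.
To view the full alert, please go to ${EVENT_URL}.
```

Adding a rule now means one #set line rather than a new #elseif block, and a typo in a rule name shows up as the full Informative.vm output rather than an empty mail.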
Outstanding Contributor.

Keep in mind most changes to these notifications or the rules attached to them will require at minimum a restart of the Manager services; on some systems it will require a reboot of the system.

New Member.

There is no need for a service restart or system reboot when making changes to these .vm files. For me it always works without a service restart or system reboot.

Outstanding Contributor.

All of that information depends on your version of ESM or Express. On 3.0 and 4.0 Express I have had times where the changes did not catch until after a restart of services; altering your rules is a restart also.

My new 6.9.1c ESM does not even flinch when I change things.

If you have any questions or concerns please contact me directly,

Thank you

Christopher Lee Kaija, CISSP

Information Security Analyst

Lake Health

Information Technologies

