One of the more common requests and "how do I" questions I've heard in recent months centers around the emails that the Respond Module can send when an Incident is created or updated. Enabling this configuration is simple (https://community.rsa.com/docs/DOC-86405), but unfortunately changing the templates that Respond uses when it sends one of these emails has not been an option.
Or rather...has not been an accessible option. I aim to fix that with this blog post.
Before getting into the weeds, I should note that this guide does not cover how to include *any* alert data within incident notification emails. The fields I have found in my tests that can be included are limited to the following, referenced using JSON dot notation (e.g. "incident.id", "incident.title", "incident.summary", etc.):
Now, this does not necessarily mean it isn't possible to include other data, just that I have not figured out how...yet.
The first thing we need to do is create a new Notification Template for Respond to use. We do this within the UI at Admin / System / Global Notifications --> Templates tab. I recommend using either of the existing Respond Notification templates as a base, and then modifying either/both of those as necessary. (I have attached these OOTB notification templates to this blog.)
For this guide, I'll use the "incident-created" template as my base, and copy that into a new Notification Template in the UI. I give my template an easy-to-remember name, choose any of the default Template Types from the dropdown - it does not matter which I choose, as it won't have any bearing on the process, but it's a required field and I won't be able to save the template without selecting one - and write in a description:
Then I copy the contents of the "incident-created" template into the Template field. The first ~60% of this template is just formatting and comments, so I scroll past all that until I find the start of the HTML <body> tag. This is where I'll be making my changes.
One of the more useful changes that comes to mind here is to include a hyperlink in the email that will allow me to pivot directly from the email to the Incident in NetWitness. I can also change any of the static text to whatever fits my needs. Once I'm done making my changes, I save the template.
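To make the two changes above concrete, here is a small added example (my own illustration, not the OOTB Respond template or any NetWitness code) of what a template engine does with the "incident.*" dot-notation fields and the pivot hyperlink. The `{{incident.id}}` placeholder syntax, the sample incident and the `https://netwitness.example/respond/incident/<id>` URL shape are all assumptions made for the example; substitute the real placeholder syntax from the OOTB template and your own Admin Server URL. The one thing worth taking from it is that an incident title or summary can carry text that originated in an alert, so every substituted value is HTML-escaped before it lands in an HTML email.

```python
import html
import re

# Constructed sample incident for the example; field names follow the
# dot-notation paths the post lists (incident.id, incident.title, incident.summary).
SAMPLE_INCIDENT = {
    "incident": {
        "id": "INC-42",
        "title": "Suspicious login from <script>alert(1)</script>",
        "summary": "Multiple failed logins followed by a success",
        "priority": "High",
    }
}

# Assumed base URL of the NetWitness Admin Server UI (placeholder, not a real host).
BASE_URL = "https://netwitness.example"

# Only incident.* paths are resolvable, mirroring the limitation described in the post.
ALLOWED_PREFIX = "incident."

# Assumed placeholder syntax for the example: {{incident.id}}, {{incident.title}}, ...
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_.]+)\s*\}\}")


def resolve(path, data):
    """Resolve a JSON dot-notation path such as 'incident.id' against nested dicts."""
    if not path.startswith(ALLOWED_PREFIX):
        raise KeyError(f"field not available to notification templates: {path}")
    node = data
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            raise KeyError(f"unknown field: {path}")
        node = node[part]
    return str(node)


def render(template, data):
    """Substitute every {{incident.x}} placeholder with its HTML-escaped value.

    Escaping is what keeps alert-derived text (a crafted incident title, say)
    from injecting markup or links into the notification email."""
    return PLACEHOLDER.sub(lambda m: html.escape(resolve(m.group(1), data), quote=True), template)


# The part of the template after the <body> tag, with the hyperlink that pivots
# from the email straight to the incident in Respond (URL shape assumed).
BODY_TEMPLATE = (
    "<body>\n"
    f'<p>Incident <a href="{BASE_URL}/respond/incident/{{{{incident.id}}}}">{{{{incident.id}}}}</a> was created.</p>\n'
    "<p><b>{{incident.title}}</b></p>\n"
    "<p>{{incident.summary}}</p>\n"
    "</body>"
)


def render_incident_created(data=SAMPLE_INCIDENT):
    """Render the incident-created body for an incident."""
    return render(BODY_TEMPLATE, data)


if __name__ == "__main__":
    print(render_incident_created())
```

Running it prints the body with the `<script>` text in the title rendered harmlessly as `&lt;script&gt;`, and the incident id both in the link href and as the link text. Any attempt to reference a field outside `incident.*` fails loudly rather than silently rendering an empty string, which matches what I have observed about which fields are actually available.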
After this, I'm done in the UI (unless I decide to make additional changes to my template), and open an SSH session to the NetWitness Admin Server. To make this next part as simple and straightforward as I can, I've written a script that will prompt me for the name of the Template I just created, use that to make a new Respond Notification template, and then prompt me one more time to choose which Respond Notification event (Created or Updated) I want to apply it to. (The script is attached to this blog.)
A couple notes on running the script:
- Must be run from the Admin Server
- Must be run as a superuser
Running the script:
...after a wall of text because my template is fairly long...I get a prompt to choose Created or Updated:
And that's it! Now, when a new incident gets created (either manually or automatically), Respond sends me an email using my custom Notification Template:
And if I want to update or fix or modify it in any way, I simply make my changes to the template within the UI and then run this script again.