Alerting: Add Notification Method to a Rule

Document created by RSA Information Design and Development on Nov 23, 2016. Last modified by RSA Information Design and Development on Apr 26, 2017.
Version 3

This topic tells administrators how to add a notification, such as email, to a rule. ESA uses the notification method when it generates an alert for an event that meets rule criteria.

You add a notification to a rule so ESA can let you know when a rule triggers an alert. Although the notification fields are not required, it is a best practice to add a notification to a rule.

When you add a notification method to a rule, you select the following information:

  • Output
  • Notification
  • Notification Server
  • Template

Prerequisites

  • Your role must have permission to manage rules.
  • The rule must exist.
  • The notification method must be configured with a supported server and template:
    • Click Administration > System > Global Notifications.
    • For detailed procedures, see the System Configuration Guide.

Procedure

To add a notification method to a rule:

  1. In the Security Analytics menu, select Alerts > Configure > Rules.
  2. In the Rule Library, click the Add icon (addList.PNG) to add a new rule, or select an existing rule and click the Edit icon (ic-edit.png).
     Depending on the rule type, the Rule Builder or Advanced EPL tab is displayed. The Notifications section is the same for both tabs.
     [Figure: NotificationBlank.png]
  3. In the Notifications section, click the Add icon (addList.PNG) and select the Output for the alert:
     • Email
     • SNMP
     • Syslog
     • Script
  4. Double-click the Notification field and select the name of a previously configured output.
     For example, Level 1 Analyst could be the name of an email notification that goes to the L1-Analysts email distribution group.
  5. Double-click the Notification Server field and select the server that sends the notification.
  6. Double-click the Template field and select a format for the alert.
     The following figure shows the settings for a Syslog notification.
     [Figure: NotificationAdded.png]
  7. If you want to specify a frequency, select Output Suppression, then enter the number of minutes.
  8. If you want to add another notification, repeat steps 3-7.
  9. Click Save.
     When ESA generates an alert for an event that matches the rule criteria, you are notified of the alert through each notification method added to the rule.