This topic tells administrators how to add a notification, such as email, to a rule. ESA uses the notification method when it generates an alert for an event that meets rule criteria.
You add a notification to a rule so ESA can let you know when a rule triggers an alert. Although the notification fields are not required, it is a best practice to add a notification to a rule.
When you add a notification method to a rule, you select the following information:
- Notification
- Notification Server
- Template
Before you begin, make sure that:
- Your role has permission to manage rules.
- The rule exists.
- The notification method is configured with a supported server and template. To configure it, click Administration > System > Global Notifications; for detailed procedures, see the System Configuration Guide.
To add a notification method to a rule:
1. In the Security Analytics menu, select Alerts > Configure > Rules.
2. In the Rule Library, click the add icon to create a new rule, or select an existing rule and click the edit icon.
   Depending on the rule type, the Rule Builder or Advanced EPL tab is displayed. The Notifications section is the same for both tabs.
3. In the Notifications section, click the add icon to add an Output for the alert.
4. Double-click the Notification field and select the name of a previously configured output.
   For example, Level 1 Analyst could be the name of an email notification that goes to the L1-Analysts email distribution group.
5. Double-click the Notification Server field and select the server that sends the notification.
6. Double-click the Template field and select a format for the alert.
   The following figure shows the settings for a Syslog notification.
7. If you want to limit how often this notification is sent, select Output Suppression and enter the number of minutes.
8. To add another notification, repeat steps 3-7.
9. Click Save.
When ESA generates an alert for an event that matches the rule criteria, you will be notified of the alert via each notification method added to the rule.
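Output Suppression (step 7) trades notification volume for visibility: a rule can keep firing while the output stays quiet, so it is worth knowing how many alerts a given window hides before enabling it. The following Python script is an added example, not ESA code and not part of the original topic. It models the assumed behaviour of Output Suppression (one notification per rule per window, further alerts suppressed until the window elapses since the last notification sent) over a constructed alert stream; the rule names, timestamps and the exact window semantics are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (timestamp, rule name) for two hypothetical rules.
# This is made-up data, not output from an ESA deployment.
SAMPLE_ALERTS = [
    (datetime(2024, 1, 1, 9, 0, 0), "Brute Force Login"),
    (datetime(2024, 1, 1, 9, 0, 30), "Brute Force Login"),
    (datetime(2024, 1, 1, 9, 4, 59), "Brute Force Login"),
    (datetime(2024, 1, 1, 9, 5, 0), "Brute Force Login"),
    (datetime(2024, 1, 1, 9, 2, 0), "Privilege Escalation"),
    (datetime(2024, 1, 1, 9, 30, 0), "Brute Force Login"),
]


def apply_output_suppression(alerts, minutes):
    """Model Output Suppression for a single notification output.

    Assumed semantics (a model, not ESA's implementation): the first alert a
    rule produces is sent to the output; later alerts from the same rule are
    suppressed until `minutes` have elapsed since the last notification that
    was actually sent. With minutes=0 every alert is sent.

    Returns (sent, suppressed), each a time-ordered list of (timestamp, rule).
    """
    window = timedelta(minutes=minutes)
    last_sent = {}  # rule name -> timestamp of the last notification sent
    sent, suppressed = [], []
    for ts, rule in sorted(alerts):
        previous = last_sent.get(rule)
        if previous is not None and ts < previous + window:
            suppressed.append((ts, rule))
        else:
            last_sent[rule] = ts
            sent.append((ts, rule))
    return sent, suppressed


def suppression_report(alerts, minutes):
    """Count, per rule, how many alerts reached the output and how many did not."""
    sent, suppressed = apply_output_suppression(alerts, minutes)
    report = defaultdict(lambda: {"sent": 0, "suppressed": 0})
    for _, rule in sent:
        report[rule]["sent"] += 1
    for _, rule in suppressed:
        report[rule]["suppressed"] += 1
    return dict(report)


if __name__ == "__main__":
    # Compare no suppression with a 5-minute window on the constructed stream.
    for minutes in (0, 5):
        print(f"Output Suppression = {minutes} min:")
        for rule, counts in suppression_report(SAMPLE_ALERTS, minutes).items():
            print(f"  {rule}: {counts['sent']} sent, {counts['suppressed']} suppressed")
```

Running the script shows that, under this model, a 5-minute window delivers three of the five Brute Force Login alerts and drops two, while the single Privilege Escalation alert is unaffected. Suppression only affects what is sent to the output; the alerts themselves are still generated, so a suppressed burst should still be reviewed in the alert list rather than assumed to be a single event.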