Alerting: Choose How to be Notified of Alerts

Document created by RSA Information Design and Development on Sep 12, 2017. Last modified by RSA Information Design and Development on Apr 11, 2019.

This topic explains the different notification methods and how to add a notification method to a rule. Administrator, SOC Manager or DPO role permissions are required for all tasks in this section.

When a rule triggers an alert, ESA can send a notification in the following ways:

  • Email
  • Syslog
  • Script

To configure a notification, you configure these components: 

  • Notification Server: The notification server is the source of the notifications. After you configure a notification server, you can add it to a rule. When the rule triggers an alert, the rule will use that server to send alert notifications.
  • Notifications: These are the outputs (destinations) of the notifications, which can be email, script, and Syslog. When you design a rule, you can specify the notification for an alert.
  • Templates: The message format of an alert notification is defined in a template.

If you use an ESA rule that has an enrichment, such as a Context Hub list, you must create a custom template. You can duplicate a default template and adjust it for your enrichment. For more information, see Troubleshoot ESA Rules. For information on creating a custom template, see "Configure Meta Keys as Arrays in ESA Correlation Rules" in the System Configuration Guide.

Go to the Master Table of Contents to find all NetWitness Platform Logs & Network 11.x documents.

Note: ESA SNMP notifications are not supported for NetWitness Platform 11.3 and later.

Alert suppression and alert rate regulation are two features that Event Stream Analysis provides. Alert suppression ensures that multiple emails are not sent for the same alert. For example, consider a rule that detects failed user logins. If you set alert suppression to three minutes, you see only the alerts generated within that time frame, which is fewer than you would see without suppression. Some of those alerts can be duplicates; with alert suppression, no emails are sent for the duplicates, so the inbox is not flooded with redundant alert notifications.

Alert rate regulation is a preventive measure that ensures alerts from misconfigured rules do not flood the system: ESA does not send more than the configured limit of emails within one minute.
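The following is an added illustration of how the two controls above interact, written for this page and not NetWitness or ESA code. It models a per-rule suppression window (a repeat alert for the same rule and key inside the window sends no notification) and a global cap on notifications per sliding minute, then runs a constructed stream of failed-login alerts through both. The rule name, user keys, timestamps and the 180-second / 5-per-minute settings are all assumed sample values.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Alert:
    rule: str   # name of the rule that fired (constructed sample)
    key: str    # field(s) that make two alerts duplicates, e.g. the user name
    ts: float   # event time in seconds


@dataclass
class Notifier:
    """Illustrative model of alert suppression plus per-minute rate regulation.
    Not the product's implementation; behaviour is an assumption for the example."""
    suppression_window: float            # seconds; 0 disables suppression
    max_per_minute: int                  # global cap on notifications per 60 s
    _last_sent: dict = field(default_factory=dict)   # (rule, key) -> last send time
    _sent_times: deque = field(default_factory=deque)  # send times in the last 60 s

    def handle(self, alert: Alert) -> str:
        """Classify one alert as 'sent', 'suppressed' or 'rate_limited'."""
        dedupe_key = (alert.rule, alert.key)
        last = self._last_sent.get(dedupe_key)
        # Suppression: a duplicate inside the window produces no notification.
        if (self.suppression_window and last is not None
                and alert.ts - last < self.suppression_window):
            return "suppressed"
        # Rate regulation: drop send times older than 60 s, then check the cap.
        while self._sent_times and alert.ts - self._sent_times[0] >= 60:
            self._sent_times.popleft()
        if len(self._sent_times) >= self.max_per_minute:
            return "rate_limited"
        self._sent_times.append(alert.ts)
        self._last_sent[dedupe_key] = alert.ts
        return "sent"


def simulate(suppression_window: float = 180, max_per_minute: int = 5) -> dict:
    """Run a constructed alert stream through the notifier and count outcomes."""
    alerts = [
        Alert("failed_logins", "alice", 0),     # first alert for alice: sent
        Alert("failed_logins", "alice", 30),    # duplicate inside window
        Alert("failed_logins", "bob", 45),      # different key: sent
        Alert("failed_logins", "alice", 90),    # still inside window
        Alert("failed_logins", "alice", 200),   # window expired: sent again
    ]
    # A burst of ten distinct users in ten seconds exercises the per-minute cap.
    alerts += [Alert("failed_logins", f"user{i}", 300 + i) for i in range(10)]
    notifier = Notifier(suppression_window, max_per_minute)
    results = [notifier.handle(a) for a in alerts]
    return {outcome: results.count(outcome)
            for outcome in ("sent", "suppressed", "rate_limited")}


if __name__ == "__main__":
    print("with suppression:", simulate())
    print("suppression off: ", simulate(suppression_window=0))
```

With the 180-second window, the three alice alerts inside the window collapse to one notification and the burst is capped at five; with suppression disabled, every alice alert is notified but the per-minute cap still holds the burst to five, which is the behaviour the page attributes to rate regulation alone.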

Notification servers, notifications, and templates are configured in the Administration System view. For more information, see "Configure Notification Servers", "Configure Notification Outputs", and "Configure Templates for Notifications" in the System Configuration Guide.
