Add Notification Method to a Rule

This topic tells administrators how to add a notification, such as email, to a rule. ESA uses the notification method when it generates an alert for an event that meets rule criteria.

You add a notification to a rule so ESA can let you know when a rule triggers an alert. Although the notification fields are not required, it is a best practice to add a notification to a rule.

When you add a notification method to a rule, you select the following information:

  • Output
  • Notification
  • Notification Server
  • Template


Prerequisites

  • Your role must have permission to manage rules.
  • The rule must exist.
  • The notification method must be configured with a supported server and template:

    Go to Admin > System > Global Notifications.

    For detailed procedures, see the System Configuration Guide.

Add a Notification Method to a Rule

  1. Go to Configure > ESA Rules > Rules tab.
  2. In the Rule Library, click the Add icon to add a new rule, or select an existing rule and click the Edit icon.
    Depending on the rule type, the Rule Builder or Advanced EPL tab is displayed.
    The Notifications section is the same for both tabs.
    [Figure: blank Notifications section]
  3. Click the Add icon and select the Output for the alert:
      • Email
      • SNMP (This option is not supported in NetWitness Platform 11.3 and later.)
      • Syslog
      • Script
  4. Double-click the Notification field and select the name of a previously configured output.
    For example, Level 1 Analyst could be the name of an email notification that goes to the L1-Analysts email distribution group.
  5. Double-click the Notification Server field and select the server that sends the notification.
  6. Double-click the Template field and select a format for the alert.
    The following figure shows the settings for a Syslog notification.
    [Figure: notification added]
  7. If you want to specify frequency, select Output Suppression, then enter the number of minutes.
  8. If you want to add another notification, repeat steps 3-7.
  9. Click Save.
    When ESA generates an alert for an event that matches the rule criteria, you will be notified of the alert via each notification method added to the rule.