Customize the Subject line in an SMTP Output Action or Template

Discussion created by RSA Admin

on Sep 16, 2008
Latest reply on Nov 3, 2011 by RSA Admin

Like • Show 0 Likes0
Comment • 12

enVision 3.5.2

Is there any way to customize the subject line in an SMTP output action or template? Instead of using one of the three pre-canned options of Short, Medium, or Long, none of which allow you to modify their content.

Ideally I'd like to set up smtp output actions and/or templates just like we do reports where I can declare SQL clauses and specify variables to construct a dynamic subject line so the people receiving the email alerts have something more relevant.

Say you have a corelation rule fire when XYZ happens on a firewall or IDS. I'd like to be able to specify the SMTP subject line to say "XYZ on %DeviceHostName%". Or in certain circumstances where your paging out to someone who's oncall that there is an increased trend in something happening, like "Virus Threshold Exceeded, %VirusCount% detections of %virusname% in last hour."

That would be way more helpful than a subject line of: ViewName, AertCategoryName, etc, etc, etc.

Anyone had any luck with this? Any ideas?

Outcomes

12 Replies

RSA Admin Sep 17, 2008 5:18 PM
We're using a custom output action template for SNPP paging, and we are only getting the fields that we need in the page. All we did was create the new output action template, select the long subject type, and then select only the fields that we wanted. That may have only worked for us, though, because subject info is ignored -- I assume that you've already tried creating a new template with limited selections?

The other thing you could try is to edit the outputformat.xml file to move the fields that you view as important to the top of the file. When you do this, the fields show up in a different order on the template creation page. I'm not sure how the subject type determines which fields it needs -- if it is by order or name in this file, you can use that to your advantage! I believe that the outputformat.xml file is only used at the time of the template creation, too, so you can revert back to the original after you've created the template you want.

Again, this is just theory at this point, but may be worth a try while you are waiting for support...
Like • Show 0 Likes0
Actions
- RSA Admin @ RSA Admin on Sep 18, 2008 1:03 PM
  Hi Jeff. Yes, you're correct, we did try creating a new template with limited selections, and ignore fields with null data, etc, and that works great within the message body, but I think the difference is that we're sending out ours via SMTP and not SNPP. When it goes out SMTP the subject line does get included, and that's really what I'm wanting to control / customize.
  
  I'm already getting beat up by customers asking me to customize it to be more relevant, and I cant. It's hard coded within the envision application somewhere, as far as I can tell.
  
  Good tip on customizing the outputformat.xml, I can see where that might come in handy in the future.
  
  Ryan
  Like • Show 0 Likes0
  Actions
  - RSA Admin @ RSA Admin on Mar 12, 2009 8:02 AM
    Hi Ryan
    
    Did you have any luck with this? We too are getting the same response from our customer - the subject line is not very informative.
    Like • Show 0 Likes0
    Actions
    - RSA Admin @ RSA Admin on Mar 12, 2009 11:25 AM
      Nope no luck at all.
      
      It might have gone into the black hole of user suggestions.   I have a hard time believing that no one has asked for this in the past, and I'd be keenly interested in finding out if RSA eVision team has ever done any deep-dive surveys into the usage of enVision feature sets, specifically down to details like this to see what is / is not getting used and why.   The only way to get that type of feedback is to bypass all the CSO/CISO/Management levels (no offense if you are one) and elicit this feedback from the admins and users in the trench.
      
      Either you (or your client in this case) and I are the only ones using smtp as an alert output option operationally across their security teams ( highly doubtful)... or those who are, have learned to live with the horrific subject line (seemingly doubtful, but probably more prevalent that others are willing to admit). That only leaves the non-use customers.  which begs ... why are they are non-use customers for this feature? The ablity to smtp out from enVision is extremely powerful imho and has many use cases. We use the heck out of it. I hope they seriously consider adding this functionality.   I suspect it would add immediate value for others as well.
      
      Good luck.
      
      ryan
      Like • Show 0 Likes0
      Actions
- RSA Admin @ RSA Admin on Jan 15, 2010 10:33 AM
  It appears to me that a reply to this thread is missing ( between Ryan's 03-12-2009 10:25 AM message and his 03-25-2009 08:58 AM message )? What "news" were Ryan and ariley referring to in the most recent messages?
  
  I manage an LS system running version 4, service pack 1 and I don't see a way to customize the subject field, although Ryan's 03-25-2009 08:58 AM message seems to imply that this feature will be added to some version released after 3.5. Does version 4 have this feature? If not, will some future version have this feature? I will fill out an official request for this feature, however I have little confidence that much credence is given to these requests.
  Message Edited by mroberson on01-15-201009:33 AM
  Like • Show 0 Likes0
  Actions
  - RSA Admin @ RSA Admin on Feb 9, 2010 3:25 PM
    Unfortunately the product does not have this feature yet. At least, I'm running enVision 4.0 SP2 and it's still the exact same state as it was in prior versions. Honestly, I think they might have had it on the radar at one point, which is why they made a comment about it, and for whatever unknown reason that thread has been removed. If memory serves me correctly, someone from RSA had responded to me indicating that i should look for this feature in an upcoming release. I suspect it didn't make the cut... well, I know it didn't, cause it's not in 4.0 SP2 (current release as of this writing), but I don't know why they would have pulled it from the thread.
    
    It's a slippery slope making reference to upcoming releases... they're damned if they do, damned if they don't.
    
    I know they'll get to it eventually. If you really need it now, I'd suggest making yourself a squeaky wheel, and voicing it up thorough your account manager and the feature request page.
    
    As an update, I've pretty much given up on emailing from enVision for most all things, and have resorted to a custom .cmd script that sits on the DSRV, driven by a scheduled task(s), that runs lsdata to extract what I want, then calls smtpsend.exe (you could also use blat.exe or any other cmd line smtp client) to send it to the recipient(s). It's much more reliable and stable, and with any script I call whatever variables I want to build the subject line, msg body, etc. I also set it up to only send an email if there are results to be sent. (something you think would be easy to build into enVision, but isn't there today) Not trying to sound crass, but I could really wait on product dev. Gotta do what you gotta do.
    
    cheers,
    ryan
    Like • Show 0 Likes0
    Actions
    - RSA Admin @ RSA Admin on Sep 3, 2010 5:50 PM
      Good info Ryan and thanks for sharing your experience, as someone pretty new to Envision it's good to know. Went ahead and added another request on this and will follow up with regional contact.
      
      ENV-32168 Enhancement Request: Changing Subject Line In Email Output Action
      
      Thanks,
      Ryan H
      Like • Show 0 Likes0
      Actions
      - RSA Admin @ RSA Admin on Aug 28, 2011 3:08 AM
        Hi All,
        Now its V4 SP4 it seems to me that no new update about that feature. Does any one know when it will be released?
        Like • Show 0 Likes0
        Actions
        scarielli @ RSA Admin on Aug 29, 2011 7:41 AM
        This is planned for 4.2.
        Like • Show 0 Likes0
        Actions
        RSA Admin @ scarielli on Nov 3, 2011 7:46 AM
        When is version 4.2 going to be released?
        Like • Show 0 Likes0
        Actions
RSA Admin Mar 1, 2010 6:44 PM
I know this is an Old post, but
I would like this capability too.

We are just getting into the requirements to alert on AD changes, It works, however we would like to customize the Subject line with the UserID and action at a minimum.

I am surprized that RSA enVision v4.0 SP 2 Build: 0288 still doesn't have this rudimentary configuration

Tim
Like • Show 0 Likes0
Actions
- madansudhindra @ RSA Admin on Apr 27, 2010 2:50 PM
  4.0 SP3 and still no customizable subject line for SMTP type alerts.
  Like • Show 0 Likes0
  Actions

Customize the Subject line in an SMTP Output Action or Template

Outcomes

Related Content

Recommended Content