

Set Notification Defaults

Notification details in a rule specify the notification content but not its destinations. For example, you can set the email subject line and body text, but not the delivery addresses, which are controlled by notification destinations. This separation lets you define standard content once (in details) and deliver it to various recipients (through destinations).

You can include any combination of the available notification types in a single rule's notification details.

To set notification details

  1. Open the correlation rule wizard, enter the required rule definitions, and advance to the Notification Details step.
  2. Select the Email tab and use the following steps to add email notification information:
    a. Enter a subject line for the notification email.
    b. (Optional) When entering text in either field of the Email tab, you can use the Data Fields drop-down list and the Add button to insert data field variables. For example, you could choose agent_address and click Add.

      "%agent_address%" appears in the text field. When a rule generates an email, the value of the agent_address field is displayed in place of the variable.

    c. Enter the message body for the notification email.

      Note: The message body is constructed in HTML, so all text you enter appears on one line. To create a break after a line, enter <BR/> at the end of the line of text.

  3. Select the Process tab and use the following steps to add CA IT PAM process parameters:
    a. Enter the name of an IT PAM process to which you want to pass incident information, such as:
      /CA_ELM/EventAlertOutput

    b. Click Add Parameter to specify a parameter and its value.

      The Add Process Parameter dialog appears.

    c. Type a parameter name in the Name field, 'Severity' for example.
    d. Define a value by typing in the value area, or by selecting a CEG field from the drop-down list and clicking Add data field. Event information from the CEG field you specify is passed to the named parameter. Continuing the example from the previous step, you could select 'event_severity' to present the value of the event_severity field as the IT PAM Severity parameter.
    e. Repeat steps a-c to add additional parameters and values as needed.
    f. When you have added all the CEG fields you want for the current parameter, click OK.

      Note: You can type text and add multiple CEG fields as needed to define a parameter. For example, if you want to define the Description parameter for a notification used with an account guessing rule, you could enter:

      This incident reports four failed logins by %dest_identity_unique_name% on %dest_hostname% within 10 minutes.

      The %value% structure is the result of selecting a CEG field and using the Add data field button as described in step b.

  4. Select the SNMP tab and use the following steps to add SNMP trap settings:
    a. Adjust the Custom Trap ID as required by your SNMP transmission target.
    b. Enter the name of a CEG field that you want to send in the entry area. Typing in the field narrows the available choices in the drop-down list as you type.
    c. Click Add.
    d. The CEG field name appears in the selected fields area. Any event information in that field is sent for rules using this notification template. You must specify at least one CEG field.
    e. Repeat steps b-c to send additional CEG fields.
  5. Click the appropriate arrow to advance to the wizard step you want to complete next, or click Save and Close.

    If you click Save and Close, the new rule appears in the appropriate folder; otherwise, the step you chose appears.
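The following Python block is an added illustration, not CA Enterprise Log Manager's own code, of how the %field% placeholders described in the steps above are resolved against a CEG event at notification time. The event values are constructed, and the HTML escaping of substituted values in the email body is an assumption added here for safety; the page does not state whether the product escapes event data.

```python
import html
import re

# Constructed sample CEG event. Field names are the ones used on this page
# (agent_address, dest_identity_unique_name, dest_hostname, event_severity);
# the values are made up for the example.
SAMPLE_EVENT = {
    "agent_address": "10.0.0.12",
    "dest_identity_unique_name": "jsmith",
    "dest_hostname": "fileserver01",
    "event_severity": "5",
}

# Matches a %field_name% placeholder as inserted by the Add data field button.
PLACEHOLDER = re.compile(r"%([A-Za-z0-9_]+)%")


def render_template(template, event, escape_html=False):
    """Replace every %field% placeholder with the event's value for that field.

    Returns (rendered_text, missing_fields). A placeholder naming a field that
    is not in the event is left untouched and reported, so a typo in a rule's
    template shows up in the output instead of producing a blank notification.
    With escape_html=True the substituted values are HTML-escaped, so event
    data that a remote party controls (a user name, a hostname) cannot inject
    markup into the HTML email body, while the template's own <BR/> tags stay.
    """
    missing = []

    def substitute(match):
        name = match.group(1)
        if name not in event:
            missing.append(name)
            return match.group(0)
        value = str(event[name])
        return html.escape(value, quote=True) if escape_html else value

    return PLACEHOLDER.sub(substitute, template), missing


def render_email_body(template, event):
    # The email body is HTML (see the <BR/> note above), so escape values.
    return render_template(template, event, escape_html=True)


def render_process_parameter(template, event):
    # IT PAM process parameters are plain strings; no HTML escaping applies.
    return render_template(template, event, escape_html=False)
```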

More information:

About Correlation Rules

About Incident Notifications

How to Create a Notification Destination