Notification profiles

The Admin > Alarm Monitor > Notification Profiles page can be used to add, edit, and manage notification profiles, which can be used to add custom notifications to alarm policies.

Once created, a notification profile can be assigned to one or more alarm policies from the Admin > Alarm Monitor > Alarm Policies page. All notification actions defined in the profile will automatically be triggered whenever the policy is violated.

Note

Notification actions are only triggered if the alarm policy it’s assigned to is set to Active or Store. The FA algorithm associated with the policy must also be enabled.

Creating a notification profile

To create a new notification profile, click the + button, enter a name (can be changed later) for it in the provided field, and click the Save button.

Hint

The notification profile management page can also be accessed directly from the tray when configuring notifications for an alarm policy.

Once saved, the profile will be added to the main view list and can be further configured.

Adding notification actions to a profile

To add notification actions to an existing profile, follow these steps:

  1. Click the name of a notification profile to open the configuration tray.

  2. Expand the Actions section of the tray and click the + button.

  3. Use the dropdown to select the type of action to add.

  4. Enter the additional details (based on the action type) in the provided fields.

    Hint

    Use the listed variables to include additional details in notification messages or as arguments in custom scripts.

  5. Use the Test button to verify that the action functions as intended.

  6. Click the Add button to save the action to the notification profile.

To define additional actions in the same profile, repeat the steps as needed. Each notification profile can be configured with any number of actions in any combination.

Hint

To add notifications for custom report thresholds, set up a notification profile and assign it to the Report Threshold Violation alarm policy via the Admin > Alarm Monitor > Alarm Policies page.

Bulk actions

When one or more profiles are selected using the checkboxes in the main view, an action can be added to all selected profiles via the Bulk Actions button.

Notification profiles can also be deleted this way.

Notification actions

Each notification profile can be configured with any number of notification actions, all of which will be triggered when the associated alarm policy is violated.

Click on a notification action type below for additional details and configuration steps:

Email

Email event details to one or more specified users

Logfile

Output event details to a logfile

Syslog

Forward event details to a specified host via syslog

SNMP Trap

Create an SNMP trap to report event details to a specified host

Script

Run any custom script and optionally use variables to pass event details as arguments

Auto Acknowledge

Automatically acknowledge alarms/events under any specified policy (overrides data history setting)

ServiceNow - Ticket

Create a ServiceNow ticket (with an optional API JSON script) for a configured ServiceNow instance

CEF

Use a CEF notification to send event details to a specified host

Hint

Notification profiles can include multiple configurations of the same notification action type.

Variables in notifications

When defining a notification action, the message sent can be customized to include additional event details passed through variables.

Note

The default %m variable used in notification messages will pass the event message generated by the alarm policy triggering the notification. Message formats by policy can be viewed via the policy management page.

The following table lists the variables available for use in notification messages or custom scripts:

%m

Event message generated by the alarm policy triggering the notification

%pol

Alarm policy violated to trigger the notification

%v

IP address(es) of violating host(s) reported in the event

%url

URL to the relevant saved report (only available for the Report Threshold Violation alarm policy)

%h

IP address of the host (i.e., Plixer Scrutinizer server/reporter) sending the notification

%v_resolved

Resolved hostnames of violator addresses

%id

The log identifier for the event that triggered the notification

%h_resolved

Resolved hostname of the address sending the notification

%violator_users

Username(s) associated with violating host(s)

%time

Timestamp of the event/violation that triggered the notification

%p

Protocol used in the violation, if applicable

%t

IP addresses of the host(s) targeted in the violation, if applicable

%tactic_id

MITRE ATT&CK framework ID of the tactic under which the violation is classified *

%tactic_name

MITRE ATT&CK tactic under which the violation is classified *

%target_users

Username(s) associated with targeted host(s)

%technique_id

MITRE ATT&CK framework ID of the technique associated with the violation *

%technique_name

MITRE ATT&CK technique associated with the violation *

%category

Alarm policy category of the violated policy

© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.