Notification profiles
The Admin > Alarm Monitor > Notification Profiles page can be used to add, edit, and manage notification profiles, which can be used to add custom notifications to alarm policies.
Once created, a notification profile can be assigned to one or more alarm policies from the Admin > Alarm Monitor > Alarm Policies page. All notification actions defined in the profile will automatically be triggered whenever the policy is violated.
Note: Notification actions are only triggered if the alarm policy the profile is assigned to is set to Active or Store. The FA algorithm associated with the policy must also be enabled.
Creating a notification profile
To create a new notification profile, click the + button, enter a name (can be changed later) for it in the provided field, and click the Save button.
Hint: The notification profile management page can also be accessed directly from the tray when configuring notifications for an alarm policy.
Once saved, the profile will be added to the main view list and can be further configured.
Adding notification actions to a profile
To add notification actions to an existing profile, follow these steps:
1. Click the name of a notification profile to open the configuration tray.
2. Expand the Actions section of the tray and click the + button.
3. Use the dropdown to select the type of action to add.
4. Enter the additional details (based on the action type) in the provided fields.
   Hint: Use the listed variables to include additional details in notification messages or as arguments in custom scripts.
5. Use the Test button to verify that the action functions as intended.
6. Click the Add button to save the action to the notification profile.
To define additional actions in the same profile, repeat the steps as needed. Each notification profile can be configured with any number of actions in any combination.
Hint: To add notifications for custom report thresholds, set up a notification profile and assign it to the Report Threshold Violation alarm policy via the Admin > Alarm Monitor > Alarm Policies page.
Bulk actions
When one or more profiles are selected using the checkboxes in the main view, an action can be added to all selected profiles via the Bulk Actions button.
Notification profiles can also be deleted this way.
Notification actions
Each notification profile can be configured with any number of notification actions, all of which will be triggered when the associated alarm policy is violated.
Click on a notification action type below for additional details and configuration steps:
- Email event details to one or more specified users
- Output event details to a logfile
- Forward event details to a specified host via syslog
- Create an SNMP trap to report event details to a specified host
- Run any custom script and optionally use variables to pass event details as arguments
- Automatically acknowledge alarms/events under any specified policy (overrides data history setting)
- Create a ServiceNow ticket (with an optional API JSON script) for a configured ServiceNow instance
- Use a CEF notification to send event details to a specified host
Hint: Notification profiles can include multiple configurations of the same notification action type.
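The CEF action above sends event details as a single line in Common Event Format. The block below is an added example, not Plixer's or Scrutinizer's code: it builds a CEF line for a constructed alarm event, escapes the delimiters that event data (policy names, messages) can legitimately contain, and parses the header back to show the escaping round-trips. The vendor/product strings, the signature ID and the event fields are all constructed for the example; the CEF escaping rules themselves follow the CEF specification (backslash and pipe in header fields; backslash, equals sign and line breaks in extension values).

```python
"""Added example (not Plixer's code): build and parse a CEF line for an
alarm event. Vendor/product strings and the event fields are constructed."""
from typing import Dict, List, Tuple


def escape_header(value) -> str:
    """Escape a CEF header field: backslash and pipe are the delimiters."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value) -> str:
    """Escape a CEF extension value: backslash, '=' and line breaks.
    Escaping CR/LF keeps a multi-line event message on one CEF line."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(vendor, product, version, signature_id, name, severity: int,
           extension: Dict[str, str]) -> str:
    """Format as CEF:0|Vendor|Product|Version|SigID|Name|Severity|ext."""
    if not 0 <= severity <= 10:
        raise ValueError("CEF severity must be 0..10")
    header = "|".join(escape_header(v) for v in
                      (vendor, product, version, signature_id, name))
    ext = " ".join(f"{key}={escape_extension(val)}"
                   for key, val in extension.items())
    return f"CEF:0|{header}|{severity}|{ext}"


def parse_cef_header(line: str) -> Tuple[List[str], str]:
    """Split the seven header fields on unescaped pipes only; return
    (fields, raw_extension). Fails loudly on a truncated header."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped char: keep literal
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
            if len(fields) == 7:
                return fields, line[i + 1:]
        else:
            cur.append(ch)
        i += 1
    raise ValueError("malformed CEF header")


# Constructed sample event: the policy name carries a pipe and the message
# carries '=' and a line break, the three characters that need escaping.
SAMPLE_EVENT = {
    "policy": "Flow Analytics|Large Transfer",
    "message": "host=10.0.0.5 moved 12 GB in 5 min\nsee report",
    "violator": "10.0.0.5",
    "target": "203.0.113.9",
}


def build_sample_cef() -> str:
    """Render SAMPLE_EVENT with placeholder vendor/product values."""
    e = SAMPLE_EVENT
    return to_cef("ExampleVendor", "ExampleProduct", "1.0",
                  "alarm-policy", e["policy"], 5,
                  {"src": e["violator"], "dst": e["target"],
                   "msg": e["message"]})


if __name__ == "__main__":
    line = build_sample_cef()
    print(line)
    print(parse_cef_header(line))
```

The parser is included because a receiving SIEM does exactly this split: if the sender does not escape a pipe inside the policy name, the header shifts by one field and the severity lands in the wrong column. The `src`, `dst` and `msg` extension keys are standard CEF keys; the mapping from Scrutinizer's variables onto them is the example's own choice.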
Variables in notifications
When defining a notification action, the message sent can be customized to include additional event details passed through variables.
Note: The default %m variable used in notification messages will pass the event message generated by the alarm policy triggering the notification. Message formats by policy can be viewed via the policy management page.
The following table lists the variables available for use in notification messages or custom scripts:
- Event message generated by the alarm policy triggering the notification
- Alarm policy violated to trigger the notification
- IP address(es) of violating host(s) reported in the event
- URL to the relevant saved report (only available for the Report Threshold Violation alarm policy)
- IP address of the host (i.e., Plixer Scrutinizer server/reporter) sending the notification
- Resolved hostnames of violator addresses
- The log identifier for the event that triggered the notification
- Resolved hostname of the address sending the notification
- Username(s) associated with violating host(s)
- Timestamp of the event/violation that triggered the notification
- Protocol used in the violation, if applicable
- IP addresses of the host(s) targeted in the violation, if applicable
- MITRE ATT&CK framework ID of the tactic under which the violation is classified *
- MITRE ATT&CK tactic under which the violation is classified *
- Username(s) associated with targeted host(s)
- MITRE ATT&CK framework ID of the technique associated with the violation *
- MITRE ATT&CK technique associated with the violation *
- Alarm policy category of the violated policy
* © 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
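The variables above are substituted into the message text or into script arguments when the notification fires. The block below is an added example, not Scrutinizer's implementation, of how such a substitution can be done safely: it expands %-tokens in a single pass (so a token-like string inside an event value is never expanded again), strips control characters from values (so a multi-line event message cannot inject a second line into a one-line-per-event log), leaves unknown tokens visible rather than dropping them, and expands script arguments individually into an argv list for use without a shell. Only %m is documented on this page; the %p and %v tokens, the event field names, the sample event and the script path are assumptions made for the example.

```python
"""Added example (not Plixer's code): expand %-variables in a notification
template. %m is the token documented on the page; %p and %v are assumed."""
import re
from typing import Dict, List

# Token -> event field. Only "m" comes from the page; the others are assumed.
VARIABLES: Dict[str, str] = {"m": "message", "p": "policy", "v": "violator"}

TOKEN = re.compile(r"%([A-Za-z])")


def sanitize(value) -> str:
    """Replace CR/LF and other control characters with a space so an event
    value cannot forge an extra line in a logfile or syslog message."""
    return "".join(ch if ch >= " " and ch != "\x7f" else " "
                   for ch in str(value))


def expand(template: str, event: Dict[str, str],
           variables: Dict[str, str] = VARIABLES) -> str:
    """Single-pass substitution: re.sub does not rescan replacement text,
    so '%p' inside the event message stays literal. Unknown tokens or
    tokens whose field is missing are left unchanged."""
    def sub(match: "re.Match") -> str:
        field = variables.get(match.group(1))
        if field is None or field not in event:
            return match.group(0)
        return sanitize(event[field])
    return TOKEN.sub(sub, template)


def build_argv(script: str, arg_templates: List[str],
               event: Dict[str, str],
               variables: Dict[str, str] = VARIABLES) -> List[str]:
    """Expand each argument template separately and return an argv list
    for subprocess.run(argv) with shell=False, so a value containing ';',
    quotes or spaces is still delivered as exactly one argument."""
    return [script] + [expand(a, event, variables) for a in arg_templates]


# Constructed sample event: the message carries a token-like '%p' and a
# CR/LF followed by text that pretends to be a second event.
SAMPLE_EVENT = {
    "policy": "Large Transfer",
    "violator": "10.0.0.5",
    "message": "Large transfer from %p 10.0.0.5\r\nfake: all clear",
}


def expand_sample() -> str:
    """Render a message template against SAMPLE_EVENT (%z is unknown)."""
    return expand("[%p] %m (violator %v, unknown %z)", SAMPLE_EVENT)


def sample_argv() -> List[str]:
    """Build argv for an assumed custom script path (placeholder)."""
    return build_argv("/usr/local/bin/notify.sh", ["%p", "%m"], SAMPLE_EVENT)


if __name__ == "__main__":
    print(expand_sample())
    print(sample_argv())
```

Usage note: `expand_sample()` yields `[Large Transfer] Large transfer from %p 10.0.0.5  fake: all clear (violator 10.0.0.5, unknown %z)`; the CR/LF became two spaces, the `%p` inside the message stayed literal, and `%z` survived untouched so a typo in a template is visible in the delivered notification instead of silently producing an empty field. A custom script that receives these values as arguments should treat them as untrusted input in the same way, since hostnames and usernames in the event come from the observed traffic.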