Notification Management
Last updated
Last updated
Notifications can be set manually or users can use the wizard to configure it.
The portal has a wizard that guides the users on how to configure important settings in the organization. For access to the wizard please click this icon on the top right side of the web page:
After clicking the wizard icon, the portal will redirect the users to the configuration steps. For notifications, please click the 3rd step and do the steps that are shown in the wizard.
To get notifications for notable events please go to the Rules & Policies -> Query Based Classifications. Please select the "Notable Events" on the artifact type sections search bar and make sure they are all enabled. If they are not enabled, click on the "..." button top left of the table.
After enabling the rules, please go to Settings & Reporting -> Notification Settings -> Notification Parameters. Create a new setting like below:
Go to "Settings & Reporting" -> "Notification Settings" -> "Notification Templates" and clone the existing templates by clicking the "..." button on the right side of the grid. The templates are categorized with tags, each tag refers to an analysis.
After finishing the editing, save the template and click on the "..." button again. Select "Assign to Notify Rule(s)". Select the rules and click the "Next" button at the top right. By default, we suggest "Threat Analytics: Windows Object and Honeypot Access Events", "Threat Analytics: Windows File Activity Analysis", "Threat Analytics: Windows Sysmon Threat Analysis", and "Windows: Windows Sysmon Analysis" rules, but users can add more or less. The demonstration is below:
Select the notification parameter that was just created and recheck the settings. If everything is okay, click on the "Assign" button. From now on, the portal will notify you if some notable event is captured.
To assign and create notifications for Critical and High-Risk events. Please navigate to "Notification Settings Templates" from Settings & Reporting. Choose "Notable Event Notification Template" and click "..." to select "Assign to Notify Rules(s) action. Once selected apply the filter "All: Notable Event" and select the rules to send the notifications. Initially selecting the "Critical Risk Notable Events" and "Malicious Events" is recommended. Follow these steps to configure notifications manually:
By default, Twilio SendGrid is used to send the e-mails. A custom e-mail server can be configured from "Settings & Reporting" -> "Organization Settings" -> "Mail Server".
The second step is to configure the notification parameters. The parameters can be configured for each notification type. The notification parameters are configured through "Settings & Reporting" -> "Notification Settings" -> "Notification Parameters".
Once the notification parameters are configured, "Notification Setting Templates" define the notification messages. The templates are assigned to "Classification Rules" with the type "Notify". To customize a template, please click the "…" button, select the clone, and then edit the cloned template. Through the "…" button, the template is assigned to the classification rules where an alert is to be generated.
Through classification rules, the notification messages can be customized further under the "Rules & Policies" -> "Artifact Classification" -> "Query Based Classification". Classification rules with the type "Notify on Match" is used to execute notifications.
