
TECHNICAL NOTE

CONFIGURING CUSTOM EMAIL NOTIFICATIONS

AUGUST 2012

When configuring rules in STRM, you can specify that each time the rule generates a response, an email notification is sent to recipients providing useful information, such as event or flow properties. These properties are specified in the alert-config.xml file, which is the default template. To meet the requirements of your organization, you can customize the content included in the email notification rule response.

This technical note provides information on how to customize your email notifications.

Unless otherwise noted, all references to STRM refer to STRM, STRM Log Manager, and STRM Network Anomaly Detection. References to flows do not apply to STRM Log Manager.

This section includes the following topics:

• Customizing Email Notifications
• Example Configuration File
• Using Custom Parameters
• Accepted Parameters

Customizing Email Notifications

You must create a temporary directory in which you can safely edit your copy of the files, without risk of overwriting the default files. After you edit and save the alert-config.xml file, you must run a script that validates your changes. The validation script automatically applies your changes to a staging area, from where you can deploy the changes using the STRM user interface.

To customize email notifications:

Step 1 Using SSH, log into STRM as the root user.

Username: root
Password: <password>

Step 2 To create a new temporary directory, type the following command:

mkdir <directory_name>


Where <directory_name> is the name of the temporary directory you use to edit copies of the default files.

Step 3 To copy the files stored in the custom_alerts directory to the temporary directory, type the following command:

cp /store/configservices/staging/globalconfig/templates/custom_alerts/*.* <directory_name>

Where <directory_name> is the name of the directory you created in Step 2.

Step 4 Confirm the files were copied successfully:

a To list the files in the directory, type the following command: ls -lah

b Verify the following files are listed:

alert-config.xml
subject-default.vm
body-default.vm

Step 5 Open the alert-config.xml file.

For an example of the alert-config.xml file, see Example Configuration File.

Step 6 Optional. If you want to create multiple templates, copy the <template></template> property, including tags and the contents, and then paste it below the existing <template></template> property.

NOTE

You can add multiple templates; however, STRM supports only one event template and one flow template with the Active property set to true.

Step 7 Edit the contents of the <template></template> property:

a Specify the template type using the following XML property: <templatetype></templatetype>

Where the possible values are event and flow. This field is mandatory.

b Specify the template name using the following XML property: <templatename></templatename>

c Set the Active property to true: <active>true</active>

d Edit the Subject property, if required.

e Add or remove parameters from the Body property. For more information on accepted parameters, see Accepted Parameters.

f Repeat these steps for each template you want to add.

Step 8 Save and close the file.

Step 9 To validate your changes and deploy them to the staging area, type the following command:

/opt/qradar/bin/runCustAlertValidator.sh <directory_name>

Where <directory_name> is the name of the directory you created in Step 2.

If the script validates the changes successfully, the following messages are displayed:

File alert-config.xml was deployed successfully to staging!
File subject-customCalculate.vm was deployed successfully to staging!
File body-customCalculate.vm was deployed successfully to staging!

Step 10 Log in to the STRM user interface.

Step 11 Click the Admin tab.

Step 12 Select Advanced > Deploy Full Configuration.

Your custom email notifications are now complete. Rules that have an email notification set as the rule response will generate emails using the custom parameters you specified.

Example Configuration File

Example of the alert-config.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<templates>
  <template>
    <templatename>Default Event</templatename>
    <templatetype>event</templatetype>
    <active>true</active>
    <filename></filename>
    <subject>${RuleName} Fired</subject>
    <body>
The following is an automated response sent to you by the ${AppName} event custom rules engine:

${StartTime}

Rule Name: ${RuleName}
Rule Description: ${RuleDescription}
Source IP: ${SourceIP}
Source Port: ${SourcePort}
Source Username: ${UserName}
Source Network: ${SourceNetNoDefault}
Destination IP: ${DestinationIP}
Destination Port: ${DestinationPort}
Destination Username: ${DestinationUserName}
Destination Network: ${DestinationNetNoDefault}
Protocol: ${Protocol}
QID: ${Qid}
Event Name: ${EventName}
Event Description: ${EventDescription}
Category: ${Category}
DataSource ID: ${DeviceID}
Device Name: ${DeviceName}
Payload: ${Payload}
CustomPropertiesList: ${CustomPropertiesList}
    </body>
    <from></from>
    <to></to>
    <cc></cc>
    <bcc></bcc>
  </template>
</templates>

Using Custom Parameters

The accepted email notification parameters are listed in Table 1. To use the body.CustomProperty and body.CalculatedProperty parameters, you must first create a custom event or custom flow property. For more information, see the STRM Users Guide. Identify the property with one of the following options:

• Property Name - where <Property Name> is the name used to create the custom property.

• Universally Unique Identifier (UUID) - to locate the UUID for a custom property:

Step 1 Log in to the STRM user interface.

Step 2 Click the Admin tab.

Step 3 Click the Custom Event Properties or Custom Flow Property icon.

Step 4 Select the custom property you want to add to your custom email notification.

Step 5 Click Edit.

At the top of the Custom Event Property Definition or Custom Flow Property Definition window, the Uniform Resource Locator (URL) is displayed. The UUID is the character string that follows the id= parameter. In the following example, d3591e84-64eb-47e4-92f4-bc41155b81c7 is the UUID:

https://charger/console/do/qradar/arielProperties?appName=qradar&pageId=ArielPropertiesList&dispatch=edit&id=d3591e84-64eb-47e4-92f4-bc41155b81c7

Step 6 Edit the custom email notification template contained in the alert-config.xml file. For more information, see Customizing Email Notifications.

Step 7 Add one or both of the following lines to the alert-config.xml file:

body.CustomProperty("d3591e84-64eb-47e4-92f4-bc41155b81c7")
body.CalculatedProperty("d3591e84-64eb-47e4-92f4-bc41155b81c7")

Where d3591e84-64eb-47e4-92f4-bc41155b81c7 is the UUID you derived in Step 5 (or the property name, if you chose that option).

If you have configured custom properties and included custom parameters in your template, STRM will generate emails using the custom parameters you specified.

Accepted Parameters

The following parameters can be used in custom email notifications. Table 1 lists them by template type: common parameters apply to both event and flow templates; the other two columns apply to one template type each.

Table 1 Accepted Notification Parameters

Common Parameters:
• AppName
• RuleName
• RuleDescription
• EventName
• EventDescription
• EventProcessorId
• Qid
• Category
• RemoteDestinationIP
• Payload
• Credibility
• Relevance
• Source
• SourcePort
• SourceIP
• Destination
• DestinationPort
• DestinationIP
• DestinationUserName
• Protocol
• StartTime
• Duration
• StopTime
• EventCount
• SourceV6
• DestinationV6
• UserName
• DestinationNetwork
• SourceNetwork
• Severity
• CustomPropertiesList
• body.CustomProperty("<UUID | Property Name>")
• body.CalculatedProperty("<UUID | Property Name>")

Event Parameters:
• EventCollectorID
• DeviceEventId
• DeviceId
• DeviceName
• DeviceTime
• DstPostNATPort
• SrcPostNATPort
• DstMACAddress
• DstPostNATIPAddress
• DstPreNATIPAddress
• SrcMACAddress
• SrcPostNATIPAddress
• SrcPreNATIPAddress
• SrcPreNATPort
• DstPreNATPort

Flow Parameters:
• Type
• CompoundAppID
• FlowSourceIDs
• SourceASNList
• DestinationASNList
• InputIFIndexList
• OutputIFIndexList
• AppId
• Host
• Port
• SourceBytes
• SourcePackets
• Direction
• SourceTOS
• SourceDSCP
• SourcePrecedence
• DestinationTOS
• DestinationDSCP
• SourceASN
• DestinationASN
• InputIFIndex
• OutputIFIndex
• FirstPacketTime
• LastPacketTime
• TotalSourceBytes
• TotalDestinationBytes
• TotalSourcePackets
• TotalDestinationPackets
• SourceQOS
• DestinationQOS
• SourcePayload
• DestinationPayload
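The following script is an added example; it is not part of this technical note and not STRM code. It checks a customized alert-config.xml offline, before Step 9 of Customizing Email Notifications hands the file to runCustAlertValidator.sh, against the constraints stated in that procedure (template type, template name, at most one active event and one active flow template), the parameter list in Table 1, the body.CustomProperty/body.CalculatedProperty form from Using Custom Parameters, and it extracts the UUID from the edit URL shown there. What the real validator script checks is not documented in the note, so treating these as its rules is an assumption; it is also assumed that custom-property calls are written inside ${...} like the other parameters and that a $[...] reference is a typo for ${...}. The sample XML, the EDIT_URL constant and the function names are constructed for the example.

```python
"""Offline pre-check for a customized STRM alert-config.xml (added example).

Checks, before /opt/qradar/bin/runCustAlertValidator.sh is run: the file is
well-formed XML, <templatetype> is event or flow, <templatename> is set, at
most one event and one flow template is <active>true</active>, and every
${...} reference in <subject>/<body> is a Table 1 parameter valid for that
template type or a body.CustomProperty("...")/body.CalculatedProperty("...")
call.  The rules of the real validator script are assumed, not documented.
"""
import re
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

# Table 1 of the note, one set per column.
COMMON = set("""AppName RuleName RuleDescription EventName EventDescription
    EventProcessorId Qid Category RemoteDestinationIP Payload Credibility
    Relevance Source SourcePort SourceIP Destination DestinationPort
    DestinationIP DestinationUserName Protocol StartTime Duration StopTime
    EventCount SourceV6 DestinationV6 UserName DestinationNetwork
    SourceNetwork Severity CustomPropertiesList""".split())
EVENT = set("""EventCollectorID DeviceEventId DeviceId DeviceName DeviceTime
    DstPostNATPort SrcPostNATPort DstMACAddress DstPostNATIPAddress
    DstPreNATIPAddress SrcMACAddress SrcPostNATIPAddress SrcPreNATIPAddress
    SrcPreNATPort DstPreNATPort""".split())
FLOW = set("""Type CompoundAppID FlowSourceIDs SourceASNList DestinationASNList
    InputIFIndexList OutputIFIndexList AppId Host Port SourceBytes
    SourcePackets Direction SourceTOS SourceDSCP SourcePrecedence
    DestinationTOS DestinationDSCP SourceASN DestinationASN InputIFIndex
    OutputIFIndex FirstPacketTime LastPacketTime TotalSourceBytes
    TotalDestinationBytes TotalSourcePackets TotalDestinationPackets
    SourceQOS DestinationQOS SourcePayload DestinationPayload""".split())

REF_RE = re.compile(r"\$\{([^}]*)\}")      # ${Name}, the form used in the note
BAD_REF_RE = re.compile(r"\$\[[^\]]*\]")   # $[Name]: assumed to be a typo
# Assumption: custom-property calls sit inside ${...} like every other parameter.
CUSTOM_RE = re.compile(r'^body\.(CustomProperty|CalculatedProperty)\("[^"]+"\)$')

# The edit URL shown in the note; the UUID is its id= query parameter.
EDIT_URL = ("https://charger/console/do/qradar/arielProperties?appName=qradar"
            "&pageId=ArielPropertiesList&dispatch=edit"
            "&id=d3591e84-64eb-47e4-92f4-bc41155b81c7")

def uuid_from_edit_url(url):
    """Return the id= value of a custom-property edit URL, normalized by
    uuid.UUID; raises ValueError if it is missing or not a UUID."""
    return str(uuid.UUID(parse_qs(urlparse(url).query).get("id", [""])[0]))

def validate(xml_text):
    """Return a list of problem strings; an empty list means the file passes."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    problems, active = [], {"event": 0, "flow": 0}
    for n, tpl in enumerate(root.findall("template"), 1):
        ttype = (tpl.findtext("templatetype") or "").strip()
        name = (tpl.findtext("templatename") or "").strip()
        if ttype not in active:
            problems.append("template %d: templatetype must be event or flow" % n)
            continue
        if not name:
            problems.append("template %d: templatename is empty" % n)
        if (tpl.findtext("active") or "").strip().lower() == "true":
            active[ttype] += 1
        allowed = COMMON | (EVENT if ttype == "event" else FLOW)
        for field in ("subject", "body"):
            text = tpl.findtext(field) or ""
            for bad in BAD_REF_RE.findall(text):
                problems.append("%s/%s: %s uses $[ ] not ${ }" % (name, field, bad))
            for ref in REF_RE.findall(text):
                if ref not in allowed and not CUSTOM_RE.match(ref):
                    problems.append("%s/%s: unknown parameter ${%s}" % (name, field, ref))
    for ttype, count in active.items():
        if count > 1:
            problems.append("%d active %s templates; STRM allows only one" % (count, ttype))
    return problems

# Constructed sample: the note's Default Event template (shortened), a flow
# template with two mistakes, and a second active event template.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<templates>
<template><templatename>Default Event</templatename><templatetype>event</templatetype>
<active>true</active><filename></filename><subject>${RuleName} Fired</subject>
<body>Rule: ${RuleName} Source: ${SourceIP}:${SourcePort} Device: ${DeviceName}
Custom: ${body.CustomProperty("d3591e84-64eb-47e4-92f4-bc41155b81c7")}</body></template>
<template><templatename>Flow Alert</templatename><templatetype>flow</templatetype>
<active>true</active><subject>${RuleName} Fired</subject>
<body>$[StartTime] Bytes: ${TotalSourceBytes} MAC: ${SrcMACAddress}</body></template>
<template><templatename>Second Event</templatename><templatetype>event</templatetype>
<active>true</active><subject>${RuleName}</subject><body>${Payload}</body></template>
</templates>"""

if __name__ == "__main__":
    print("UUID from edit URL:", uuid_from_edit_url(EDIT_URL))
    for problem in validate(SAMPLE_XML) or ["alert-config.xml looks consistent"]:
        print(problem)
```

Run it against the copy in your temporary directory, not against the files under /store/configservices/staging, which the validator script writes. On the sample it reports the $[StartTime] reference, the event-only ${SrcMACAddress} used in a flow template, and the second active event template. Run on the note's own Example Configuration File it also flags ${DeviceID} (Table 1 spells it DeviceId) and ${SourceNetNoDefault}/${DestinationNetNoDefault} (absent from Table 1); whether STRM accepts those spellings is a question for runCustAlertValidator.sh, not something the note settles.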


1194 North Mathilda Avenue Sunnyvale, CA 94089 USA

408-745-2000

www.juniper.net

Copyright © 2012 Juniper Networks, Inc. All rights reserved.
