5 Replies Latest reply on Feb 14, 2014 4:49 PM by rth67

    Alarm Email Contents

    kmallein

      Hi all

       

      I'm trying to get an alarm from a correlation rule I made to give me information in an email. In the email template I don't see any options to tell me if a user was added or deleted. But in the Source Events tab it tells me. How can I get that information into the alarm email? See below.

       

       

      Source_Event.JPG

        • 1. Re: Alarm Email Contents
          rth67

          We created several Correlation rules to look for different things, User added to a privileged group, removed from a privileged group, etc.

           

          These then are associated to an alarm; the "Rule Message" tells us whether it was an Add or a Remove operation.

           

          The body of the custom Alarm Template consists of the following:

           

          [$REPEAT_START]
          [$Rule Message]

          Time : [$First Time]

          Admin: [$%UserIDSrc]

          User : [$%UserIDDst]

          AD Group : [$%ObjectID]

          Domain: [$%DomainID]

          Signature ID: [$Signature ID]

          [$REPEAT_END]

           

          Message was edited by: rth67 on 2/3/14 9:39:48 AM CST
          • 2. Re: Alarm Email Contents
            kmallein

            Does your alarm give you the actual User information in the email?

             

            I have that User : [$%UserIDDst] in the template and that field is always blank.

             

            In your correlation rule do you have something that looks at just users?

            • 3. Re: Alarm Email Contents
              rth67

              Yes the alarm email we receive has both the user who made the change, and the user being changed.

              The ACE Correlation Rules which trigger the alarm look like this:

               

              User Added to Privileged Group

              Group By: Destination User

              Filter Logic

                   Signature ID (In) [43-263047280,43-263047320,43-263047560]

                   ObjectID (In) [Privileged AD Groups] (This is a Watchlist - "object" that includes the Administrators, DnsAdmins, Domain Admins, Enterprise Admins, Schema Admins)

                   Event Subtype (In) [success]

                   UserIDSrc (Not In) [DOMAIN_CONTROLLERS_SOURCE_USER] (This is a watchlist of our DC's names with the $ on the end as the source user - to avoid replicated events)

               

              The second correlation rule for "User Removed from Privileged Group" is basically the same, the only exception is the Signature ID's being monitored:

                   Signature ID (In) [43-2630477290,43-263047330,43-263047570]

               

              We are currently running version 9.3.1

              • 4. Re: Alarm Email Contents
                dcobes

                This is great info! I love when people will share alarm email templates and correlation rules.

                 

                One question for rth67: in your email template, what is the purpose of [$REPEAT_START] and [$REPEAT_END]? Does this essentially say add all details between start and stop for each event that triggers (if more than one event)?

                 

                -d

                • 5. Re: Alarm Email Contents
                  rth67

                  The "Repeat Start" and "Repeat End" are to allow for multiple results in one email.

                  Let's say your Alarm is set to only email once an hour but multiple events happen in that hour; the repeat function allows the details from all events to be placed into the body of the email.
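The correlation rule in reply 3 and the repeat block explained in reply 5 together describe one small pipeline: filter the group-membership events on signature ID, privileged-group watchlist, success subtype and a DC machine-account exclusion, group the hits by destination user, then expand the alarm template once per event so an hourly email carries every change in that hour. The Python script below is an added example that simulates that pipeline; it is not McAfee ESM code and not rth67's rule. The signature IDs, the privileged-group watchlist members and the template body are copied from the thread; the DC names, the sample events and the blank-for-missing-field behaviour are constructed assumptions. One caveat for anyone copying the removal rule: its first signature ID is reproduced verbatim from the post and has one more digit than its neighbours, so confirm it against your own ESM signature list before relying on it.

```python
"""Simulate the ACE correlation rules and the [$REPEAT_START]/[$REPEAT_END]
alarm template from the thread. Constructed example, not ESM code."""
import re
from collections import defaultdict

# Watchlists. The privileged-group members are the ones rth67 lists; the DC
# machine-account list is a constructed stand-in for DOMAIN_CONTROLLERS_SOURCE_USER.
PRIVILEGED_AD_GROUPS = {"Administrators", "DnsAdmins", "Domain Admins",
                        "Enterprise Admins", "Schema Admins"}
DOMAIN_CONTROLLERS_SOURCE_USER = {"DC01$", "DC02$"}  # constructed names

# Correlation rules as posted (both use Group By: Destination User).
# Observation, not stated in the thread: the trailing digits of the IDs
# line up with Windows event IDs 4728/4732/4756 (member added) and
# 4729/4733/4757 (member removed) times ten.
ADD_RULE = {
    "Rule Message": "User Added to Privileged Group",
    "Signature ID": {"43-263047280", "43-263047320", "43-263047560"},
}
REMOVE_RULE = {
    "Rule Message": "User Removed from Privileged Group",
    # Copied verbatim from the post; the first ID has an extra digit compared
    # with its siblings, so verify it against your own ESM signature list.
    "Signature ID": {"43-2630477290", "43-263047330", "43-263047570"},
}


def matches(event, rule):
    """The posted Filter Logic: all four conditions must hold."""
    return (event["Signature ID"] in rule["Signature ID"]
            and event["ObjectID"] in PRIVILEGED_AD_GROUPS
            and event["Event Subtype"] == "success"
            and event["UserIDSrc"] not in DOMAIN_CONTROLLERS_SOURCE_USER)


def correlate(events, rule):
    """Return {destination user: [matching events]}, i.e. the rule's Group By."""
    groups = defaultdict(list)
    for ev in events:
        if matches(ev, rule):
            groups[ev["UserIDDst"]].append(ev)
    return dict(groups)


# Custom alarm template body from reply 1.
ALARM_TEMPLATE = """[$REPEAT_START]
[$Rule Message]
Time : [$First Time]
Admin: [$%UserIDSrc]
User : [$%UserIDDst]
AD Group : [$%ObjectID]
Domain: [$%DomainID]
Signature ID: [$Signature ID]
[$REPEAT_END]"""

_REPEAT = re.compile(r"\[\$REPEAT_START\](.*?)\[\$REPEAT_END\]", re.DOTALL)
_FIELD = re.compile(r"\[\$%?([^\]]+)\]")  # [$Name] and [$%Name] both map to Name


def render_alarm(template, rule, events):
    """Expand the repeat block once per event, the way the thread describes an
    hourly alarm collecting every event from that hour into one body.
    A field the event does not carry renders as an empty string (assumption)."""
    def expand(block, ev):
        fields = dict(ev, **{"Rule Message": rule["Rule Message"]})
        return _FIELD.sub(lambda m: str(fields.get(m.group(1), "")), block)

    return _REPEAT.sub(lambda m: "".join(expand(m.group(1), ev) for ev in events),
                       template)


def _ev(sig, subtype, src, dst, group, when):
    """Build a constructed event in the field shape the template uses."""
    return {"Signature ID": sig, "Event Subtype": subtype, "UserIDSrc": src,
            "UserIDDst": dst, "ObjectID": group, "DomainID": "CORP",
            "First Time": when}


# Constructed sample events covering each branch of the filter.
SAMPLE_EVENTS = [
    _ev("43-263047280", "success", "jdoe", "svc-backup", "Domain Admins", "02/03/2014 09:12:00"),
    # Same change replicated by a DC: source user is a DC machine account -> excluded.
    _ev("43-263047320", "success", "DC01$", "svc-backup", "Domain Admins", "02/03/2014 09:12:05"),
    # Non-privileged group -> ignored.
    _ev("43-263047280", "success", "jdoe", "asmith", "Marketing", "02/03/2014 09:20:00"),
    # Failed attempt -> Event Subtype is not "success".
    _ev("43-263047280", "failure", "jdoe", "asmith", "Administrators", "02/03/2014 09:21:00"),
    # Removal from a privileged group -> matches the second rule only.
    _ev("43-263047330", "success", "jdoe", "bjones", "Enterprise Admins", "02/03/2014 09:30:00"),
    # A second addition to the same target user within the hour.
    _ev("43-263047560", "success", "mlee", "svc-backup", "Schema Admins", "02/03/2014 09:45:00"),
]

if __name__ == "__main__":
    for rule in (ADD_RULE, REMOVE_RULE):
        for dst, evs in correlate(SAMPLE_EVENTS, rule).items():
            print(f"--- {rule['Rule Message']} alarm for {dst} ---")
            print(render_alarm(ALARM_TEMPLATE, rule, evs))
```

Running it prints one body per (rule, destination user) pair: the add rule yields a single email for svc-backup with two repeated sections (jdoe and mlee as Admin), the replicated DC01$ copy never appears, and the removal rule yields one section for bjones. The DC exclusion is the detail most worth keeping when adapting this: without it every membership change shows up once per domain controller that replicates it.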