0 Replies Latest reply on Mar 10, 2016 11:02 AM by shage1966

    ProTip - SIEM Email Alerts in rich HTML format - Code included HERE!

    shage1966

      BACKGROUND: 

      I was tired of the super-simple Email alerts from McAfee ESM.  I found them hard to read on a PC and almost impossible on a mobile device.  I tried embedding HTML and inline CSS into the email message body and it worked well.  Below you will see that I create an HTML5 document object and make extensive use of inline style elements. 

      The templates I created work well on mobile devices as they have fluid table layouts.  I will try again to paste an image in the discussion (no luck so far).

       

      If you look at the document body past the closing </style> tag you will see the same data binding syntax as a normal Email template uses.   Modify to your liking.  Enjoy!

       

      NOTE:  There are 2 formats for this template:

      - ELM-style where there is a single alarm with a single event detail.

      - ACE-style where there is a single alarm with many event details.

       

      How to use:

      1. In ESM --> System Properties --> Alarms --> Settings --> Templates.

      2. Add a new Email Template

      3. Select the code from one of the template sections (not both!) below to your clipboard

      4. Paste into the Message Body of your new template

       

      ~~~~~~~~~ ELM-style Template Starts Here ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~

       

      <!DOCTYPE html>

      <html>

      <head>

        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

        <meta name="viewport" content="width=device-width, initial-scale=1.0"/>

      </head>

      <body>

        <style>

            html {

              text-rendering: optimizeLegibility !important;

              -webkit-font-smoothing: antialiased !important;

              position: relative;

            }

            body {

              font-family: sans-serif;

              font-size: 12px;

              position: relative;

            }

            div {

              position: relative;

            }

       

       

            .email_header {

              border-top: 1px solid #333;

              border-bottom: 1px solid #333;

              width: 1024px;

            }

            .email_sub_header {

              font-size: 13px;

              color: #333;

              width: 1024px;

            }

            .email_sub_header_2 {

              background-color: #888;

              font-size: 12px;

              width: 1024px;

            }

            .email_event_data {

              background-color: #eee;

              font-size: 11px;

              width: 1024px;

              padding: 2px;

            }

            .col1 {

              text-transform: uppercase;

              font-size: 12px;

              color: #555;

              text-indent: 2px;

            }

            .col2 {

              overflow: auto;

              font-size: 12px;

              text-transform: capitalize;

              color: #333;

            }

            .col1header {

              text-transform: uppercase;

              font-size: 12px;

              font-weight: 500;

              background-color: #444;

              color: #efefef;

              text-indent: 4px;

              padding-top: 3px;

              padding-bottom: 3px;

              width: 180px;

            }

            .col2header {

              text-transform: uppercase;

              font-size: 12px;

              font-weight: 500;

              background-color: #444;

              color: #efefef;

              text-indent: 4px;

              padding-top: 3px;

              padding-bottom: 3px;

            }

            .center {

              text-align: center;

            }

            .leftPane {

              width: 50%;

            }

            .test {

              width: 1024px;

              height: 20px;

            }

       

       

        </style>

       

       

      <table class="email_header">

        <tr>

          <td class="col1header">ELM ALARM</td>

          <td class="col2header">[$Alarm Name]</td>

        </tr>

        <tr>

          <td class="col1">ELM RULE</td>

          <td class="col2">[$Rule Message]</td>

        </tr>

        <tr>

          <td class="col1">SUMMARY</td>

          <td class="col2">[$Alarm Summary]</td>

        </tr>

         <tr>

          <td class="col1">ELM DEVICE</td>

          <td class="col2">[$Device Name]</td>

        </tr>

        <tr>

          <td class="col1" style="background-color: #fff;">TRIGGERED</td>

          <td class="col2" style="background-color: #fff;">[$Trigger Date]</td>

        </tr>

      </table>

       

       

      <table class="email_sub_header_2">

        <tr>

          <td class="center" style="font-size: 12px; font-weight: bold; color: #fff;">

            THIS IS A SINGLE ELM ALARM ALERT.   BELOW SHOULD BE A SINGLE ALARM THAT CAUSED THIS ALERT.

            <br>

            ELM: Enterprise Log Manager

          </td>

        </tr>

      </table>

      <br>

      <table class="email_header" style="background-color: #fcfcff;">

        <tr>

          <td class="col1header">ELM Device Name</td>

          <td class="col2header">[$Device Name]</td>

        </tr>

        <tr>

          <td class="col1" style="font-weight: 500;">ELM Rule</td>

          <td class="col2" style="font-weight: 800;">[$Rule Message]</td>

        </tr>

        <tr>

          <td class="col1">Alarm Summary</td>

          <td class="col2">[$Alarm Summary]</td>

        </tr>

        <tr>

          <td class="col1">

            <div style="color: #ff9900; font-weight: bold;">Event Count</div>

          </td>

          <td class="col2">

            <div style="color: #ff9900; font-weight: bold;">[$Event Count]</div>

          </td>

        </tr>

        <tr>

          <td class="col1">

            <div style="color: #ff9900; font-weight: bold;">Alarm Name</div>

          </td>

          <td class="col2">

            <div style="color: #ff9900; font-weight: bold;">[$Alarm Name]</div>

          </td>

        </tr>

        <tr>

          <td class="col1">

            <div style="color: #ff9900; font-weight: bold;">Alarm Severity</div>

          </td>

          <td class="col2">

            <div style="color: #ff9900; font-weight: bold;">[$Alarm Severity]</div>

          </td>

        </tr>

        <tr>

          <td class="col1">Type / Result</td>

          <td class="col2" style="text-transform: uppercase; font-weight: 800;">[$Event Subtype]</td>

        </tr>

        <tr>

            <td class="col1">Source IP</td>

            <td class="col2">[$Source IP]</td>

        </tr>

        <tr>

          <td class="col1">Source Name</td>

          <td class="col2">[$Source Name]</td>

        </tr>

        <tr>

          <td class="col1">Source User</td>

          <td class="col2">[$%UserIDSrc]</td>

        </tr>

       

       

        <tr>

          <td class="col1">Destination IP</td>

          <td class="col2">[$Destination IP]</td>

        </tr>

        <tr>

          <td class="col1">Destination Port</td>

          <td class="col2">[$Destination Port]</td>

        </tr>

        <tr>

          <td class="col1">Destination User</td>

          <td class="col2">[$UserIDDst]</td>

        </tr>

        <tr>

            <td class="col1">Protocol</td>

            <td class="col2" style="text-transform: uppercase;">[$Protocol]</td>

        </tr>

        <tr>

          <td class="col1">Application</td>

          <td class="col2" style="text-transform: uppercase;">[$%AppID]</td>

        </tr>

        <tr>

          <td class="col1">Command</td>

          <td class="col2" style="text-transform: uppercase;">[$%CommandID]</td>

        </tr>

        <tr>

            <td class="col1">First Time</td>

            <td class="col2">[$First Time]</td>

        </tr>

        <tr>

          <td class="col1">Last Time</td>

          <td class="col2">[$Last Time]</td>

        </tr>

        <tr>

            <td class="col1">Source Zone</td>

            <td class="col2" style="text-transform: uppercase;">[$%Source_Zone]</td>

        </tr>

        <tr>

          <td class="col1">Geo Source</td>

          <td class="col2">[$Geolocation Source]</td>

        </tr>

         <tr>

          <td class="col1">Geo Dest</td>

          <td class="col2">[$Geolocation Destination]</td>

        </tr>

         <tr>

            <td class="col1">URL</td>

            <td class="col2">[$%URL]</td>

        </tr>

        <tr style="border-bottom: 1px solid #ee8800;">

          <td class="col1">SigID</td>

          <td class="col2">[$Signature ID]</td>

        </tr>

       

      </table>

       

      <div class="test">&nbsp;</div>

       

        <div style="padding-top: 10px; font-size: 10px; color: #666;">

        ELM Single Alarm Template - HTML

        </div>

       

      </body>

      </html>

       

      ~~~~~~~ ELM-style Template End ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      ~~~~~~~ ACE-style Template Start ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

       

      <!DOCTYPE html>

      <html>

      <head>

        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

        <meta name="viewport" content="width=device-width, initial-scale=1.0"/>

      </head>

      <body>

        <style>

            html {

              text-rendering: optimizeLegibility !important;

              -webkit-font-smoothing: antialiased !important;

              max-width: 1200px;

              position: relative;

            }

            body {

              font-family: sans-serif;

              font-size: 14px;

            }

            .email_header {

              border-top: 1px solid #333;

              border-bottom: 1px solid #333;

              width: 100%;

              padding: 2px;

            }

            .email_sub_header {

              font-size: 13px;

              color: #333;

              width: 100%;

              padding: 2px;

            }

            .email_sub_header_2 {

              background-color: #eee;

              font-size: 12px;

              width: 100%;

              padding: 2px;

            }

            .email_event_data {

              background-color: #eee;

              font-size: 11px;

              width: 100%;

              padding: 2px;

            }

            .col1 {

              text-transform: uppercase;

              width: 120px;

              font-size: 12px;

              color: #666;

            }

            .col2 {

              width: 800px;

              color: #444;

            }

            .bigOrange {

              font-size: 16px;

              font-weight: bold;

              color: #Ff9900;

            }

            .center {

              text-align: center;

            }

       

       

        </style>

       

       

      <table class="email_header">

        <tr>

          <td class="col1">ACE ALARM</td>

          <td class="col2" style="color: #000; font-weight: bold">[$Alarm Name]</td>

        </tr>

        <tr>

          <td class="col1">ACE RULE</td>

          <td class="col2">[$Rule Message]</td>

        </tr>

        <tr>

          <td class="col1">SUMMARY</td>

          <td class="col2">[$Alarm Summary]</td>

        </tr>

         <tr>

          <td class="col1">ACE DEVICE</td>

          <td class="col2">[$Device Name]</td>

        </tr>

        <tr>

          <td class="col1" style="background-color: #fff;">TRIGGERED</td>

          <td class="col2" style="background-color: #fff;">[$Trigger Date]</td>

        </tr>

      </table>

       

       

      <table class="email_sub_header_2">

        <tr>

          <td class="center" style="font-size: 12px; font-weight: bold; color: #444;">

            THIS IS AN ACE MULTI-EVENT ALERT.   BELOW ARE THE INDIVIDUAL SOURCE EVENTS.

          </td>

        </tr>

      </table>

       

      [$REPEAT_START]

      [$SOURCE_EVENTS_START]

      <br>

      <table class="email_header" style="background-color: #f9f9ff;">

        <tr>

          <td class="col1" style="font-weight: 500;">ELM Device Name</td>

          <td class="col2" style="color: #222; font-weight: 800;">[$Device Name]</td>

        </tr>

        <tr>

          <td class="col1" style="font-weight: 500;">ELM Rule</td>

          <td class="col2" style="font-weight: 800;">[$Rule Message]</td>

        </tr>

        <tr>

          <td class="col1">Alarm Summary</td>

          <td class="col2">[$Alarm Summary]</td>

        </tr>

        <tr>

          <td class="col1">

            <div style="color: #ff9900; font-weight: bold;">Event Count</div>

          </td>

          <td class="col2">

            <div style="color: #ff9900; font-weight: bold;">[$Event Count]</div>

          </td>

        </tr>

        <tr>

          <td class="col1">Type/Result</td>

          <td class="col2" style="">[$Event Subtype]</td>

        </tr>

        <tr>

          <td class="col1">Source IP</td>

          <td class="col2">[$Source IP]</td>

        </tr>

       

        <tr>

          <td class="col1">Source Name</td>

          <td class="col2">[$Source Name]</td>

        </tr>

        <tr>

          <td class="col1">Source User</td>

          <td class="col2">[$%UserIDSrc]</td>

        </tr>

       

       

        <tr>

          <td class="col1">Destination IP</td>

          <td class="col2">[$Destination IP]</td>

        </tr>

        <tr>

          <td class="col1">Protocol</td>

          <td class="col2">[$Protocol]</td>

        </tr>

       

       

        <tr>

          <td class="col1">Destination Port</td>

          <td class="col2">[$Destination Port]</td>

        </tr>

        <tr>

          <td class="col1">Destination User</td>

          <td class="col2">[$UserIDDst]</td>

        </tr>

        <tr>

          <td class="col1">Application</td>

          <td class="col2">[$%AppID]</td>

        </tr>

        <tr>

          <td class="col1">Command</td>

          <td class="col2">[$%CommandID]</td>

        </tr>

       

       

        <tr>

          <td class="col1">First Time</td>

          <td class="col2">[$First Time]</td>

        </tr>

       

       

        <tr> 

          <td class="col1">Last Time</td>

          <td class="col2">[$Last Time]</td>

        </tr>

        <tr>

          <td class="col1">Source Zone</td>

          <td class="col2">[$%Source_Zone]</td>

        </tr>

        <tr>

          <td class="col1">Geo Source</td>

          <td class="col2">[$Geolocation Source]</td>

        </tr>

         <tr>

          <td class="col1">Geo Dest</td>

          <td class="col2">[$Geolocation Destination]</td>

        </tr>

         <tr>

          <td class="col1">URL</td>

          <td class="col2">[$%URL]</td>

        </tr>

        <tr>

          <td class="col1">SigID</td>

          <td class="col2">[$Signature ID]</td>

        </tr>

       

      </table>         

       

        [$SOURCE_EVENTS_END]

        [$REPEAT_END]

        <div style="padding-top: 10px; font-size: 10px; color: #666;">

        SigID: [$Signature ID]

        Template: Put your Template Name Here

        </div>

      </body>

      </html>

       

      ~~~~~~~~~ ACE-style Template End ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

       

      Message was edited by: Sheldon Hage
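
      A small pre-paste check for templates like the two above, added here as an example and not part of the original post or of McAfee ESM: it flags field tokens that are missing their closing bracket, unpaired `[$REPEAT_...]` / `[$SOURCE_EVENTS_...]` markers, and class names that have no rule in the `<style>` block. The function name `lint_template`, the token pattern (inferred from the `[$Field Name]` and `[$%CustomType]` forms used in the post) and the sample template are assumptions made for this example.

```python
import re
from html.parser import HTMLParser

OPENER = re.compile(r"\[\$")
TOKEN = re.compile(r"\[\$(%?[A-Za-z_][A-Za-z0-9_ ]*)\]")  # [$Field Name] or [$%Custom]
CSS_CLASS = re.compile(r"\.([A-Za-z_][\w-]*)\s*\{")
BLOCKS = ("REPEAT", "SOURCE_EVENTS")  # paired markers used in the ACE-style template

class ClassCollector(HTMLParser):
    """Collects every class name used in a class="..." attribute."""
    def __init__(self):
        super().__init__()
        self.used = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "class" and value:
                self.used.update(value.split())

def lint_template(text):
    """Return a list of problems found in an alarm e-mail template."""
    problems = []
    # 1. Every "[$" must start a complete "[$...]" token.
    for m in OPENER.finditer(text):
        if not TOKEN.match(text, m.start()):
            line = text.count("\n", 0, m.start()) + 1
            problems.append(f"line {line}: unterminated field token")
    # 2. Block markers must come in START/END pairs.
    names = TOKEN.findall(text)
    for block in BLOCKS:
        if names.count(block + "_START") != names.count(block + "_END"):
            problems.append(f"{block}_START/{block}_END are not paired")
    # 3. Every class used in the body needs a rule in the <style> block.
    css = " ".join(re.findall(r"<style>(.*?)</style>", text, re.S | re.I))
    collector = ClassCollector()
    collector.feed(text)
    for cls in sorted(collector.used - set(CSS_CLASS.findall(css))):
        problems.append(f"class '{cls}' has no CSS rule")
    return problems

# Constructed sample for this example, not the author's template.
SAMPLE = """<style>
.col1 { color: #555; }
.col2 { color: #333; }
</style>
<table>
[$REPEAT_START]
<tr><td class="col1">Summary</td><td class="cols2">[$Alarm Summary]</td></tr>
<tr><td class="col1">Command</td><td class="col2">[$%CommandID</td></tr>
</table>
"""

if __name__ == "__main__":
    for problem in lint_template(SAMPLE):
        print(problem)
```

      Run it over the template text before pasting it into the Message Body; an empty result means all three checks passed.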