In the Template tab, enter the alert text. In addition to fixed test, you can send data related to the triggered alert or its log records.
|
Name |
Description |
|---|---|
|
{ANALYTICS_RULE_NAME} |
The name of the analytics rule. |
|
{ANALYTICS_RULE_DESCRIPTION} |
A description of the analytics rule. |
|
{NAME} |
The name of a specific triggered alert. |
|
{TIME} |
The time when the analytics rule was triggered. |
|
{TRIGGERED_ALERTS_NUMBER} |
The number of triggered alerts. |
|
{FIRST_TRIGGERED_ALERT_TIME} |
The time when the first triggered alert occurred. |
|
{LAST_TRIGGERED_ALERT_TIME} |
The time when the last triggered alert occurred. |
|
{TRIGGERED_ALERTS_NAMES} |
The list of triggered alert names if grouping is used. |
|
{FIRST_EVENT_TIME} |
The time of the first event included in the triggered alert for the analytics rule. |
|
{LAST_EVENT_TIME} |
The time of the last event included in the triggered alert for the analytics rule. |
|
{THREAT_LEVEL} |
The specified threat level. |
|
{CATEGORY} |
The category to which the triggered alert belongs. |
|
{PRIORITY} |
The priority of the triggered analytics rule alert. |
|
{ADMINISTRATOR_NAME} |
The name of the administrator who created the analytics rule. |
|
{USER_NAME} |
The username. |
|
{SOURCE_ZONE} |
The source zone. |
|
{DESTINATION_ZONE} |
The destination zone. |
|
{SOURCE_COUNTRY} |
The source country. |
|
{DESTINATION_COUNTRY} |
The destination country. |
|
{SOURCE_IP} |
The source IP address. |
|
{SOURCE_PORT} |
The source port. |
|
{DESTINATION_IP} |
The destination IP address. |
|
{DESTINATION_PORT} |
The destination port. |
|
{SOURCE_ZONE_ALL} |
The source zones of all events that caused the triggered alert. |
|
{DESTINATION_ZONE_ALL} |
The destination zones of all events that caused the triggered alert. |
|
{SOURCE_COUNTRY_ALL} |
The source countries of all events that caused the triggered alert. |
|
{DESTINATION_COUNTRY_ALL} |
The destination countries of all events that caused the triggered alert. |
|
{SOURCE_IP_ALL} |
The source IP addresses of all events that caused the triggered alert. |
|
{SOURCE_PORT_ALL} |
The source port numbers of all events that caused the triggered alert. |
|
{DESTINATION_IP_ALL} |
The destination IP addresses of all events that caused the triggered alert. |
|
{DESTINATION_PORT_ALL} |
The destination port numbers of all events that caused the triggered alert. |
Note
The field is case-sensitive. The parameter names must be entered in UPPERCASE in curly brackets (as shown in the table).
To send data related to the triggered alert, enter the corresponding parameter name from the table into the text field in the Template tab. For example, if you enter {ANALYTICS_RULE_NAME}, the email, SMS, or webhook alert text will show the name of the triggered analytics rule. If you fill in the template at the time of configuring the Create incident action, the text will be displayed in the incident description.