Notification templates

Resource settings

Notification template resources are used in alert generation notifications.

Notification template resource settings:

• Name (required)—a unique name for this type of resource. Must contain from 1 to 128 Unicode characters.
• Tenant (required)—name of the tenant that owns the resource.
• Subject (required)—subject of the email containing the notification about the alert generation. In the email subject, you can refer to the alert fields.

  Example: New alert in KUMA: {{.CorrelationRuleName}}. In place of {{.CorrelationRuleName}}, the subject of the notification message will include the name of the correlation rule contained in the CorrelationRuleName alert field.

• Template (required)—the body of the email containing the notification about the alert generation. The template supports a syntax that can be used to populate the notification with data from the alert.

  For convenience, you can open the email in a separate window by clicking the icon. This opens the Template window in which you can edit the text of the notification message. Click Save to save the changes and close the window.

Notification template syntax

In a template, you can query the alert fields containing a string or number:

{{ .CorrelationRuleName }}

The message will display the alert name, which is the contents of the CorrelationRuleName field.

Some alert fields contain data arrays. For instance, these include alert fields containing related events, assets, and user accounts. Such nested objects can be queried by using the range function, which sequentially queries the fields of the first 50 nested objects. When using the range function to query a field that does not contain a data array, an error is returned. Example:

{{ range .Assets }} Device: {{ .DisplayName }}, creation date: {{ .CreatedAt }} {{ end }}

The message will display the values of the DeviceHostName and CreatedAt fields from 50 assets related to the alert:

Device: <DisplayName field value from asset 1>, creation date: <CreatedAt field value from asset 1> Device: <DisplayName field value from asset 2>, creation date: <CreatedAt field value from asset 2> ... // 50 strings total

You can use the limit parameter to limit the number of objects returned by the range function:

{{ range (limit .Assets 5) }} <strong>Device</strong>: {{ .DisplayName }}, <strong>Creation date</strong>: {{ .CreatedAt }} {{ end }}

The message will display the values of the DisplayName and CreatedAt fields from 5 assets related to the alert, with the words "Devices" and "Creation date" marked with HTML tag <strong>:

<strong>Device</strong>: <DeviceHostName field value from asset 1>, <strong>Creation date</strong>: <value of the CreatedAt field from asset 1> <strong>Device</strong>: <DeviceHostName field value from asset N>, <strong>Creation date</strong>: <CreatedAt field value from asset N> ... // 10 strings total

Nested objects can have their own nested objects. They can be queried by using nested range functions:

{{ range (limit .Events 5) }}     {{ range (limit .Event.BaseEvents 10) }}     Service ID: {{ .ServiceID }}     {{ end }} {{ end }}

The message will show ten service IDs (ServiceID field) from the base events related to five correlation events of the alert. 50 strings total. Please note that events are queried through the nested EventWrapper structure, which is located in the Events field in the alert. Events are available in the Event field of this structure, which is reflected in the example above. Therefore, if field A contains nested structure [B] and structure [B] contains field C, which is a string or a number, you must specify the path {{ A.C }} to query field C.

Some object fields contain nested dictionaries in key-value format (for example, the Extra event field). They can be queried by using the range function with the variables passed to it: range $placeholder1, $placeholder2 := .FieldName. The values of variables can then be called by specifying their names. Example:

{{ range (limit .Events 3) }}     {{ range (limit .Event.BaseEvents 5) }}     List of fields in the Extra event field: {{ range $name, $value := .Extra }} {{ $name }} - {{ $value }}<br> {{ end }}     {{ end }} {{ end }}

The message will use an HTML tag<br> to show key-value pairs from the Extra fields of the base events belonging to the correlation events. Data is called from five base events out of each of the three correlation events.

You can use HTML tags in notification templates to create more complex structures. Below is an example table for correlation event fields:

<style type="text/css">   TD, TH {     padding: 3px;     border: 1px solid black;   } </style> <table>   <thead>     <tr>         <th>Service name</th>         <th>Name of the correlation rule</th>         <th>Device version</th>     </tr>   </thead>   <tbody>     {{ range .Events }}     <tr>         <td>{{ .Event.ServiceName }}</td>         <td>{{ .Event.CorrelationRuleName }}</td>         <td>{{ .Event.DeviceVersion }}</td>     </tr>     {{ end }}   </tbody> </table>

Use the link_alert function to insert an HTML alert link into the notification email:

{{link_alert}}

A link to the alert window will be displayed in the message.

Page top