Notification templates

Notification templates are used in alert generation notifications.

Notification template settings

Setting

Description

Name

Required setting.

Unique name of the resource. Must contain 1 to 128 Unicode characters.

Tenant

Required setting.

The name of the tenant that owns the resource.

Subject

Subject of the email containing the notification about the alert generation. In the email subject, you can refer to the alert fields.

Example: New alert in KUMA: {{.CorrelationRuleName}}. In place of {{.CorrelationRuleName}}, the subject of the notification message will include the name of the correlation rule contained in the CorrelationRuleName alert field.

Template

Required setting.

The body of the email containing the notification about the alert generation. The template supports a syntax that can be used to populate the notification with data from the alert. You can read more about the syntax in the official Go language documentation.

For convenience, you can open the email in a separate window by clicking the full-screen icon. This opens the Template window in which you can edit the text of the notification message. Click Save to save the changes and close the window.

Predefined notification templates.

The notification templates listed in the table below are included in the KUMA distribution kit.

Predefined notification templates.

Template name

Description

[OOTB] New alert in KUMA

Basic notification template.

Functions in notification templates

Functions available in templates are listed in the table below.

Functions in templates

Setting

Description

date

Takes the time in milliseconds (unix time) as the first parameter; the second parameter can be used to pass the time in RFC standard format. The time zone cannot be changed.

Example call: {{ date .FirstSeen "02 Jan 06 15:04" }}

Call result: 18 Nov 2022 13:46

Examples of date formats supported by the function:

  • "02 Jan 06 15:04 MST"
  • "02 Jan 06 15:04 -0700"
  • "Monday, 02-Jan-06 15:04:05 MST"
  • "Mon, 02 Jan 2006 15:04:05 MST"
  • "Mon, 02 Jan 2006 15:04:05 -0700"
  • "2006-01-02T15:04:05Z07:00"

limit

The function is called inside the range function to limit the list of data. It processes lists that do not have keys, takes any list of data as the first parameter and truncates it based on the second value. For example, the .Events, .Assets, .Accounts, and .Actions alert fields can be passed to the function.

Example call:

{{ range (limit .Assets 5) }}

<strong>Device</strong>: {{ .DisplayName }},

<strong>Creation date</strong>: {{ .CreatedAt }}

{{ end }}

link_alert

Generates a link to the alert with the URL specified in the SMTP server connection settings as the KUMA Core server alias or with the real URL of the KUMA Core service if no alias is defined.

Example call:

{{ link_alert }}

link

Takes the form of a link that can be followed.

Example call:

{{ link "https://support.kaspersky.com/KUMA/2.1/en-US/233508.htm" }}

Notification template syntax

In a template, you can query the alert fields containing a string or number:

{{ .CorrelationRuleName }}

The message will display the alert name, which is the contents of the CorrelationRuleName field.

Some alert fields contain data arrays. For instance, these include alert fields containing related events, assets, and user accounts. Such nested objects can be queried by using the range function, which sequentially queries the fields of the first 50 nested objects. When using the range function to query a field that does not contain a data array, an error is returned. Example:

{{ range .Assets }}

Device: {{ .DisplayName }}, creation date: {{ .CreatedAt }}

{{ end }}

The message will display the values of the DeviceHostName and CreatedAt fields from 50 assets related to the alert:

Device: <DisplayName field value from asset 1>, creation date: <CreatedAt field value from asset 1>

Device: <DisplayName field value from asset 2>, creation date: <CreatedAt field value from asset 2>

...

// 50 strings total

You can use the limit parameter to limit the number of objects returned by the range function:

{{ range (limit .Assets 5) }}

<strong>Device</strong>: {{ .DisplayName }},

<strong>Creation date</strong>: {{ .CreatedAt }}

{{ end }}

The message will display the values of the DisplayName and CreatedAt fields from 5 assets related to the alert, with the words "Devices" and "Creation date" marked with HTML tag <strong>:

<strong>Device</strong>: <DeviceHostName field value from asset 1>,

<strong>Creation date</strong>: <value of the CreatedAt field from asset 1>

<strong>Device</strong>: <DeviceHostName field value from asset N>,

<strong>Creation date</strong>: <CreatedAt field value from asset N>

...

// 10 strings total

Nested objects can have their own nested objects. They can be queried by using nested range functions:

{{ range (limit .Events 5) }}

    {{ range (limit .Event.BaseEvents 10) }}

    Service ID: {{ .ServiceID }}

    {{ end }}

{{ end }}

The message will show ten service IDs (ServiceID field) from the base events related to five correlation events of the alert. 50 strings total. Please note that events are queried through the nested EventWrapper structure, which is located in the Events field in the alert. Events are available in the Event field of this structure, which is reflected in the example above. Therefore, if field A contains nested structure [B] and structure [B] contains field C, which is a string or a number, you must specify the path {{ A.C }} to query field C.

Some object fields contain nested dictionaries in key-value format (for example, the Extra event field). They can be queried by using the range function with the variables passed to it: range $placeholder1, $placeholder2 := .FieldName. The values of variables can then be called by specifying their names. Example:

{{ range (limit .Events 3) }}

    {{ range (limit .Event.BaseEvents 5) }}

    List of fields in the Extra event field: {{ range $name, $value := .Extra }} {{ $name }} - {{ $value }}<br> {{ end }}

    {{ end }}

{{ end }}

The message will use an HTML tag<br> to show key-value pairs from the Extra fields of the base events belonging to the correlation events. Data is called from five base events out of each of the three correlation events.

You can use HTML tags in notification templates to create more complex structures. Below is an example table for correlation event fields:

<style type="text/css">

  TD, TH {

    padding: 3px;

    border: 1px solid black;

  }

</style>

<table>

  <thead>

    <tr>

        <th>Service name</th>

        <th>Name of the correlation rule</th>

        <th>Device version</th>

    </tr>

  </thead>

  <tbody>

    {{ range .Events }}

    <tr>

        <td>{{ .Event.ServiceName }}</td>

        <td>{{ .Event.CorrelationRuleName }}</td>

        <td>{{ .Event.DeviceVersion }}</td>

    </tr>

    {{ end }}

  </tbody>

</table>

Use the link_alert function to insert an HTML alert link into the notification email:

{{link_alert}}

A link to the alert window will be displayed in the message.

Below is an example of how you can extract the data on max asset category from the alert data and place it in the notifications:

{{ $criticalCategoryName := "" }}{{ $maxCategoryWeight := 0 }}{{ range .Assets }}{{ range .CategoryModels }}{{ if gt .Weight $maxCategoryWeight }}{{ $maxCategoryWeight = .Weight }}{{ $criticalCategoryName = .Name }}{{ end }}{{ end }}{{ end }}{{ if gt $maxCategoryWeight 1 }}

Max asset category: {{ $criticalCategoryName }}{{ end }}

Page top