How To Create Custom Emails for ArcSight v1.0

  • Writer: Pavan Raja
  • Apr 8, 2025

Summary:

The document focuses on enhancing email notification templates for ArcSight Manager, specifically customizing the `Email.vm` and `Informative.vm` files or creating a new template (`Infosec.vm`) to improve readability and relevance based on device product type. It explains how to use conditional statements in Velocity Macro (VM) scripting to call the appropriate secondary template and which meta-tags to include for detailed information retrieval. The process involves editing configuration files, understanding ArcSight meta-tags, and using correct syntax to avoid unexpected behavior. Key points:

  1. Navigate to the `/ARCSIGHT_HOME/Manager/config/notifications` directory.

  2. Edit `Email.vm` to call secondary templates based on `deviceProduct` meta-tag values.

  3. Customize `Informative.vm` to loop through event meta-tags for better readability.

  4. Create or edit `Infosec.vm` to include specific details such as source and target addresses, ports, usernames, and transport protocols from events.

  5. Use placeholders of the form `$introspector.getDisplayValue($event,"fieldName")` for dynamic data insertion.

  6. Provide methods (reply via email, log into the ArcSight Console, or access `myArcSight`) to acknowledge notifications.

Details:

The default email messages sent by ArcSight Manager are often plain, cluttered, and hard to read. To fix this, customize the alerts by editing two files in the /$ARCSIGHT_HOME/Manager/config/notifications directory: Email.vm (the master template) and Informative.vm (the default secondary template). Email.vm is the master template that calls a specific secondary template based on the value of the deviceProduct meta-tag. Informative.vm loops through the event meta-tags and prints every populated one on its own line; by editing it, only the relevant meta-tags are shown in a more readable layout. Alternatively, create a new secondary template such as Infosec.vm to achieve the same goal.

To make sure specific event details are returned accurately, you need to understand ArcSight meta-tags and the Velocity Macro scripting language. The #if statement syntax differs depending on whether you are comparing string or integer variables; for details refer to pg. 33 of FlexAgentConfig.pdf. Getting this wrong leads to unexpected behavior.

The steps for modifying the templates `Email.vm`, `Informative.vm`, and `Infosec.vm` so that the notification system handles different device products are:

  1. **Login and Access**: Use a secure shell client such as PuTTY to log into the Manager, then switch to the user account under which ArcSight runs (e.g., su to arcsight).

  2. **Navigate to Directory**: Change to the directory where notifications are configured: `/$ARCSIGHT_HOME/Manager/config/notifications`.

  3. **Edit `Email.vm`**: Open `Email.vm` in a text editor (such as vi) and add conditional statements using `#if` and `#elseif` to check the value of `deviceProduct`:

  • If `deviceProduct` is "InfoSec", include `Infosec.vm`.

  • If `deviceProduct` is "Fraud", include `Fraud.vm`.

  • Otherwise, use the default template `Informative.vm`.

  4. **Edit `Informative.vm`**: Open `Informative.vm` for editing and make any necessary modifications.

  5. **Create or Edit `Infosec.vm`**: If `Infosec.vm` does not exist, create it with a text editor. Then add the following details:

  • Complete Event Details

  • Threat Details including Name, Description, Severity, Source Address, Host Name, and Port.

  6. **Save and Close Files**: Save all modified files and close the text editor. The notifications are now tailored to specific device products, making the information in each one clearer and more relevant.

The structure of an Infosec.vm template used for event notifications covers details such as source and target addresses, ports, usernames, transport protocols, and other relevant information from the event. The template uses placeholders like `$introspector.getDisplayValue($event,"fieldName")`, which are populated dynamically from the event being reported. For example:

  • **Source Details**: Includes source address (10.0.26.37), hostname, port (0), and username (xxxx).

  • **Target Details**: Includes target address (224.0.0.13), hostname, port (1635), and username (not specified).

  • **Extra Information**: Includes transport protocol used (TCP) and the count of base events (1).

The template is designed to be flexible for various event types, and new or existing `.vm` files can be adjusted in the same way. The sample demonstrates an internal port scanning event, with details like the event type ("Internal to External Port Scanning"), description, severity, source address, and target information as listed above.

The message also explains how to acknowledge a notification, which confirms that you have received and understood the alert. There are three ways to acknowledge:

  1. Reply directly to the email, making sure to include the unique ID mentioned in the alert in your response.

  2. Log into the ArcSight Console via a web browser and click the notification button at the bottom of the status bar.

  3. Open myArcSight and navigate to the My Notifications Acknowledgment page at https://xxxx:9443/arcsight/app?service=page/NotifyHome, where you can view the full details of the alert before acknowledging it.
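The two templates described above, written out as an added example (my code, not the page's own files or the templates shipped with ArcSight): a master Email.vm that dispatches on deviceProduct, followed by a secondary Infosec.vm that prints the threat, source, target and extra details. Both are shown in one block for reading only; in practice each goes in its own file. It assumes that Velocity's #parse resolves a secondary template by bare file name from the notifications directory, that the standard ArcSight ESM field names (sourceAddress, targetPort, transportProtocol, baseEventCount, and so on) are what $introspector.getDisplayValue expects, and that Description maps to "message" and Severity to "agentSeverity"; those two mappings are assumptions.

```velocity
## ===== Email.vm (master template) =====
## Read deviceProduct through the $introspector placeholder the page describes
## and hand off to a secondary template with Velocity's #parse directive.
## Assumption: the secondary .vm files sit in the same notifications directory,
## so #parse can resolve them by bare file name.
## String literals in #if comparisons are quoted; numeric literals are not.
#set($product = $introspector.getDisplayValue($event, "deviceProduct"))
#if($product == "InfoSec")
#parse("Infosec.vm")
#elseif($product == "Fraud")
#parse("Fraud.vm")
#else
## Default: the generic template that loops through every event meta-tag.
#parse("Informative.vm")
#end

## ===== Infosec.vm (secondary template) =====
## Prints "Label: value", or "(not specified)" when the field is empty.
## The method is called directly inside #if rather than stored with #set,
## because Velocity leaves a #set target unchanged when the right-hand side
## is null, which would silently repeat the previous field's value.
#macro(field $label $fieldName)
#if($introspector.getDisplayValue($event, $fieldName) && $introspector.getDisplayValue($event, $fieldName) != "")
$label: $introspector.getDisplayValue($event, $fieldName)
#else
$label: (not specified)
#end
#end

==== Threat Details ====
#field("Name", "name")
## Assumption: the event's "message" field carries the description text.
#field("Description", "message")
## Assumption: "agentSeverity" is the severity value wanted here.
#field("Severity", "agentSeverity")

==== Source Details ====
#field("Address", "sourceAddress")
#field("Host Name", "sourceHostName")
#field("Port", "sourcePort")
#field("User Name", "sourceUserName")

==== Target Details ====
#field("Address", "targetAddress")
#field("Host Name", "targetHostName")
#field("Port", "targetPort")
#field("User Name", "targetUserName")

==== Extra Information ====
#field("Transport Protocol", "transportProtocol")
#field("Base Event Count", "baseEventCount")

To acknowledge: reply to this email quoting the unique ID in the alert, or open
https://xxxx:9443/arcsight/app?service=page/NotifyHome (xxxx = your Manager host).
```

The `field` macro is what makes the "(not specified)" output for the empty target username possible: a bare `$introspector.getDisplayValue(...)` reference would print nothing, or the literal reference text, for an empty field. The deviceProduct comparison uses a quoted literal because it is a string; this is the string-versus-integer distinction the post refers to FlexAgentConfig.pdf for, and mixing the two is the usual cause of a branch that never matches.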

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.
