
How To Create Custom Emails for ArcSight v1.0

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 3 min read

Summary:

This document outlines a method for customizing email alerts in ArcSight by editing two files in the `/ARCSIGHT_HOME/Manager/config/notifications` directory. The notification bodies are Velocity templates (the `.vm` files; the article calls the language Velocity Macro, or VM), and inside a template the event fields, which the article calls meta-tags, can be pulled into the message so that each alert type carries the details relevant to it. Key steps involve knowing the available ArcSight fields and their types, using the `#if` directive for comparisons, and creating new template files such as `Infosec.vm`. The article gives detailed instructions for modifying `Email.vm` and `Informative.vm` and for writing `Infosec.vm`, explains the string and integer comparison forms, and stresses that a field must be compared against a literal of a compatible type. The procedure is to log in to the ArcSight Manager host over SSH, change to the directory above, edit the files, and add or modify the specific lines listed. `Infosec.vm` is a template for event notifications with sections for Notification ID, Escalation Level, Source Details, Target Details, and Extra Information; it can be adapted for other alert types so that the critical information is conveyed clearly. The article also describes how recipients respond to a notification: by replying to the email, opening the event in the ArcSight Console, or managing the notification in myArcSight.

Details:

The article describes how to make ArcSight email alerts more readable by editing two files in the `/ARCSIGHT_HOME/Manager/config/notifications` directory: `Email.vm` and `Informative.vm`. These are Velocity templates (hence the `.vm` extension). Velocity is a Java-based template engine rather than a scripting language; the article refers to it as Velocity Macro (VM). Within a template, event fields, which the article calls meta-tags, are inserted into the message so that each alert type carries the details relevant to it. Before writing a template one must know the available ArcSight fields and their types (String, TimeStamp, Integer, and so on), because a comparison only behaves as expected between compatible types.

The article walks through modifying `Email.vm` and `Informative.vm` and creating a new template named `Infosec.vm`. `Email.vm` is made to dispatch on the `deviceProduct` field: if the value matches "InfoSec", `Infosec.vm` is used; if it matches "Fraud", `Fraud.vm` is used; otherwise the message falls back to `Informative.vm`. The comparison is written with the Velocity `#if` directive. For strings the form is

`#if( $introspector.getDisplayValue($event, "deviceProduct") == "InfoSec" )`

and for integer values `.value()` is appended to the lookup and the result is compared with a numeric literal, i.e. `#if( $introspector.getDisplayValue($event, "deviceProduct").value() == N )`, where N stands for the integer to match (the literal itself is not preserved in the article's excerpt). Note that `deviceProduct` is a String field, so in practice the `.value()` form belongs with numeric fields; comparing a field against a literal of the other type is the pitfall the article warns about when it says the meta-tags must be compatible with the statement.

The procedure is: log in to the ArcSight Manager host over SSH, change to the notifications directory, edit `Email.vm` to add the dispatch lines, and create the new template files such as `Infosec.vm`, adding or modifying the specific lines the article lists for each file. `Infosec.vm` defines the format and content of the notification sent when a matching event occurs in the monitored network. The template includes sections such as:

  • **Notification ID:** A unique identifier for the alert.

  • **Escalation Level:** The urgency level assigned to the event.

  • **Source Details:** Includes details like source address, hostname (if available), port information, and username.

  • **Target Details:** Information about the target, including its IP address, hostname, port, and username.

  • **Extra Information:** The transport protocol used and the count of base events behind the alert.

The example provided shows a sample notification with details such as:

  • Event type: Internal to External Port Scanning

  • Description: Internal to External Port Scanning Activity Detected; Investigate Business Need for Activity

  • Severity level: 2

  • Source Address: 10.0.26.37

  • Source Host Name: (blank)

  • Source Port: 0

  • Target Address: 224.0.0.13

  • Target Host Name: (blank)

  • Target Port: 1635

  • Transport Protocol: TCP

  • Base Event Count: 1

The template is designed to be customizable and can be modified for different types of notifications or events, ensuring that critical information is conveyed clearly and efficiently. Users are advised on how to respond to the notification, including options such as email reply, accessing the ArcSight Console, or using myArcSight for managing notifications.
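The following is an added example written for this page, not the article's or ArcSight's own template text. It shows the two pieces the article describes in one place: the dispatch block that goes into `Email.vm`, and a complete `Infosec.vm` body with the five sections listed above. It assumes that Velocity's standard `#parse` directive is how a body template is pulled in (the templates all live in the same notifications directory), that field names other than `deviceProduct` follow the standard ArcSight event schema (`priority`, `eventId`, `name`, `message`, `sourceAddress`, `sourceHostName`, `sourcePort`, `sourceUserName`, `targetAddress`, `targetHostName`, `targetPort`, `targetUserName`, `transportProtocol`, `baseEventCount`), that `.value()` on a numeric field's display value yields a number as the article states, and that 7 is an arbitrary escalation threshold chosen for illustration.

```velocity
## ---- Email.vm: dispatch section (added example, not ArcSight's file) ----
## Select the body template from the event's deviceProduct field.
## The string form compares the display value directly with a quoted
## literal; the match is exact and case-sensitive.
#set( $product = $introspector.getDisplayValue($event, "deviceProduct") )
#if( $product == "InfoSec" )
#parse("Infosec.vm")
#elseif( $product == "Fraud" )
#parse("Fraud.vm")
#else
#parse("Informative.vm")
#end

## ---- Infosec.vm: new body template (added example) ----
## Field names other than deviceProduct are assumed from the standard
## ArcSight event schema; confirm each against the Manager's field list.
#set( $priority = $introspector.getDisplayValue($event, "priority") )
#set( $srcHost  = $introspector.getDisplayValue($event, "sourceHostName") )
#set( $dstHost  = $introspector.getDisplayValue($event, "targetHostName") )
ArcSight InfoSec Notification
=============================
Notification ID : $introspector.getDisplayValue($event, "eventId")
Escalation Level: $priority
## Numeric comparison uses the .value() form; comparing the display
## string against a number would not match as intended. The threshold
## of 7 is an assumed value for this example.
#if( $priority.value() >= 7 )
*** High priority: escalate to the on-call analyst immediately ***
#end
Event Type      : $introspector.getDisplayValue($event, "name")
Description     : $introspector.getDisplayValue($event, "message")

Source Details
--------------
Address   : $introspector.getDisplayValue($event, "sourceAddress")
## Hostnames are often empty (no reverse lookup); say so explicitly
## rather than printing a blank an analyst may read as a rendering bug.
#if( "$!srcHost" == "" )
Host Name : (not resolved)
#else
Host Name : $srcHost
#end
Port      : $introspector.getDisplayValue($event, "sourcePort")
User Name : $!introspector.getDisplayValue($event, "sourceUserName")

Target Details
--------------
Address   : $introspector.getDisplayValue($event, "targetAddress")
#if( "$!dstHost" == "" )
Host Name : (not resolved)
#else
Host Name : $dstHost
#end
Port      : $introspector.getDisplayValue($event, "targetPort")
User Name : $!introspector.getDisplayValue($event, "targetUserName")

Extra Information
-----------------
Transport Protocol: $introspector.getDisplayValue($event, "transportProtocol")
Base Event Count  : $introspector.getDisplayValue($event, "baseEventCount")

To respond: reply to this email, open the event in the ArcSight Console,
or manage the notification in myArcSight.
```

Two practical notes. First, the `$!` quiet-reference form prints nothing when a field is null, which keeps an empty user name from rendering as the literal text `$introspector...` in the delivered mail. Second, every value in the message originates from device logs and is therefore attacker-influenced text; this template emits plain text, so no escaping is needed, but the same fields should not be reused unchanged in an HTML-bodied notification without escaping them.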

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.

