Tutorial: Create a Policy to Send Emails Triggered by Events

Applies to Product: USM Appliance™ AlienVault OSSIM®

For certain important events, you may want a notification sent to you or your team immediately. This process describes how to create the policies that enable these notices.

Create an Action to Send Email

The following procedure shows how to create the action to send an email as a result of your policy. For the emails to be sent successfully, you must also be sure to set up the mail relay server. For further information, see Configure Mail Relay in USM Appliance.

To create an action to send an email

  1. Go to Configuration > Threat Intelligence, and click the ACTIONS tab.
  2. Click New.
  3. Fill out all of the required fields. In the TYPE field, select Send an email message.
  4. To send the message to multiple recipients, enter their email addresses in the TO field, separated with a semicolon (;).
  5. Click Save to save your changes when finished.

    New Actions page with Send an email message highlighted for Type.

Create Conditions to Trigger an Email

This procedure configures the conditions for when certain external events target a specific server in your network.

To create policy conditions for external events

  1. Go to Configuration > Threat Intelligence > Policy > Default Policy Group and select New.
  2. From the Policy Conditions section, choose your source.
  3. Select the IP address of the critical server as the asset for the destination policy condition. In this example, we are using 172.16.0.1.

    Policy Configuration page with a critical server highlighted.

  4. Click Add More Conditions, and select Reputation as a policy condition.
  5. Change the Reputation Parameters values as follows:

    1. Activity — Select Malicious Host.
    2. Priority — Select > 4.
    3. Reliability — Select > 8.
    4. Direction — Select Destination, because you want to detect any attacks on the server whose IP address you used as a Destination condition.
  6. Click Add New.

    Policy Configuration page with Destination selected for Policy Conditions section.

    You can now see both the Destination and Reputation in the upper part of the page.

Assign the Action as a Consequence

This procedure shows how to link the action to send the email as a consequence.

To create a consequence consisting of an action

  1. Go to Configuration > Threat Intelligence > Policy.
  2. Select the desired policy rule and click the Modify button.
  3. Scroll down the page and expand the Policy Consequences section.
  4. In the Actions section, select which action you want to assign from the Available Actions section on the right.

  5. Add it by clicking the plus (+) sign, or by dragging it to the Active Actions section.

    Assign Policy Actions

  6. Click the Update Policy button to save your changes and exit the policy modify page.
  7. Click the Reload Policies button on the main policies page to refresh and display the changes.

    Reset Properties in Policy

  8. Move the policy to a desired position on the list. See Policy Order and Grouping for details.
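The following Python model, added here as an illustration and not part of USM Appliance or OSSIM, shows how the conditions built above (destination asset 172.16.0.1 plus the Reputation parameters) combine to trigger the email action assigned as the consequence. The event field names, the way reputation data is attached to an event, and the sample events are assumptions constructed for the example.

```python
# Added example (not USM Appliance/OSSIM code): a small model of how the policy
# built in this tutorial combines its conditions and which consequence results.
# Field names and the reputation representation are assumptions for illustration.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

CRITICAL_SERVER = ip_address("172.16.0.1")   # destination asset from the tutorial
EMAIL_ACTION = "Send an email message"       # the action created in the first section


@dataclass
class Event:
    src_ip: str
    dst_ip: str
    rep_activity: Optional[str] = None  # reputation activity of the flagged IP, if any
    rep_priority: int = 0
    rep_reliability: int = 0
    rep_direction: str = ""             # side of the event the reputation data refers to


def conditions_match(ev: Event) -> bool:
    """True when the event satisfies every condition set in the tutorial's policy."""
    # Destination condition: the event must target the critical server.
    if ip_address(ev.dst_ip) != CRITICAL_SERVER:
        return False
    # Reputation condition with the parameters chosen in the tutorial. Note the
    # strict comparisons: priority 4 or reliability 8 do not match.
    return (
        ev.rep_activity == "Malicious Host"
        and ev.rep_priority > 4
        and ev.rep_reliability > 8
        and ev.rep_direction == "destination"
    )


def consequences(events: List[Event]) -> List[str]:
    """Return the action triggered for each matching event, in order."""
    return [EMAIL_ACTION for ev in events if conditions_match(ev)]


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    Event("203.0.113.7", "172.16.0.1", "Malicious Host", 6, 9, "destination"),  # matches
    Event("203.0.113.7", "172.16.0.1", "Malicious Host", 4, 9, "destination"),  # priority not > 4
    Event("203.0.113.7", "172.16.0.2", "Malicious Host", 6, 9, "destination"),  # other server
    Event("203.0.113.7", "172.16.0.1", "Scanning Host", 6, 9, "destination"),   # other activity
]

if __name__ == "__main__":
    print(consequences(SAMPLE_EVENTS))   # ['Send an email message']
```

Only the first sample event produces the email; the boundary cases show that a priority of exactly 4 or a different server do not match.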

Related Video Content

To view other related training videos, click here.