Skip to content

Sending notifications via email

Write notifications in TeskaLabs SP-Lang. If you're writing a notification for a detection, write the email notification in the trigger section.

Important

For notifications that send emails, you need to create an email template in the Library to connect with. This template includes the actual text that the recipient will see, with blank fields that change based on what the detected activity is (using Jinja templates), including which logs are involved in the detection, and any other information you choose. The notification section in the detection rule is what populates the blank fields in the email template. You can use a single email template for multiple detection rules.

Example:

Use this example as a guide. Click the icons to learn what each line means.

trigger: #(1)
  - notification: #(2)
      type: email #(3)
      template: "/Templates/Email/Notification.md" #(4)
      to: [email@example.com] #(5)
      variables: #(6)
        !DICT #(7)
        type: "{str:any}" #(8)
        with: #(9)
          name: Notification from the detection X #(10)
          events: !ARG EVENTS #(11)
          address: !ITEM EVENT client.address #(12)
          description: Detection of X by TeskaLabs LogMan.io #(13)

  1. Indicates the beginning of the trigger section.

  2. Indicates the beginning of the notification section.

  3. To send an email, write email for type.

  4. This tells the notification where to get the email template from. You need to specify the filepath (or location) of the email template in the Library. In this example, the template is in the Library, in the Templates folder, in the Email subfolder, and it’s called Notification.md.

  5. Write the email address where you want the email to go.

  6. Begins the section that gives directions for how to fill the blank fields from the email template.

  7. An SP-Lang expression that creates a dictionary so you can use key-value pairs in the notification. (The key is the first word, and the value is what follows.) Always include !DICT.

  8. Always make type "{str:any}" so that the values in the key-value pairs can be in any format (numbers, words, arrays, etc.).

  9. Always include with, because it begins the list of fields from the email template. Everything nested under with is a field from the email template.

  10. The name of the detection rule, which should be understandable to the recipient

  11. events is the key, or field name, and !ARG EVENTS is an SP-Lang expression that lists the logs that caused a positive detection from the detection rule.

  12. address is the key, or field name, and !ITEM EVENT client.address gets the value of the field client.address from each log that caused a positive detection from the detection rule.

  13. Your description of the event, which needs to be very clear and accurate

Populating the email template

name, events, address, and description are fields in the email template in this example. Always make sure that the keys you write in the with section match the fields in your email template.

notification and email template comparison

The fields name and description are static text values - they stay the same in every notification.

The fields events and address are dynamic values - they change based on which logs caused a positive detection from the detection rule. You can write dynamic fields using TeskaLabs SP-Lang.

Refer to our directions for creating email templates to write templates that work correctly as notifications.