Customize the email and ticket notifications generated by the Active Response playbook.
You can customize the following notifications and information sent by the Active Response playbook:
- The subject and body text of email or ticket notifications sent by the playbook to potential service owners.
- The subject and body text of email or ticket notifications sent to the service owner after an alert was resolved by automated remediation.
- The Jira project key that will be associated with any Jira tickets created by the playbook.
In addition to specifying the text to include in notifications, you can also include system variables. Variables let you include the alert-specific information that your organization uses in its workflow.
Customizing the playbook notifications is optional. If you do not customize the notifications, the playbook will use the default text and formats described in Active response templates.
The following steps explain how to customize the Active Response playbook notifications. All of these fields use plain text. See Supported Variables in Active Response Notifications for the list of variables that can be used in notifications.
1. Navigate to → .
2. In the Email/Ticketing Notification Subject field, enter the text to be used in the subject field of emails and ticketing notifications sent to service owners.
3. In the Email/Ticketing Notification Body field, enter the text to be used in the body of emails or ticket notifications sent by the playbook to potential service owners.
4. In the Automated Remediation Subject field, enter the text to be used in the subject field of email and ticketing notifications sent to service owners after remediation.
5. In the Automated Remediation Body field, enter the text to be used in the body of email or ticket notifications sent by the playbook to service owners after remediation.
6. In the Jira Project Key field, enter the Jira project key to be used for any tickets created or updated by the playbook.
Supported Variables in Active Response Notifications
Use variables in custom Active Response email and ticketing notifications to generate notifications with alert-specific information.
The following system variables can be used in the body of Active Response email and ticketing notifications. Copy the value from the Variable Name field (including the $) and paste it into your custom notification.
Variable Name | Description | Example |
---|---|---|
${alert.asmattacksurfacerulecategory} | Category associated with the Attack Surface Rule | Remote Access Services |
${alert.name} | Name of the ASM alert | RDP Server at x.x.x.x |
${alert.details} | Details related to the ASM alert | Remote Desktop Protocol (RDP) servers provide remote access to a computer over a network connection. Externally accessible RDP servers pose a significant security risk as they are frequent targets for attackers and can be vulnerable to a variety of documented exploits. |
${alert.asmremediation.action} | Summary of the remediation action that was taken | Closed service port from internet. |
${alert.asmremediation.outcome} | Summary of the remediation outcome | Success |
${alert.asmserviceowner.name} | Name of service owner. Either name or email will be present. | John Smith |
${alert.asmserviceowner.email} | Email of the service owner. | jsmith@xpanse.com |
${alert.asmserviceowner.source} | Where the service owner was found based on data from integrations | AWS |
${Remediation Guidance} | Guidance for remediation of the ASM alert | Recommendations to reduce the likelihood of malicious RDP attempts are as follows: |
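
The following Python check is an added example, not part of the product or its documentation: it validates a custom notification template offline against the variable names in the table above before the text is pasted into a notification field, and renders a local preview using the table's example values. The function names `lint_template` and `preview` and the preview behaviour are assumptions of this example; the playbook itself performs the real substitution.

```python
import re

# Variable names copied from the table above.
SUPPORTED = {
    "alert.asmattacksurfacerulecategory",
    "alert.name",
    "alert.details",
    "alert.asmremediation.action",
    "alert.asmremediation.outcome",
    "alert.asmserviceowner.name",
    "alert.asmserviceowner.email",
    "alert.asmserviceowner.source",
    "Remediation Guidance",
}

# Example values from the table, for the local preview only.
SAMPLE = {
    "alert.name": "RDP Server at x.x.x.x",
    "alert.asmattacksurfacerulecategory": "Remote Access Services",
    "alert.asmremediation.action": "Closed service port from internet.",
    "alert.asmremediation.outcome": "Success",
    "alert.asmserviceowner.name": "John Smith",
}

TOKEN = re.compile(r"\$\{([^{}]*)\}")                      # well-formed ${...}
MALFORMED = re.compile(r"\$\{[\w.]*|\$[A-Za-z][\w.]*")     # "${x" or "$x"


def lint_template(text):
    """Return a sorted list of problems found in a notification template."""
    problems = set()
    for name in TOKEN.findall(text):
        if name not in SUPPORTED:
            problems.add(f"unsupported variable: ${{{name}}}")
    # With well-formed tokens removed, a remaining "$name" or "${name"
    # is a reference missing its braces or its closing brace.
    for m in MALFORMED.finditer(TOKEN.sub("", text)):
        problems.add(f"malformed variable reference: {m.group(0).rstrip('.')!r}")
    return sorted(problems)


def preview(text):
    """Substitute sample values locally; names without a sample stay as-is."""
    return TOKEN.sub(lambda m: SAMPLE.get(m.group(1), m.group(0)), text)
```

Run `lint_template` on each subject and body text before saving it; an empty list means every variable reference matches a documented name exactly.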