Creating a notification
You can create notifications so that users receive an alert when a specified event occurs.
To create a new notification, click New Notification on the Notifications tab. To edit a notification, click the notification name. You can enter or edit the following fields.
- Name your notification. Enter a name that is meaningful and descriptive to users when they are deciding whether to enable this notification.
- If editing a notification, you can choose to enable or disable the notification by clicking the Status toggle.
- Select the type of notification. Choices include Incident, Task, Note, API Key, Artifact, Attachment, and Milestone.
- Select the type of users (as they relate to the type of notification) to receive the
notification. If you select Added Members or Added Owners, those members or owners who are being
added to the object also receive the notification. If you select Removed Member or Removed Owners,
those members or owners who are being removed from the object also receive the notification.
For API keys, users who have the API Keys permission automatically receive the notification.
- You can also choose to notify other users.
- Notify users. Click in the field to select one or more users within your SOAR organization.
Note: A username in red means that the user is deactivated and cannot receive notifications.
- Notify others. Enter email addresses of people or groups. Use a comma, space, or newline to separate multiple email addresses. You must enter the body of the email in Step 6 or this field is ignored.
- Choose a condition that causes the system to send the notification. Select only one of the
following two options.
- Send a notification when an object of the type that you selected in Step 2 is created or removed. If you selected Incident in Step 2, you cannot select when the object is removed.
- Click Add Condition. Select a field, the operation, and the value that
causes the condition to be true. For example, you can send notifications whenever there is an
incident with compromised data by setting the condition to Data Compromised
(field) is equal to (operation) Yes (value). You can
add multiple conditions, where ALL conditions must be true to generate the notification.
For API Key, you can choose to send a notification when the API Key is locked (too many failed login attempts) or when the API key expires.
The following table describes some of the available operators.

| Operator | Description |
| --- | --- |
| is created | Condition is True when the object is created. |
| is added [a] | Condition is True when the value [a] is added. |
| is equal to [a, b, c] | Condition is True when the values [a, b, c] are the only ones present. It must be an exact match. |
| contains [a, b, c] | Condition is True when at least the values [a, b, c] are present. There can be more, but no less. |
| has one of [a, b, c] | Condition is True when at least one of the values [a, b, c] is present. |
| has a value | Condition is True when the object has a value. |
- If you are sending email notifications, configure the following fields.
- Check the box to send an email to the users selected in steps 3 and 4 by default. Otherwise, users do not receive an email unless they choose to be notified by checking the email icon on their My Settings page.
- Enter a subject line for the email notification. This field is required if you check the Users should receive an email by default option. You can use substitution variables as described in Using substitution values.
Important: Using a substitution value in the subject field of an email notification can significantly increase the volume of emails if the substitution value results in multiple different email subjects, because a separate email notification is sent for each email subject. For example, a notification that sends a single email when no substitution value is used sends 200 email notifications if you add a substitution value that results in 200 different email subjects.
- Enter the message body. You can use substitution variables as described in Using substitution values.
The notification email provides a link to the incident only if the user's email address has permission to view that incident.
- If you are sending system notifications, configure the following fields.
- Check the box to send the notification to the users who are selected in steps 3 and 4 by default. Otherwise, users do not receive a notification unless they choose to be notified by checking the notification icon on their My Settings page.
- Enter the notification body. You can use substitution variables as described in Using substitution values.
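
The operator table in the condition step is easiest to check against a concrete object before a rule goes live. The following Python example is an added illustration, not SOAR product code: it models the four state-based operators (is equal to, contains, has one of, has a value) and the rule that ALL conditions must be true. The field names and the sample incident are constructed assumptions, and the event-based operators (is created, is added) are left out.

```python
# Added illustration of the documented operator semantics; not product code.
# Field names and the sample incident below are constructed for the example.

def _as_set(value):
    """Normalize a field value to a set; None or '' means 'no value'."""
    if value is None or value == "":
        return set()
    if isinstance(value, (list, tuple, set, frozenset)):
        return set(value)
    return {value}

OPERATORS = {
    # Exact match: the listed values are the only ones present.
    "is equal to": lambda have, want: have == want,
    # At least the listed values are present; extras are allowed.
    "contains": lambda have, want: want <= have,
    # At least one of the listed values is present.
    "has one of": lambda have, want: bool(have & want),
    # The field holds any value at all.
    "has a value": lambda have, want: bool(have),
}

def condition_true(obj, field, operator, values=()):
    """Evaluate one (field, operator, values) condition against an object."""
    return OPERATORS[operator](_as_set(obj.get(field)), _as_set(values))

def should_notify(obj, conditions):
    """A notification is generated only when ALL conditions are true."""
    return all(condition_true(obj, *cond) for cond in conditions)

# Constructed sample incident with a multi-select field and an empty field.
SAMPLE_INCIDENT = {
    "data_compromised": "Yes",
    "incident_type": ["Malware", "Phishing", "Lost device"],
    "owner": None,
}

if __name__ == "__main__":
    rule = [
        ("data_compromised", "is equal to", "Yes"),
        ("incident_type", "has one of", ["DoS", "Phishing"]),
    ]
    print("notify:", should_notify(SAMPLE_INCIDENT, rule))
    # 'is equal to' fails on a multi-select field that holds an extra value.
    print(condition_true(SAMPLE_INCIDENT, "incident_type",
                         "is equal to", ["Malware", "Phishing"]))
```

The case worth noting is a multi-select field: a rule written with is equal to stops matching as soon as an analyst adds one more value, while contains keeps matching.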