If you have multiple recipients for correlation event alarms, you have to create from CC's action manager an action for each recipient or add multiple addresses to the action. Then when you want to verify later which correlation event sends email to which addresses, you have to look them up one by one in the action manager. This is really frustrating as the fields are in most cases identical and the only thing that in our case has to be different is the To-field text that contains the recipients' addresses. Would it be possible to create some sort of list of email addresses that you just click and add to the correlation event? So when adding an action to the correlation event, you would choose a generic email action and then add the recipients from, for example, a check box list? You could also use the user list that is in Sentinel's Users and Roles or create a custom list for those who don't have access to the system. With that you would have better visibility on the correlation event big picture at once from the GUI and you don't have to go to the CC to find out the recipients.

Comments

  • Jari, thanks for submitting this idea. We will look it over and let you know what our thoughts are. Or we may ask for additional information.

  • Also it would be nice if you could include the eventname or correlation rule name in the email subject. Now it is a fixed value defined in the action so in many cases we use the same action for multiple different correlation rules and you can't tell what the email is about just by looking at the subject.