Changes to Security Monitor email notifications

Document created by Laurence Leccia (Employee) on Jun 25, 2015. Last modified by Ori Kanfer on Oct 1, 2015. Version 6.

On July 30, 2015 we are improving the Security Monitor email notifications. The new format of the Security Monitor email notification has significant changes in:

  • Subject line
  • Dimension information
  • Priority field
  • Metrics field

 

Customers who have automated the processing of these notification emails must update their parsing automation in order to properly interpret the new email format after this change, which goes into effect on July 30, 2015.

 

The full changes are listed below. For each element of the email, "Earlier format" shows the Security Monitor notification email before the change, "New format" shows it after the change, and "Notes" explains the difference.

Subject line
  Earlier format: New Akamai Alert: "Requests Denied greater than 60 per min" - RP:Security_Monitor
  New format: New Akamai Alert: Security_Monitor (Notification: Requests Denied greater than 60 per min)
  Notes: For the email subject line, the format and positioning of substrings has changed. The subject line will contain what is configured by the user as the email subject. If the user does not configure anything, then it provides the Security Monitor configuration name as seen on Luna followed by the "Notification name".

Body
  Notes: All the fields in the Body are fixed in ADMS and currently not changeable.

Service Name
  Earlier format: Service Name: Security Monitor
  New format: Service Name: Security Monitor
  Notes: This is fixed and currently not changeable.

Start Time
  Earlier format: Start Time: Fri, Apr 17, 17:58 GMT 2015
  New format: Start Time: Fri, Apr 17, 17:58 GMT 2015
  Notes: When the alert was sent by Akamai.

OBSERVATION:
  Earlier format: OBSERVATION:
  New format: OBSERVATION:
  Notes: The data part is configurable globally (changes apply to all customers).

Notification name
  Earlier format: name: Requests Denied greater than 60 per min
  New format: Notification: Requests Denied greater than 60 per min(id:2220)
  Notes: What was titled "name" earlier is replaced by "Notification" and provides the name of the notification as configured in Security Monitor by the user; the name is followed by Security Monitor's internal id in parentheses for reference by the Security Monitor team.

reportpack
  Earlier format: reportpack: [name_of_reportpack]
  New format: (field removed)
  Notes: The "reportpack" field has been deleted; the same value is available instead in the "alert_name_key" field.

id_key
  Earlier format: id_key: 2220
  New format: (field removed)
  Notes: The "id_key" field has been deleted; the same value is available instead in the "Notification" field, in parentheses.

Priority
  Earlier format: priority: P2
  New format: Priority: Medium
  Notes: The "Priority" field, which was earlier P1, P2 or P3, has been changed to the string High, Medium or Low, similar to what is seen on Luna.

Trigger time
  Earlier format: time: Fri Apr 17 23:47:00 2015 GMT
  New format: Trigger time: Fri Apr 17 17:55:33 2015 GMT
  Notes: The name of the field "time" has been changed to "Trigger Time"; the value is always GMT.

Dimensions
  Earlier format: dimensions_key: client_ip:157.55.39.158;tag:IPBLOCK;hostname:www.akamai.com;
  New format: Dimensions: (Client IP,Tag,Host Name) = (157.55.39.217,IPBLOCK,m.akamai.com)
  Notes: The name of the field "dimensions_key" has been changed to "Dimensions". The content of this field has been changed from "dimension_name:dimension_value" to "(dimension_names) = (dimension_values)". For aggregate notifications several (dimension_values) groups will follow, e.g.:
    (asn, clientip, country)=(123,1.1.1.1,IN),(456,2.2.2.2,IN), (123,3.3.3.3,US)

Metrics
  Earlier format: metrics: Denied:1460.00
  New format: Metrics: (Denied(500.00)>=Threshold(60))
  Notes: The "metrics" field name changed to "Metrics". Instead of "metric_name:value", the content contains the metric name, its value, the operator and the threshold value. For aggregate notifications this would look like:
    (string for combination1),(string for combination2),(string for combination3)

alert_name_key
  Earlier format: alert_name_key: "Requests Denied greater than 60 per min" - RP:Security_Monitor
  New format, for customers who have not configured an email subject in Portal: alert_name_key: Security_Monitor_Customer_Name (Notification: Requests Denied greater than 60 per min)
  New format, for customers who have configured an email subject in Portal: alert_name_key: Security_Monitor_Customer_Name(Subject string as configured)
  Notes: This field is exactly the same as the subject, except that it does not have "New Akamai Alert:" at the beginning.

Cause:
  Earlier format: Cause:
  New format: Cause:
  Notes: No change.

Action:
  Earlier format: Action:
  New format: Action:
  Notes: No change.
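Since customers with automated processing must rewrite their parsers, the following is an added example of what such a parser for the new format could look like. It is not Akamai code and not part of this notice; the sample body is constructed from the field examples in the table above. It assumes that each field occupies a single line, that "Trigger time" and "Start Time" always use the formats shown above, and that comparison operators other than ">=" (the only one shown here) may appear in "Metrics". It refuses a body that still uses the earlier format so that a mixed-format transition fails loudly instead of silently producing empty records.

```python
"""Parse the post-July-30-2015 Security Monitor notification format into a record."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample body assembled from the field examples on this page
# (not a captured email; the field order mirrors the table).
SAMPLE_NEW_BODY = """\
Service Name: Security Monitor
Start Time: Fri, Apr 17, 17:58 GMT 2015

OBSERVATION:
Notification: Requests Denied greater than 60 per min(id:2220)
Priority: Medium
Trigger time: Fri Apr 17 17:55:33 2015 GMT
Dimensions: (Client IP,Tag,Host Name) = (157.55.39.217,IPBLOCK,m.akamai.com)
Metrics: (Denied(500.00)>=Threshold(60))
alert_name_key: Security_Monitor_Customer_Name (Notification: Requests Denied greater than 60 per min)
Cause:
Action:
"""

VALID_PRIORITIES = ("High", "Medium", "Low")
REQUIRED = ("Notification", "Priority", "Trigger time", "Dimensions", "Metrics", "alert_name_key")
# Field names that only exist in the earlier (pre-July-30-2015) format.
LEGACY_KEYS = {"name", "reportpack", "id_key", "dimensions_key", "priority", "time", "metrics"}
FIELD_RE = re.compile(r"^([A-Za-z_][A-Za-z_ ]*?):+\s*(.*?)\s*$")   # ':+' tolerates 'key::'
GROUP_RE = re.compile(r"\(([^()]*)\)")                              # one parenthesised group
# Operator alternatives other than '>=' are an assumption; the page only shows '>='.
METRIC_RE = re.compile(
    r"\(\s*([A-Za-z_][\w ]*?)\s*\(([-\d.]+)\)\s*(>=|<=|!=|==|=|>|<)\s*Threshold\(([-\d.]+)\)\s*\)")
SUBJECT_RE = re.compile(r"^New Akamai Alert:\s*(\S+?)\s*\((Notification:\s*)?(.*)\)\s*$")


@dataclass
class Metric:
    name: str
    value: float
    operator: str
    threshold: float


@dataclass
class SecurityMonitorAlert:
    notification_name: str
    notification_id: int
    priority: str
    trigger_time: datetime
    dimensions: List[Dict[str, str]]   # one dict per "(dimension_values)" group
    metrics: List[Metric]              # one entry per combination
    alert_name_key: str
    start_time: Optional[datetime] = None


def parse_subject(subject: str) -> Tuple[str, str]:
    """Return (Security Monitor configuration name, notification name or configured subject)."""
    m = SUBJECT_RE.match(subject)
    if not m:
        raise ValueError(f"unrecognised subject line: {subject!r}")
    return m.group(1), m.group(3)


def parse_dimensions(text: str) -> List[Dict[str, str]]:
    """'(A,B) = (1,2),(3,4)' -> [{'A': '1', 'B': '2'}, {'A': '3', 'B': '4'}]."""
    groups = GROUP_RE.findall(text)
    if len(groups) < 2:
        raise ValueError(f"Dimensions needs a name group and at least one value group: {text!r}")
    names = [n.strip() for n in groups[0].split(",")]
    rows = []
    for group in groups[1:]:
        values = [v.strip() for v in group.split(",")]
        if len(values) != len(names):          # aggregate groups must match the name list
            raise ValueError(f"dimension group {group!r} does not match names {names}")
        rows.append(dict(zip(names, values)))
    return rows


def parse_metrics(text: str) -> List[Metric]:
    """'(Denied(500.00)>=Threshold(60))' -> [Metric('Denied', 500.0, '>=', 60.0)]."""
    found = METRIC_RE.findall(text)
    if not found:
        raise ValueError(f"Metrics not in name(value)<op>Threshold(t) form: {text!r}")
    return [Metric(n, float(v), op, float(t)) for n, v, op, t in found]


def split_fields(body: str) -> Dict[str, str]:
    """Map 'Key: value' lines to a dict; empty values (e.g. 'Cause:') are dropped."""
    fields: Dict[str, str] = {}
    for line in body.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):
            fields[m.group(1)] = m.group(2)
    return fields


def is_legacy_format(body: str) -> bool:
    """True when the body still carries earlier-format field names."""
    return bool(LEGACY_KEYS.intersection(split_fields(body)))


def parse_body(body: str) -> SecurityMonitorAlert:
    fields = split_fields(body)
    legacy = sorted(LEGACY_KEYS.intersection(fields))
    if legacy:
        raise ValueError(f"body uses the pre-July-30-2015 format (found fields {legacy})")
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    m = re.fullmatch(r"(.*?)\s*\(id:(\d+)\)", fields["Notification"])
    if not m:
        raise ValueError(f"Notification lacks the '(id:N)' suffix: {fields['Notification']!r}")
    if fields["Priority"] not in VALID_PRIORITIES:
        raise ValueError(f"unexpected Priority {fields['Priority']!r}, want one of {VALID_PRIORITIES}")
    trigger = datetime.strptime(fields["Trigger time"], "%a %b %d %H:%M:%S %Y GMT")
    start = None
    if "Start Time" in fields:
        start = datetime.strptime(fields["Start Time"], "%a, %b %d, %H:%M GMT %Y").replace(tzinfo=timezone.utc)
    return SecurityMonitorAlert(
        notification_name=m.group(1), notification_id=int(m.group(2)),
        priority=fields["Priority"], trigger_time=trigger.replace(tzinfo=timezone.utc),
        dimensions=parse_dimensions(fields["Dimensions"]), metrics=parse_metrics(fields["Metrics"]),
        alert_name_key=fields["alert_name_key"], start_time=start)


if __name__ == "__main__":
    print(parse_body(SAMPLE_NEW_BODY))
```

The value comparison in "Metrics" is kept as data (operator and threshold) rather than re-evaluated, so downstream tooling can decide whether to trust the email's own verdict; the Dimensions parser handles both the single-group and the aggregate "(names)=(values),(values),..." layout the notice describes.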

 

Sample Email:

For the html format email see attachment (please extract the txt file and change extension from txt to mht)
