Adding a new message

Administrator Help | TRITON AP-DATA | Version 8.3.x

Select Main > Policy Management > Resources.

From the Remediation section, select the Notifications option.

Click New on the toolbar.

Enter a name and description for this notification template, such as "Breach notification".

On the General tab, complete the fields as follows:


Field	Description
Sender name	Enter the name of the person from whom notifications should be sent. This is the name that will appear in the email From field. Maximum length: 1024 characters.
Sender email address	Enter the email address of the person from whom notifications should be sent. Maximum length: 1024 characters.

The outgoing mail server that's been configured appears on screen. If you want to change the server used, click Edit (the pencil icon).
Note that if you change the mail server properties, it changes all occurrences of this server (such as alerts).

Complete the remaining fields as follows:


Field	Description
Subject	Type the subject of the notification. This appears in the email Subject: line. Click the right arrow to choose variables to include in the subject, such as "This is to notify you that your message was %Action% because it breached corporate policy." Maximum length: 4000 characters.
Recipients	Define the recipient(s) for the notification. Click Edit to select to select business units or directory entries. Select Additional email addresses then click the right arrow to select a dynamic recipient that varies according to the incident. For example, you can choose to send the notification to the policy owners, administrators, source, or source's manager. Select the variable that applies, such as %Policy Owners%. Separate multiple addresses with commas. For mobile incidents, do not send notifications to senders or senders' managers. The incident was a result of someone synchronizing email to a mobile device; the message may have been permitted otherwise. Notifications can be sent only to people in your domain. If a recipient is out of your organization, the notification is not sent, no matter what is configured in a rule or action plan.

On the Notification Body tab, select a notification type and display format from the drop-down lists.

Field

Description

Type

Select the type of notification to send:

Standard - Select Standard to include all of the elements shown in the Body Content box. You can enable or disable these elements if you use the standard notification type.

Custom - Select this option if you want to send a custom notification. Edit the default text as needed. The drop-down menu provides variables.

Display as

Select a display format from the drop-down list: HTML or plain text.

Logo

Displays the Forcepoint logo, date, and time.

Action

Displays the action taken when the breach was discovered.

Message to user

Displays a message in the message body. You can use the default text, or edit it to your liking. The drop-down menu provides variables.

Incident details

Displays incident details in the notification message.

Violation triggers

Attaches a list of rules violated by the breach.

Include links so that recipients can perform operations on the incident

Select this option if you want to include links in the notification so that administrators can perform workflow operations on the incident directly from it—operations such as assign, ignore, and escalate. (See sample links below this table.)

Administrators can perform only the operations they have permission to perform from their role assignment.

To enable the Release Incident operation, select the next option.

Plain text notifications do not show links.

To support this feature, you must create an email account for the TRITON AP-DATA system in Exchange. To avoid reconfiguration, make sure the credentials assigned to this mailbox do not expire. Once done, navigate to Settings > General > Mail Servers and configure the incoming mail server. Use this mailbox for the system email address.

Allow recipients to release quarantined email from this notification

Select this option if you want to allow message recipients to release blocked messages by replying to their notification message or by clicking the Release All link within the message.

See the knowledgebase article, "Releasing blocked email in TRITON AP-DATA" for instructions on setting up the release by reply capability. You must configure options in both TRITON AP-DATA and Microsoft Exchange to enable it.

Attach policy-breach content

Attaches policy breach contents to the email message.


	Important To include links in notifications or to allow recipients to release messages, you must configure the incoming mail server to use to receive these requests. To do so, click Mail Server Settings on the toolbar. See Mail servers for more information.

Click OK to save your changes.

Below is an example of what users see at the bottom of their notification message. Here they can perform workflow actions on the incident and release the quarantined content.

Each link opens a window where you compose a message to the system's notification server. This is how the workflow operation is communicated to the management server.

For example, if you click the link to change the status of an incident to High, a window like this appears:

The message is drafted for you, but you can add comments to display on the History tab of the incidents report. Do not delete the Comments section, even if you are adding no comments. If they appear, do not modify the To: field or the encryption codes at the bottom of the message. Without the encryption codes, workflow is not modified.

Click Send to notify the system of your request.

Successful changes are shown on the incident's History tab.This includes the name of the administrator who performed the action, any comments that were added, and the action taken.

If there is an error processing the workflow request, you receive an error message or the error is saved in the syslog. Syslog errors are logged if the system experiences an internal error.