Notifications Group

Notifications are email messages or SNMP traps that are automatically sent when results match a workflow rule.

The Notifications ribbon group is displayed when the Notifications tab of the Workflow Rule Wizard is selected and provides functions to add, modify, and remove email and SNMP Trap notifications to workflow rules. This is where you define the recipients to be notified when a result matches a rule. Notifications are optional and are not required to define a rule.

Add Button

To create a new email notification or a new SNMP Trap notification, click the Add button and select Email Notification or SNMP Trap Notification:

Email Notification: The Add Email Notification dialog opens with the following fields and options:

Field Description
Send On

Choose whether the notification is sent when a Classification is applied or when a user, role or endpoint owner is assigned to a search result.

  • Classification Change: Select this option to have the email notification sent when a result has matched a rule and a classification has been applied to the result. If a subsequent search is performed on the endpoint and the same results are imported again, then another notification is not sent out when the workflow rules are run unless the classification for the results has changed.
  • Assignment: Select this option to have the email notification sent when a result has matched a rule and is assigned to a user, role or endpoint. If a subsequent search is performed on the endpoint and the same results are imported again, then another notification is not sent out when the workflow rules are run unless the assignment for the results has changed.
  • Results Import: Select this option to have the email notification sent when the results are imported into the Console database.
Send repeat notification until Status is changed

This option displays only when Send On is set to 'Assignment'. When this option is enabled, the next time that the workflow rules service job executes and it is the following day or later, users that received the original assignment email notification also receive the repeat notifications (except as noted below) as long as the assigned locations remain unresolved. Repeat notifications are sent once per day when the Run Workflow Rules service job runs and it is the day after the previous notification was sent (for example, the previous notification was sent on 11/05/15 at 10:00 PM EST and the workflow rules service job next runs on 11/06/15 at 12:00 AM EST or later). Repeat notifications do not contain the same subject and body as the email notification set up in the workflow rule. You may configure the subject and body of the repeat notification on the Application Settings page of the Admin tab. Repeat notifications are sent to recipients as noted below:

  • Email Addresses: No repeat notifications are sent.
  • Search User: No repeat notifications are sent.
  • File Owner: No repeat notifications are sent.
  • Endpoint Owner: Repeat notifications are sent to the Endpoint Owner if the rule resulted in an assignment.
  • Assignee: Repeat notifications are sent to Assignees if locations were assigned to them based on this rule.
  • Users and Roles: Repeat notifications are sent to Users and Roles if the rule resulted in an assignment to those users or Roles.

    The Manage button allows you to view the recipients who are scheduled to receive repeat notifications and to prevent future repeat notifications from going to specific recipients by removing them from the list. Removing a recipient from this list does not prevent new notifications from being sent for newly assigned locations under this same rule and notification. For example, if an initial notification is sent to assignee A and assignee B, and you then remove assignee B from the Manage Repeat Notifications list, assignee B does not receive reminder notifications for that location under this rule and notification. But if a new location is assigned to assignee B under this rule and assignee B receives a new notification for that location, assignee B is added back to the list to receive reminder notifications for any unresolved locations assigned by this rule with the repeat notification defined. This button only becomes enabled when the “Send repeat notification until Status is changed” checkbox is enabled and after the initial notification has been sent. To remove a recipient from the list, click the Manage button to open the "Manage Repeat Notifications" dialog, place a mark in the box to the left of the user, and click 'OK'.
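The repeat-notification rules above, modelled as an added example (this is not the product's code): it shows that the test is a calendar-day change rather than 24 hours elapsed, and which recipient types are eligible. The function names, the fixed EST offset and the time zone used for the day comparison are assumptions; the timeline is constructed around the page's 11/05/15 example.

```python
from datetime import datetime, timedelta, timezone

# Recipient types the page lists as receiving repeat notifications.
# "Email Addresses", "Search User" and "File Owner" never get repeats.
REPEAT_ELIGIBLE = {"Endpoint Owner", "Assignee", "Users and Roles"}

EST = timezone(timedelta(hours=-5))  # fixed offset, matches the page's example


def repeat_due(recipient_type, assigned, resolved, removed, last_sent, job_run):
    """True if this run of the workflow rules job sends a repeat notification.

    assigned: the rule resulted in an assignment to this recipient
    resolved: the assigned locations are no longer unresolved
    removed:  recipient was removed in the Manage Repeat Notifications dialog
    """
    if recipient_type not in REPEAT_ELIGIBLE:
        return False
    if not assigned or resolved or removed:
        return False
    # Calendar-day test, not "24 hours elapsed". Assumption: both timestamps
    # are compared in the time zone of the previous notification.
    return job_run.astimezone(last_sent.tzinfo).date() > last_sent.date()


def simulate(recipient_type, first_sent, job_runs, resolved_at=None):
    """Replay job runs in order; return the runs that send a repeat."""
    sent, last = [], first_sent
    for run in job_runs:
        resolved = resolved_at is not None and run >= resolved_at
        if repeat_due(recipient_type, True, resolved, False, last, run):
            sent.append(run)
            last = run
    return sent


# Constructed timeline built around the page's 11/05/15 example.
FIRST = datetime(2015, 11, 5, 22, 0, tzinfo=EST)
RUNS = [
    datetime(2015, 11, 5, 23, 0, tzinfo=EST),   # same day: no repeat
    datetime(2015, 11, 6, 0, 0, tzinfo=EST),    # next day, 2 h later: repeat
    datetime(2015, 11, 6, 12, 0, tzinfo=EST),   # same day again: no repeat
    datetime(2015, 11, 7, 0, 0, tzinfo=EST),    # next day: repeat
    datetime(2015, 11, 8, 0, 0, tzinfo=EST),    # resolved by now: no repeat
]

if __name__ == "__main__":
    resolved = datetime(2015, 11, 7, 9, 0, tzinfo=EST)
    for run in simulate("Assignee", FIRST, RUNS, resolved_at=resolved):
        print("repeat sent", run.isoformat())
```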
Recipients

Allows you to select who is notified when a classification is applied or user is assigned. You may select one or more of the recipient options. If you try to complete the notification without selecting a recipient, a message displays that reads, "There must be at least one recipient specified."

  • Email Addresses: Select this option to have the notification sent to an email address, or multiple email recipients separated by a comma. The email address can be in a simple form (e.g. email@address.com) or in the form: “Display Name” <email@address.com>. If you select this option but do not enter at least one email address, the following message displays when you click OK: "The Recipients field is required."
  • Search User: Select this option to have the notification sent to the email address associated with the user account context under which the search was executed. For User scheduled tasks, this is the user name with which the user logged onto the system. For System scheduled tasks this is SYSTEM for Windows and root for Mac OS. This option only displays when AD user authentication is enabled.
  • File Owner: Select this option to have the notification sent to the file system owner for locations that are files. This option only displays when AD user authentication is enabled.
  • Endpoint Owner: When Endpoint Owner is selected, then all of the endpoint’s owners and the endpoint email recipient are notified.
  • Endpoint Owner Manager: Select this option to have the notification sent to the email address associated with the User Manager Attribute name in the Active Directory Settings in CAT. This is the manager (as defined in the CAT) of the user associated with the endpoint as defined in Active Directory or manually specified in the Endpoint details. This option only displays when AD user authentication is enabled.
  • Assignee: When Assignee is selected, the email is sent to the endpoint owner, Console user or Console role to which the results are assigned by the workflow rule.
  • Users and Roles: When Users and Roles is selected, you can specify which users and roles to notify by clicking the Add User button or the Add Role button. When selecting by user, it uses the email that is associated to the selected user in the Users section of the Admin tab. When selecting by roles, it adds each user that is assigned to the selected role. If you select this option but do not select a user or role, the following message displays when you click OK: "There must be at least one recipient specified." If a user synced from AD has been disabled, then it displays here in a gray italic font.
Message

Define the Subject and Body of the email message using text and/or variables. Variables are replaced with text when the email is generated. The format of a variable is %VariableName%. Variables are case sensitive and no spaces are allowed between the percent characters. If you enter an email variable incorrectly, a dialog displays stating that the variable was not recognized. If you enter a variable which is not part of the rule definition, the following message displays: "The 'VariableName' token is not allowed here, because it is not used in the definition filter or the related filter has no value." If a variable results in an empty string (no values) when the email is generated, the variable is replaced in text with <VariableName>.

  • Subject: This is the subject line of the email notification. You can enter text or use a variable. If you attempt to create the notification without entering a subject, the following message displays: "The Subject filed is required."
  • Body: This is the message body of the email. The body may contain plain text and/or HTML markup. If you attempt to create the notification without entering anything in the body, the following message displays: "The Body field is required."
    • Variables: There are two types of variables which can be used. Those which are required to be part of the workflow rule definition in order to be used and those which are independent of the workflow rule definition.
      • These variables are required to be part of the workflow rule definition in order to be used in the email notification:
        • %AccessDate%: This returns the date and time that the file was last accessed.
        • %AnyFindTotalCount%: This expands to “<count> <data type name>(s)”, e.g. “10 Password(s)”, "34 Social Security Number(s)", etc.
        • %CreateDate%: This returns the date and time that the file was created.
        • %DataType% (pre v9 %IdentityType%): This returns the type of data that was found, for example, "Social Security Number", "Telephone Number."
        • %Location%: This returns the full path or other location in which the match was found. This variable displays enough information to be able to get back to the source of the result from the machine on which it was found. For example, the file path is relative to the Agent that ran the search, an email location contains message folder names, time stamps, and subjects, a database location includes table and column information and a website location includes the full URL.
        • %LocationType%: This returns the type(s) of location that was found, e.g. "Text Document, XLSX File".
        • %ModifyDate%: This returns the date and time that the file was last modified.
        • %Quantity%: This returns the number of instances of a match for a single results row in a location. For example, if the social security number "123-45-6789" occurred 10 times in a single location, the variable returns '10'.
        • %SearchUserName%: This returns the name of the user who performed the search on the endpoint, e.g. "Administrator."
        • %SourceEndpointIPRange%: This returns the IP addresses reported to the Console of the endpoint which ran the search.
        • %SourceEndpointTags%: This returns the tags of which the endpoint that ran the search is a member. This is a Console-only variable that cannot be processed at the endpoint.
        • %TargetEndpointIPRange%: This returns the IP addresses reported to the Console of the endpoint on which the result was found.
        • %TargetEndpointTags%: This returns the tags of which the endpoint on which the result was found is a member. This is a Console-only variable that cannot be processed at the endpoint.
        • %TaskName%: This returns the name of the task under which the search was run, as entered in the Add New Task dialog in the Scheduled Tasks section of a policy or "Initiate Search" for a task executed via the Search button on the ribbon or "User Initiated" for a search that was executed interactively on the Agent. A scheduled task that has been deleted after it has executed but prior to the workflow rules being run displays as <Task Deleted>.
        • %Tasks%: This returns the Scheduled Task Name as entered in the Scheduled Tasks section of a policy.
        • %TotalMatches%: This returns a numerical value representing the total number of matches found during the search. For example, if 200 SSNs and 125 CCNs were found during the search, the value returned would be 325.
        • %TotalDataTypes% (pre v9 %TotalIdentityTypes%): This returns a numerical value representing the total number of data types found in the search. For example, if SSNs and CCNs were found during the search, the value returned would be 2.
        • %TotalUniqueMatches%: This returns a numerical value representing the total number of unique matches found in the search.
        • %Owner%: This returns the file system owner for locations that are files. For data from Windows Agents, the NTFS owner of the file. For data from Mac Agents, the file system owner of the file.
      • These variables are independent of the workflow rule definition:
        • %AssignmentsLink%: This returns a link that when clicked, allows the user to log into the Console and see a filtered view of the matching results that have been assigned to the user.
        • %ClassificationsLink%: This returns a link that when clicked, allows the user to log into the Console and see a filtered view of the results with the assigned classification.
        • %ClassificationName%: This returns the name of the classification to which the rule belongs. e.g. "High."
        • %EndpointName%: This returns the display name of the endpoint on which the result was found.
        • %RuleDescription%: This returns the description of the workflow rule.
        • %RuleName%: This returns the name of the workflow rule.
        • %SearchTime%: This returns the time stamp, local to the Agent, of the start of the search during which the result was found.
        • %RecipientName%: This returns the display name that is defined for a user. If no display name has been defined, it uses the user's login name. This variable works with Endpoint Owner, Assignee and Users and Roles types of recipients. If used with simple email Addresses, the Console attempts to find users that have that email defined and use their Display Name or login name.
  • Send as Plain Text: If entering only text in the message body, then select this option to preserve the formatting of the message body so that it displays in the email just as you entered it. If you have entered any HTML in the message body, do not select this option. The Console combines multiple notifications to the same recipient into one email. The combined email is sent as plain text only if all notifications to be combined have "Send as plain text" selected. If at least one notification does not have "Send as plain text" selected, the combined message is HTML.
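A pre-check for notification templates that follows the variable rules described in this Message section, as an added example (not the product's code). The function names, the "unrecognized variable" wording and the treatment of percent-delimited text containing whitespace as literal text are assumptions; the variable names are copied from the lists above.

```python
import re

# Variable names copied from this page (current names only; the pre-v9
# names %IdentityType% and %TotalIdentityTypes% are not modelled).
RULE_DEPENDENT = {
    "AccessDate", "AnyFindTotalCount", "CreateDate", "DataType", "Location",
    "LocationType", "ModifyDate", "Quantity", "SearchUserName",
    "SourceEndpointIPRange", "SourceEndpointTags", "TargetEndpointIPRange",
    "TargetEndpointTags", "TaskName", "Tasks", "TotalMatches",
    "TotalDataTypes", "TotalUniqueMatches", "Owner",
}
INDEPENDENT = {
    "AssignmentsLink", "ClassificationsLink", "ClassificationName",
    "EndpointName", "RuleDescription", "RuleName", "SearchTime",
    "RecipientName",
}
# Assumption: a token has no whitespace between its percent characters.
TOKEN = re.compile(r"%([^%\s]+)%")


def lint(template, rule_filter_vars):
    """Return the problems the wizard would report for this template."""
    allowed = INDEPENDENT | (set(rule_filter_vars) & RULE_DEPENDENT)
    problems = []
    for name in TOKEN.findall(template):  # names are case sensitive
        if name in allowed:
            continue
        if name in RULE_DEPENDENT:
            problems.append(
                f"The '{name}' token is not allowed here, because it is not "
                "used in the definition filter or the related filter has no value.")
        else:
            problems.append(f"unrecognized variable: {name}")  # our wording
    return problems


def render(template, values):
    """Substitute known variables; an empty value becomes <VariableName>."""
    def sub(match):
        name = match.group(1)
        if name not in RULE_DEPENDENT | INDEPENDENT:
            return match.group(0)  # leave unknown text untouched
        text = str(values.get(name, ""))
        return text if text else f"<{name}>"
    return TOKEN.sub(sub, template)


def combined_is_plain_text(plain_flags):
    """A combined email is plain text only if every notification is."""
    return all(plain_flags)
```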
Generate Report

This option allows you to include a report as an attachment to a Workflow email notification. This option displays only when Send On: Results Import is selected and you have a qualifying report defined as described below.

  • Report Name: A report only displays in this drop-down list if it has been created in the Reports tab and the report contains the following columns: Searches: Endpoint Identifier or Searches: Source Endpoint Identifier and Searches: Search Identifier.
Help

Click to access context-sensitive help.
OK

Click to save the Notification.
Cancel

Click to discard any changes you have made to the notification.

Edit Notifications

To edit an existing email or SNMP Trap notification, left-click the notification and the Edit button is enabled. Click the Edit button and the Edit Notification dialog displays. Make the desired changes and click the OK button to save the notification.

Remove Notifications

To delete an existing email or SNMP Trap notification, left-click a notification and the Remove button is enabled. Click the Remove button and a confirmation dialog box displays which reads, "The selected row will be permanently deleted. Would you like to delete this row?" Click Yes to confirm and the selected notification is deleted. Click No to cancel the deletion.

After you add, edit or remove a notification, you must click either the Finish button to save your changes or the Cancel button to discard them. If you try to select another classification or rule without clicking the Finish or Cancel button, you are prompted with a confirmation dialog that reads, "Do you want to save the current rule?" Select Yes to save your changes, No to discard them or Cancel to return to the rule.