Kaspersky Unified Monitoring and Analysis Platform
3.4
English
User guide  >  KUMA resources  >  Notification templates  >  Notification template syntax

Notification template syntax

The notification templates use the Go templates syntax. You can use this syntax to dynamically fill notifications with content: load data from the fields of the corresponding objects, insert links, or convert dates to a different format. You can use the template syntax in the subject as well as the body of the message. This article briefly describes the syntax and lists the fields that can be used for certain types of events, and additional functions that can be applied to these fields. You can read more about the syntax in the official Go language documentation.

In the template, you can reference the object fields depending on the selected type of event. The fields of the corresponding objects can contain simple values such as a string or a number:

{{ .CorrelationRuleName }}

The message will display the alert name, which is the contents of the CorrelationRuleName field of the alert data model.

Some fields may contain data arrays, for example, alert fields with related events, assets, and accounts. Such nested objects can be queried by using the range function, which sequentially queries the fields of the first 50 nested objects. When using the range function to query a field that does not contain a data array, an error is returned. Example:

{{ range .Assets }}

Device: {{ .DisplayName }}, creation date: {{ .CreatedAt }}

{{ end }}

The message will display the values of the DeviceHostName and CreatedAt fields from 50 assets related to the alert:

Device: <DisplayName field value from asset 1>, creation date: <CreatedAt field value from asset 1>

Device: <DisplayName field value from asset 2>, creation date: <CreatedAt field value from asset 2>

...

// 50 strings total

You can use the limit function to limit the number of objects returned by the range function:

{{ range (limit .Assets 5) }}

<strong>Device</strong>: {{ .DisplayName }},

<strong>Creation date</strong>: {{ .CreatedAt }}

{{ end }}

The message will display the values of the DisplayName and CreatedAt fields from 5 assets related to the alert, with the words "Devices" and "Creation date" marked with the <strong> HTML tag:

<strong>Device</strong>: <DeviceHostName field value from asset 1>,

<strong>Creation date</strong>: <value of the CreatedAt field from asset 1>

<strong>Device</strong>: <DeviceHostName field value from asset N>,

<strong>Creation date</strong>: <CreatedAt field value from asset N>

...

// 10 strings total

Nested objects can have their own nested objects. They can be queried by using nested range functions:

{{ range (limit .Events 5) }}

    {{ range (limit .Event.BaseEvents 10) }}

    Service ID: {{ .ServiceID }}

    {{ end }}

{{ end }}

The message will show ten service IDs (ServiceID field) from the base events related to five correlation events of the alert (50 lines in total). Please note that events are queried through the nested EventWrapper structure, which is located in the Events field in the alert. Events are available in the Event field of this structure, which is reflected in the example above. Therefore, if field A contains nested structure [B] and structure [B] contains field C, which is a string or a number, to query field C, you must specify the path {{ A.C }}.

Some object fields contain nested dictionaries in key-value format (for example, the Extra event field). They can be queried by using the range function with the variables passed to it: range $placeholder1, $placeholder2 := .FieldName. The values of variables can then be called by specifying their names. Example:

{{ range (limit .Events 3) }}

    {{ range (limit .Event.BaseEvents 5) }}

    List of fields in the Extra event field: {{ range $name, $value := .Extra }} {{ $name }} - {{ $value }} <br> {{ end }}

    {{ end }}

{{ end }}

The message will use an HTML tag<br> to show key-value pairs from the Extra fields of the base events belonging to the correlation events. Data is called from five base events out of each of the three correlation events.

You can use HTML tags in notification templates to create more complex structures. Example table for correlation event fields:

<style type="text/css">

  TD, TH {

    padding: 3px;

    border: 1px solid black;

  }

</style>

<table>

  <thead>

    <tr>

        <th>Service name</th>

        <th>Name of the correlation rule</th>

        <th>Device version</th>

    </tr>

  </thead>

  <tbody>

    {{ range .Events }}

    <tr>

        <td>{{ .Event.ServiceName }}</td>

        <td>{{ .Event.CorrelationRuleName }}</td>

        <td>{{ .Event.DeviceVersion }}</td>

    </tr>

    {{ end }}

  </tbody>

</table>

Use the link_alert function to insert an HTML alert link into the notification email:

{{link_alert}}

A link to the alert window will be displayed in the message.

Templates also support more complex constructs such as local variable declaration, comparison operators, and control structures. Below is an example of how you can extract the data on max asset category from the alert data and place it in the notifications:

{{ $criticalCategoryName := "" }}

{{ $maxCategoryWeight := 0 }}

{{ range .Assets }}

{{ range .CategoryModels }}

{{ if gt .Weight $maxCategoryWeight }}

{{ $maxCategoryWeight = .Weight }}

{{ $criticalCategoryName = .Name }}

{{ end }}

{{ end }}

{{ end }}

{{ if gt $maxCategoryWeight 1 }}

Max asset category: {{ $criticalCategoryName }}

{{ end }}

Object fields supported in templates

The following table lists the fields that can be accessed from templates, depending on the type of event.

Supported object fields

Type

Available fields

Alert created

 

All fields of the alert data model are supported, including nested arrays and structs.

Report generated

{{ .Tenants }} — Tenants for which the report is created.

{{.Name}} — Report name.

{{.StartTime}} — The beginning of the period for which the report is created, in the "2006-01-02 15:04:05 MSK" format.

{{.FinishTime}} — The end of the period for which the report is created, in the "2006-01-02 15:04:05 MSK" format.

{{.PreviewLink}} — Link for viewing the report.

{{.DownloadLink}} — Link for downloading the report.

Example of adding links to a report notification template:

You can <a href="{{ .PreviewLink }}" target="_blank">view</a> or <a href="{{ .DownloadLink }}" target="_blank">download</a> the report.

Task finished

{{.Tenants}} — The tenant in which the task is started.

{{.TaskKind}} — The name of the task.

{{.TaskCreator}} — The name (login) of the user that created the task.

{{.StartTime}} — The start time of the task in the "2006-01-02 15:04:05 MSK" format.

{{.FinishTime}} — The end time of the task in the "2006-01-02 15:04:05 MSK" format.

{{.TaskStatus}} — Task execution status.

 

Sources monitoring alert

{{.SourceTenantName}} — Tenant of the event source.

{{.SourceDisplayName}} — Name of the source.

{{.Value}} — The value that exceeded the bounds of the monitoring policy at the time of the alert creation.

{{.WebLink}} — Link to the KUMA web interface.

{{.AlertActiveAt}} — Time at which the alert was active.

{{.PolicyName}} — Name of the monitoring policy.

{{.PolicyTenantName}} — Tenant of the monitoring policy.

{{.PolicyLowerEventBound}} — Lower threshold.

{{.PolicyUpperEventBound}} — Upper threshold.

{{.PolicyKind}} — Type of the policy.

{{.PolicyInterval}} — Interval of the counting period.

{{.DeviceProduct}} — Source device.

{{.DeviceHostName}} — Source host name.

{{.DeviceAddress }} — MAC address of the source.

{{.DeviceProcessName}} — Name of the source process.

 

KASAP group changed

{{ .UserEmail }} — Display name of the user from Active Directory.

{{.PreviousGroup}} — KASAP learning group to which the user belonged at the time when the user's card was opened form an incident or alert.

{{.CurrentGroup}} — KASAP training group to which the user was moved from the user's card.

{{.WebLink}} — Link to the KUMA web interface.

Functions in notification templates

Functions available in templates are listed in the table below.

Functions in templates

Function

Description

date

Takes the time in milliseconds (unix time) as the first parameter; the second parameter can be used to pass the time in RFC standard format. The time zone cannot be changed.

Example call: {{ date .FirstSeen "02 Jan 06 15:04" }}

Call result: 18 Nov 2022 13:46

Examples of date formats supported by the function:

  • "02 Jan 06 15:04 MST"
  • "02 Jan 06 15:04 -0700"
  • "Monday, 02-Jan-06 15:04:05 MST"
  • "Mon, 02 Jan 2006 15:04:05 MST"
  • "Mon, 02 Jan 2006 15:04:05 -0700"
  • "2006-01-02T15:04:05Z07:00"

range

Lets you iterate over arrays or sets of key-value pairs, sequentially referring to the fields of the first 50 items.

limit

This function is called inside the range function to limit the list of data. It processes lists that do not have keys, takes any list of data as the first parameter and truncates it based on the second value. For example, the .Events, .Assets, .Accounts, and .Actions alert fields can be passed to the function.

Example call:

{{ range (limit .Assets 5) }}

<strong>Device</strong>: {{ .DisplayName }},

<strong>Creation date</strong>: {{ .CreatedAt }}

{{ end }}

link_alert

Generates a link to the alert with the URL specified in the SMTP server connection settings as the KUMA Core server alias or with the real URL of the KUMA Core service if no alias is defined.

Example call:

You can find more information about the alert in the KUMA web interface: {{link_alert}}.

link_task

Generates a link to the task in KUMA.

Example call:

Task "{{ .TaskKind }}" created {{ .TaskCreator }} at {{ .StartTime }} and completed at {{ .FinishTime }} with the "{{ .TaskStatus }}" status.

You can find more information about tasks in the KUMA web interface: {{ link_task }}.

link

Takes the form of a link that can be followed.

Example call:

{{ link "https://support.kaspersky.com/KUMA/2.1/en-US/233508.htm" }}

Article ID: 295255, Last review: May 30, 2025
Page top