Email Alert Configuration
Configure email notifications for security events with customizable templates, delivery schedules, and recipient management.
Email remains one of the most reliable notification channels: everyone has email, and no additional tools are required.
Why Use Email Alerts?
| Benefit | Description |
|---|---|
| Universal Access | No additional tools or apps required |
| Flexible Scheduling | Immediate alerts or scheduled digests |
| Rich Formatting | HTML templates with tables and colors |
Email Delivery Modes
Immediate Alerts
Emails sent within seconds of event detection.
Best For:
- Malware detection and active threats
- Authentication failures and account lockouts
- Privilege escalation attempts
- Critical agent health failures
Use sparingly to avoid email overload. Reserve for critical events.
Hourly/Daily Digest
Batch multiple events into periodic summary emails.
Digest Frequencies:
| Frequency | Delivery Time |
|---|---|
| Hourly | Every hour on the hour |
| Every 4 hours | 00:00, 04:00, 08:00, etc. |
| Daily 9 AM | 9:00 AM local time |
| Daily 5 PM | 5:00 PM local time |
Weekly Summary
High-level security posture report sent weekly.
Includes:
- Total events by severity
- Top threat types detected
- Security score trend
- Key recommendations
Best For: Leadership and compliance teams.
Configuring Email Alerts
Step 1: Navigate to Email Settings
Go to Configuration → Notifications → Email Alerts.
You'll see:
- Existing email alert rules
- SMTP configuration status
- Delivery statistics
Step 2: Configure SMTP (If Required)
CastellanAI includes default email delivery. For custom SMTP:
| Setting | Example |
|---|---|
| SMTP Server | smtp.example.com |
| Port | 587 (TLS) or 465 (SSL) |
| Username | alerts@example.com |
| Password | Encrypted password or app token |
| From Address | CastellanAI <alerts@example.com> |
Step 3: Create Email Alert Rule
Click + New Email Alert and configure:
| Option | Description |
|---|---|
| Event Filters | Event type, severity, host, user |
| Delivery Mode | Immediate, hourly, daily, weekly |
| Recipients | Emails or distribution lists |
Step 4: Customize Email Template
Eight default templates are available:
- Critical Threat Alert
- Authentication Failure
- Malware Detection
- Correlation Alert
- Agent Health Issue
- Daily Security Summary
- Weekly Executive Report
- Custom Event
Step 5: Test and Activate
Test emails include sample event data to preview appearance.
- Click Send Test Email
- Verify delivery and formatting
- Enable the rule
Dynamic Template Tags
Use dynamic tags to include real-time event data:
| Tag | Description |
|---|---|
| {{EventType}} | Event category |
| {{Severity}} | Severity level |
| {{Timestamp}} | Event time |
| {{Host}} | Affected hostname |
| {{User}} | Associated user |
| {{Message}} | Event description |
| {{RiskScore}} | Risk score value |
| {{EventId}} | Unique identifier |
| {{MitreTactics}} | ATT&CK tactics |
| {{SourceIP}} | Source IP address |
Template Customization
Header & Branding
| Element | Customization |
|---|---|
| Company Logo | Max 200x60px |
| Primary Color | Hex code |
| Footer Text | Disclaimer, contact info |
| Links | Support, unsubscribe |
Content Blocks
Choose which blocks to include:
| Block | Description |
|---|---|
| Event Summary | Table with key details |
| Affected Assets | List of impacted systems |
| Risk Score | Visual indicator |
| Recommendations | AI-suggested actions |
| Similar Events | Related activity |
| Action Buttons | Quick action links |
Advanced HTML Editor
For complete control, edit raw HTML:
```html
<html>
<head>
<style>
.alert { color: #ff4444; }
.high { background: #ffeeee; }
</style>
</head>
<body>
<h1>{{EventType}} Alert</h1>
<p>Severity: <span class="alert">{{Severity}}</span></p>
<table>
<tr><td>Host:</td><td>{{Host}}</td></tr>
<tr><td>Time:</td><td>{{Timestamp}}</td></tr>
</table>
</body>
</html>
```
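As an added illustration of how the dynamic tags above can be expanded into the raw-HTML template (example code, not CastellanAI's own renderer): every event value is HTML-escaped before substitution, because fields like Message or User are taken from the log line that fired the alert, and a tag that is not on the supported list is rejected instead of being shipped as a typo. The tag names are from the table above; the template body, sample event and function names are constructed for this example.

```python
import html
import re

# The dynamic tags the page lists; anything else is rejected, not substituted.
KNOWN_TAGS = {"EventType", "Severity", "Timestamp", "Host", "User", "Message",
              "RiskScore", "EventId", "MitreTactics", "SourceIP"}
TAG_RE = re.compile(r"\{\{(\w+)\}\}")

# Constructed template: the body of the raw-HTML example above plus a Message row.
TEMPLATE = (
    "<h1>{{EventType}} Alert</h1>\n"
    '<p>Severity: <span class="alert">{{Severity}}</span></p>\n'
    "<table>\n"
    "<tr><td>Host:</td><td>{{Host}}</td></tr>\n"
    "<tr><td>Time:</td><td>{{Timestamp}}</td></tr>\n"
    "<tr><td>Message:</td><td>{{Message}}</td></tr>\n"
    "</table>\n"
)

# Constructed sample event; Message carries markup, as real log text can.
SAMPLE_EVENT = {
    "EventType": "Malware Detection",
    "Severity": "Critical",
    "Host": "WS-042",
    "Timestamp": "2024-05-01T09:15:00Z",
    "Message": "<b>Suspicious</b> process & child quarantined",
    "MitreTactics": ["Execution", "Defense Evasion"],
}

def unknown_tags(template: str) -> set:
    """Tags in the template that are not on the supported list (e.g. typos)."""
    return {m.group(1) for m in TAG_RE.finditer(template)} - KNOWN_TAGS

def render(template: str, event: dict) -> str:
    """Expand {{Tag}} placeholders with HTML-escaped event values.
    Message, User, Host and similar fields come from the log line that fired
    the alert, so they are untrusted: escaping stops any markup in them from
    being interpreted by the mail client. Missing fields render as "".
    """
    bad = unknown_tags(template)
    if bad:
        raise ValueError(f"unknown template tag(s): {sorted(bad)}")

    def substitute(match: re.Match) -> str:
        value = event.get(match.group(1), "")
        if isinstance(value, list):          # e.g. MitreTactics
            value = ", ".join(str(v) for v in value)
        return html.escape(str(value), quote=True)

    return TAG_RE.sub(substitute, template)
```

Calling `render(TEMPLATE, SAMPLE_EVENT)` yields the alert body with the `<b>` in the message shown literally rather than rendered as bold.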
Managing Recipients
Recipient Types
| Type | Best For | Example |
|---|---|---|
| Individual | Single user alerts | security-admin@example.com |
| Distribution List | Team-wide | soc-team@example.com |
| Role-Based | Dynamic membership | "Security Admin" role |
| On-Call Schedule | 24/7 coverage | PagerDuty/Opsgenie integration |
Use role-based recipients for automatic updates when team membership changes.
Severity-Based Routing
| Severity | Recipients |
|---|---|
| Critical | On-call + SOC Team |
| High | SOC Team |
| Medium | Security Admin (digest) |
| Low | Weekly summary only |
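The routing table above combined with the delivery modes and digest frequencies from the Email Delivery Modes section, as an added example (not CastellanAI code): an event is assigned recipients by severity, its send time is computed from the digest schedule, and queued events are batched into one digest per slot. The recipient addresses are constructed placeholders; treating High as immediate, Medium as the daily 9 AM digest, and the weekly summary as Monday 9 AM are assumptions the page does not state.

```python
from datetime import datetime, timedelta

# Severity routing from the table above; addresses are constructed placeholders.
# Assumptions: "High" goes out immediately (the page gives it no mode) and the
# Medium digest is the daily 9 AM one.
ROUTING = {
    "Critical": ("immediate", ["oncall@example.com", "soc-team@example.com"]),
    "High":     ("immediate", ["soc-team@example.com"]),
    "Medium":   ("daily-9am", ["security-admin@example.com"]),
    "Low":      ("weekly",    ["security-admin@example.com"]),
}
SAMPLE_NOW = datetime(2024, 5, 1, 10, 17)   # constructed: a Wednesday, 10:17 local

def next_delivery(mode: str, now: datetime) -> datetime:
    """When an event detected at `now` actually leaves the mail queue.
    Digest slots follow the Digest Frequencies table: on the hour, every 4
    hours at 00/04/08/..., daily at 9 AM or 5 PM local time. The weekly slot
    (Monday 9 AM) is an assumption; the page does not state a weekly time.
    """
    top = now.replace(minute=0, second=0, microsecond=0)
    if mode == "immediate":
        return now
    if mode == "hourly":
        return top + timedelta(hours=1)
    if mode == "every-4h":
        return top + timedelta(hours=4 - top.hour % 4)
    if mode in ("daily-9am", "daily-5pm"):
        slot = top.replace(hour=9 if mode == "daily-9am" else 17)
        return slot if slot > now else slot + timedelta(days=1)
    if mode == "weekly":
        slot = top.replace(hour=9) + timedelta(days=(7 - now.weekday()) % 7)
        return slot if slot > now else slot + timedelta(days=7)
    raise ValueError(f"unknown delivery mode: {mode}")

def route(event: dict, now: datetime) -> dict:
    """Recipients and send time for one event, chosen by its severity."""
    mode, recipients = ROUTING[event["Severity"]]
    return {"mode": mode, "to": recipients, "send_at": next_delivery(mode, now)}

def batch_digests(events: list, now: datetime) -> dict:
    """Group queued events per (mode, slot) so each slot yields one digest
    email listing several EventIds instead of one email per event."""
    digests = {}
    for ev in events:
        r = route(ev, now)
        if r["mode"] == "immediate":
            continue                               # sent as they arrive
        key = (r["mode"], r["send_at"].isoformat())
        digests.setdefault(key, []).append(ev["EventId"])
    return digests
```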
Troubleshooting
Emails Going to Spam
| Solution | Implementation |
|---|---|
| Configure SPF | Add DNS record |
| Set up DKIM | Configure signature |
| Add DMARC | Enable policy |
| Safe sender | Add noreply@castellanai.com |
SMTP Authentication Errors
| Issue | Solution |
|---|---|
| Wrong credentials | Verify username/password |
| App password needed | Use app-specific password |
| TLS required | Ensure port 587 with TLS |
Delivery Delays
| Cause | Solution |
|---|---|
| Rate limiting | Check server logs |
| Queue backup | Increase timeout |
| Network issues | Verify connectivity |
Template Rendering Issues
| Issue | Solution |
|---|---|
| Layout broken | Use inline CSS |
| Images missing | Use absolute URLs |
| Client variations | Test multiple clients |
Best Practices
| Practice | Description |
|---|---|
| Severity-Based Routing | Critical → immediate, Medium → digest, Low → summary |
| Configure SPF/DKIM | Prevent spam classification |
| Include Action Links | Direct links to dashboard |
| Test Regularly | Monthly delivery tests |
Email Configuration Checklist
- Configure SMTP settings (if custom)
- Set up SPF, DKIM, DMARC records
- Create alert rules by severity
- Customize email templates
- Add dynamic tags
- Configure recipients
- Test delivery to all recipient types
- Document escalation procedures
What's Next?
| Guide | Description |
|---|---|
| Notifications Overview | All notification channels |
| Microsoft Teams Integration | Real-time Teams alerts |
| Slack Integration | Real-time Slack alerts |