Email Alert Configuration
Configure email notifications for security events with customizable templates, delivery schedules, and recipient management.
Why Use Email Alerts?
Email remains one of the most reliable and widely-monitored notification channels for security teams:
| Benefit | Description |
|---|---|
| Universal Access | Everyone has email—no additional tools or apps required to receive alerts |
| Flexible Scheduling | Send immediate alerts or scheduled digest summaries based on severity |
| Rich Formatting | Use HTML templates with tables, colors, and embedded images for clarity |
Email Delivery Modes
CastellanAI supports three email delivery modes to balance responsiveness with alert fatigue:
Immediate Alerts
Emails are sent within seconds of event detection. Best for critical threats requiring immediate attention.
Typical use cases:
- Malware detection and active threats
- Authentication failures and account lockouts
- Privilege escalation attempts
- Critical agent health failures
Hourly/Daily Digest
Batch multiple events into periodic summary emails. Reduces alert fatigue while maintaining visibility.
Digest frequencies:
- Hourly (every hour)
- Every 4 hours
- Daily at 9:00 AM
- Daily at 5:00 PM
Weekly Summary
High-level security posture report sent weekly. Perfect for leadership and compliance teams.
Includes:
- Total events by severity
- Top threat types detected
- Security score trend
- Key recommendations
Configuring Email Alerts
Step 1: Navigate to Email Settings
Go to Configuration → Notifications → Email Alerts. You'll see existing email alert rules and SMTP configuration status.
Step 2: Configure SMTP Settings (If Required)
CastellanAI includes default email delivery. For custom SMTP, configure your mail server details.
| Setting | Example |
|---|---|
| SMTP Server | smtp.example.com |
| Port | 587 (TLS) or 465 (SSL) |
| Username | alerts@example.com |
| Password | Encrypted password or app token |
| From Address | CastellanAI Alerts <alerts@example.com> |
Step 3: Create Email Alert Rule
Click + New Email Alert and configure the rule conditions.
Rule configuration options:
- Event Filters - Specify event type, severity, host, or user to trigger alerts
- Delivery Mode - Choose immediate, hourly digest, daily digest, or weekly summary
- Recipients - Add individual email addresses or distribution lists
Step 4: Customize Email Template
Select a pre-built template or create custom HTML email layouts.
8 default templates available:
- Critical Threat Alert
- Authentication Failure
- Malware Detection
- Correlation Alert
- Agent Health Issue
- Daily Security Summary
- Weekly Executive Report
- Custom Event
Step 5: Add Dynamic Tags
Use dynamic tags to include real-time event data in email templates.
Supported tags (15+ available):
- {{EventType}} - Event category
- {{Severity}} - Severity level
- {{Timestamp}} - Event time
- {{Host}} - Affected hostname
- {{User}} - Associated user
- {{Message}} - Event description
- {{RiskScore}} - Risk score value
- {{EventId}} - Unique identifier
Step 6: Test and Activate
Send a test email to verify delivery and formatting before enabling the rule.
Test emails include sample event data to preview the final appearance.
Email Template Customization
Customize email templates to match your organization's branding and information needs:
Header & Branding
Add your company logo, custom colors, and header text to all email alerts.
Customizable elements:
- Company logo (max 200x60px)
- Primary brand color (hex code)
- Footer text and disclaimer
- Contact information and links
Content Blocks
Choose which information blocks to include in each alert type.
Available blocks:
- Event summary table
- Affected assets list
- Risk score indicator
- Recommended actions
- Similar events section
- Quick action buttons
Advanced HTML Editor
For complete control, edit the raw HTML template with full CSS support.
```html
<html>
<head>
<style>
.alert { color: #ff4444; }
</style>
</head>
<body>
<h1>{{EventType}} Alert</h1>
<p>Severity: <span class="alert">{{Severity}}</span></p>
<table>
<tr><td>Host:</td><td>{{Host}}</td></tr>
</table>
</body>
</html>
```
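The dynamic tags from Step 5 are filled in from event data, and values such as hostnames, usernames and log messages can carry characters that an HTML mail client would interpret as markup. The following is an added example of how a renderer for these templates should treat that data; it is not CastellanAI's own rendering code. It assumes the `{{Tag}}` syntax and tag names listed on this page, uses the HTML template from the editor above extended with a Message row, and the sample event values are constructed. It also checks a template for unsupported tags, which is the kind of check worth running before the "Test and Activate" step.

```python
import html
import re
from typing import Dict, Set

# Dynamic tags listed on the page. Event-derived values (hostnames, usernames,
# log messages) may contain characters that an HTML email client would treat
# as markup, so every substitution is HTML-escaped.
KNOWN_TAGS: Set[str] = {
    "EventType", "Severity", "Timestamp", "Host",
    "User", "Message", "RiskScore", "EventId",
}

# Matches {{TagName}} with optional whitespace inside the braces.
TAG_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")

# The raw HTML template from the page, with a Message row added.
SAMPLE_TEMPLATE = """<html>
<head>
<style>
.alert { color: #ff4444; }
</style>
</head>
<body>
<h1>{{EventType}} Alert</h1>
<p>Severity: <span class="alert">{{Severity}}</span></p>
<table>
<tr><td>Host:</td><td>{{Host}}</td></tr>
<tr><td>Message:</td><td>{{Message}}</td></tr>
</table>
</body>
</html>"""

# Constructed sample event. Host and Message deliberately contain markup-like
# characters to show they are rendered as text, not interpreted as HTML.
SAMPLE_EVENT: Dict[str, object] = {
    "EventType": "Malware Detection",
    "Severity": "Critical",
    "Timestamp": "2024-01-01T00:00:00Z",   # constructed
    "Host": "web01 <b>not bold</b>",
    "User": "svc-backup",
    "Message": 'Quarantined "dropper.exe" & blocked C2 <callback>',
    "RiskScore": 92,
    "EventId": "evt-0001",                 # constructed placeholder id
}


def validate_template(template: str) -> Set[str]:
    """Return the tags used in the template that are not supported.

    Run this before activating a rule: an unknown tag would otherwise reach
    recipients as a literal placeholder or fail at send time.
    """
    return {m.group(1) for m in TAG_RE.finditer(template)} - KNOWN_TAGS


def render_template(template: str, event: Dict[str, object]) -> str:
    """Substitute {{Tag}} placeholders with HTML-escaped event values."""
    unknown = validate_template(template)
    if unknown:
        raise KeyError(f"unsupported template tags: {sorted(unknown)}")

    def substitute(match: "re.Match[str]") -> str:
        # A missing value renders as empty text rather than leaking the placeholder.
        value = event.get(match.group(1), "")
        return html.escape(str(value), quote=True)

    return TAG_RE.sub(substitute, template)


if __name__ == "__main__":
    print(render_template(SAMPLE_TEMPLATE, SAMPLE_EVENT))
```

Escaping on output is the right place to do it: the template author keeps full control of the HTML and CSS, while anything that originated from a monitored host arrives in the inbox as literal text.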
Managing Recipients
Control who receives email alerts based on event severity and type:
| Recipient Type | Best For | Example |
|---|---|---|
| Individual Email | Single user alerts | security-admin@example.com |
| Distribution List | Team-wide notifications | soc-team@example.com |
| Role-Based | Dynamic team membership | All users with "Security Admin" role |
| On-Call Schedule | 24/7 coverage rotation | Integrates with PagerDuty/Opsgenie |
Pro Tip: Use role-based recipients for automatic updates when team membership changes.
Best Practices
- Use Severity-Based Routing - Send critical alerts immediately to on-call staff, medium severity to hourly digests, and low severity to daily summaries.
- Configure SPF and DKIM - Set up SPF and DKIM records for your domain to prevent alerts from being marked as spam.
- Include Action Links - Add direct links to the CastellanAI dashboard for quick investigation and response.
- Test Regularly - Send test emails monthly to verify delivery and ensure templates render correctly in all email clients.
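The severity-based routing practice above combines the three delivery modes from the start of this page: critical events go out immediately, medium severity collects into hourly digests, low severity into daily ones. The following added example shows that routing logic as a small planner; it is not CastellanAI's code. The routing table, addresses and events are constructed, and one design choice worth noting is the fallback: an event whose severity is not in the table is sent to the daily digest rather than dropped, so a classification gap never silences an alert.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Delivery modes described on the page.
IMMEDIATE = "immediate"
HOURLY_DIGEST = "hourly"
DAILY_DIGEST = "daily"

# Constructed routing policy: severity -> (delivery mode, recipients).
# Addresses are placeholders in the style of the page's examples.
ROUTING: Dict[str, Tuple[str, List[str]]] = {
    "critical": (IMMEDIATE, ["oncall@example.com", "soc-team@example.com"]),
    "high":     (IMMEDIATE, ["soc-team@example.com"]),
    "medium":   (HOURLY_DIGEST, ["soc-team@example.com"]),
    "low":      (DAILY_DIGEST, ["security-admin@example.com"]),
}
# Events with an unrecognised severity are never dropped: they fall back to
# the daily digest so a classification bug does not silence them.
FALLBACK: Tuple[str, List[str]] = (DAILY_DIGEST, ["security-admin@example.com"])


@dataclass
class Event:
    event_id: str
    event_type: str
    severity: str
    host: str
    timestamp: datetime


@dataclass
class OutboundMail:
    mode: str
    recipients: List[str]
    subject: str
    events: List[Event]


def count_by_severity(events: List[Event]) -> Dict[str, int]:
    """Severity histogram, used in digest subjects and the weekly summary."""
    counts: Dict[str, int] = {}
    for ev in events:
        key = ev.severity.lower()
        counts[key] = counts.get(key, 0) + 1
    return counts


def plan_delivery(events: List[Event]) -> List[OutboundMail]:
    """Map events to outbound mails: one mail per immediate event, and one
    digest per (mode, recipient set) for everything else."""
    mails: List[OutboundMail] = []
    digests: Dict[Tuple[str, Tuple[str, ...]], List[Event]] = {}
    for ev in events:
        mode, recipients = ROUTING.get(ev.severity.lower(), FALLBACK)
        if mode == IMMEDIATE:
            subject = f"[{ev.severity.upper()}] {ev.event_type} on {ev.host}"
            mails.append(OutboundMail(mode, list(recipients), subject, [ev]))
        else:
            digests.setdefault((mode, tuple(recipients)), []).append(ev)
    for (mode, recipients), batch in digests.items():
        counts = count_by_severity(batch)
        breakdown = ", ".join(f"{n} {sev}" for sev, n in sorted(counts.items()))
        subject = f"{mode.title()} security digest: {len(batch)} events ({breakdown})"
        mails.append(OutboundMail(mode, list(recipients), subject, batch))
    return mails


# Constructed sample events covering every branch, including an unknown severity.
SAMPLE_EVENTS: List[Event] = [
    Event("evt-1", "Malware Detection", "critical", "web01", datetime(2024, 1, 1, 9, 0)),
    Event("evt-2", "Failed Login", "medium", "vpn01", datetime(2024, 1, 1, 9, 5)),
    Event("evt-3", "Privilege Escalation", "high", "db01", datetime(2024, 1, 1, 9, 7)),
    Event("evt-4", "Agent Heartbeat Missed", "low", "ws42", datetime(2024, 1, 1, 9, 10)),
    Event("evt-5", "Failed Login", "medium", "vpn01", datetime(2024, 1, 1, 9, 30)),
    Event("evt-6", "Custom Event", "informational", "ws07", datetime(2024, 1, 1, 9, 45)),
]


if __name__ == "__main__":
    for mail in plan_delivery(SAMPLE_EVENTS):
        print(mail.mode, mail.recipients, mail.subject)
```

Keying digests by both mode and recipient set keeps the on-call list and the wider team from receiving each other's batches while still collapsing repeated events from one host into a single message.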
Troubleshooting Email Delivery
If email alerts are not being delivered, check these common issues:
Emails Going to Spam
Verify that SPF, DKIM, and DMARC records are configured for your sending domain. Add the CastellanAI sender address to your organization's safe senders list: noreply@castellanai.com
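Both the "Configure SPF and DKIM" best practice and this troubleshooting item come down to what the domain's DNS TXT records say. The following added example (not CastellanAI's code) audits a set of such records offline: it checks whether the SPF record directly authorises the relay's IP, whether the DMARC policy is one receivers will act on, and whether a DKIM public key is published for the selector. The TXT records, domain, selector and IP addresses are constructed; in practice you would paste in the output of `dig TXT` for each name. The SPF `include:`, `a:` and `mx:` mechanisms need live DNS and are reported as unevaluated rather than resolved.

```python
import ipaddress
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed TXT records for the page's example domain. Nothing is looked up
# over DNS; replace these with real `dig TXT <name>` output.
TXT_RECORDS: Dict[str, str] = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 include:_spf.mailrelay.example -all",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
    "alerts._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
}

SPF_DNS_MECHANISMS = ("include", "a", "mx")  # need resolution, not evaluated here


def spf_terms(record: str) -> List[str]:
    """Split an SPF record into its terms, without the leading version token."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    return record.split()[1:]


def spf_networks(record: str) -> List[Network]:
    """Return the ip4:/ip6: networks the SPF record authorises directly."""
    nets: List[Network] = []
    for term in spf_terms(record):
        term = term.lstrip("+-~?")  # drop the qualifier, if any
        if term.lower().startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term.split(":", 1)[1], strict=False))
    return nets


def spf_covers(record: str, ip: str) -> bool:
    """True if the relay IP falls inside an ip4:/ip6: mechanism of the record."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in spf_networks(record))


def parse_tagged(record: str) -> Dict[str, str]:
    """Parse the 'k=v; k=v' syntax shared by DMARC and DKIM records."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_sender_domain(records: Dict[str, str], domain: str,
                        selector: str, relay_ip: str) -> Dict[str, object]:
    """Check SPF, DMARC and DKIM records for an alert sending domain."""
    findings: List[str] = []
    result: Dict[str, object] = {"findings": findings}

    spf = records.get(domain)
    if spf is None:
        findings.append("no SPF record")
        result["spf_covers_relay"] = False
    else:
        result["spf_covers_relay"] = spf_covers(spf, relay_ip)
        unresolved = [t for t in spf_terms(spf)
                      if t.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0].lower()
                      in SPF_DNS_MECHANISMS]
        if unresolved:
            findings.append(f"SPF terms needing DNS resolution, not evaluated: {unresolved}")
        if spf.split()[-1].lower() not in ("-all", "~all"):
            findings.append("SPF does not end with -all or ~all")

    dmarc = records.get(f"_dmarc.{domain}")
    policy = None
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        tags = parse_tagged(dmarc)
        policy = tags.get("p")
        if tags.get("v") != "DMARC1":
            findings.append("DMARC record missing v=DMARC1")
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC policy is p={policy}; receivers will not act on failures")
        if "rua" not in tags:
            findings.append("DMARC has no rua= address, so aggregate reports are not collected")
    result["dmarc_policy"] = policy

    dkim = records.get(f"{selector}._domainkey.{domain}")
    key_published = bool(parse_tagged(dkim).get("p")) if dkim else False
    if not key_published:
        findings.append(f"no DKIM public key published for selector {selector}")
    result["dkim_key_published"] = key_published
    return result
```

A relay IP that is not covered, a `p=none` DMARC policy, or a missing DKIM selector record are the usual reasons a correctly configured SMTP rule still lands in spam, so these three checks are the first thing to run when that symptom appears.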
SMTP Authentication Errors
Verify that the username and password are correct. For Gmail or Office 365, use app-specific passwords instead of account passwords.
Delivery Delays
Check the mail server logs for rate limiting or throttling. Consider increasing the SMTP timeout setting.
Template Rendering Issues
Test emails in multiple clients (Outlook, Gmail, Apple Mail). Use inline CSS instead of external stylesheets.
What's Next?
- Notifications Overview - Learn about all available notification channels
- Microsoft Teams Integration - Set up Teams integration for real-time collaboration