Notifications
Delivery and email
This page is for administrators who make sure notifications actually get delivered. It covers two related areas: the Notification Admin hub — where you watch notification quality, set org-wide rules, and diagnose delivery — and Outbound Email, where you configure the mailboxes ThreatWeaver sends from and inspect every message it tried to send.
What it's for
- Watch delivery quality — see which notification types people find useful and which are noise.
- Set org-wide policy — define schemes of notification types users can't opt out of.
- Prove and fix delivery — inspect the send log, replay stuck messages, and run a diagnostic that simulates the pipeline for one person and one event type.
- Manage sending mailboxes — connect one or more senders, set failover order, and test them.
The screens in it
The Notification Admin hub
The Notification Admin hub gathers the delivery-side tools under a set of tabs.
| Tab | What it's for |
|---|---|
| Health | Per-type quality metrics — how often each notification type is rated useful. |
| Rules | A separate, simpler set of org-wide routing rules — not the same feature as Alert rules, which routes zero-day vulnerability alerts specifically. See Rules tab below. |
| Scheme | Schemes of mandatory notification types users can't turn off. |
| Delivery | Your own delivery history — what was sent to you, and whether it arrived. |
| Diagnose | The delivery diagnostic tool. |
| Config | Basic notification delivery settings, with a link to full email settings. |
Outbound Email
Outbound Email is the dedicated screen for the mailboxes ThreatWeaver uses to send alerts and reports. Mailboxes are tried in priority order, and failover between them is automatic. Below the mailbox list are your registered sign-in apps and the Send Log.
Every control explained
Health tab
A table of notification types with a Total sent, counts of Useful and Not Useful ratings, a Quality percentage, and an Avg/day volume. Types that people rate poorly are called out at the top as low-value, so you can consider adjusting or suppressing them. Refresh reloads the metrics.
Rules tab
A separate, simpler org-wide rule set from Alert rules. These rules aren't scoped to zero-day alerts and use their own set of fields:
| Field | What it does |
|---|---|
| Name | A label for the rule. |
| Enabled | Toggles the rule on or off without deleting it. |
| Trigger mode | Fires on a single matching event, on a count reached within a time window, or on a fixed schedule. |
| Minimum tier | The lowest priority tier the rule applies to (or any tier, if left unset). |
| Mandatory | Forces the rule's routing through even for someone who has personally opted out. |
| Priority | A number used to order evaluation when more than one rule could match. |
New Rule opens the form; existing rules can be edited, deleted, or toggled on/off from the list.
Scheme tab
Schemes define which notification types users cannot opt out of.
| Control | What it does |
|---|---|
| New scheme | Opens the scheme editor. |
| Name | A label for the scheme. |
| Default scheme for new users | Applies this scheme to newly added users. |
| Mandatory types | A checklist of notification types the scheme forces on; the count of selected types is shown. |
| Save / Cancel | Saves or discards the scheme. |
| Edit / Delete (row actions) | Change or remove an existing scheme. A star marks the default. |
Delivery tab
A read-only view of what ThreatWeaver sent to you, in two lists: Email deliveries to me (each with a status — sent, pending, or failed) and In-app alerts. Refresh reloads both. This answers "did my own alerts arrive?" without exposing the organization-wide log.
Diagnose tab
The diagnostic simulates the delivery pipeline for one recipient and one event type, then explains what would happen and why.
| Control | What it does |
|---|---|
| User | The person whose delivery you're checking. This is a plain text field expecting that person's user ID, not a name/email search — look their ID up elsewhere first (for example, the user's own profile or an admin user list). |
| Notification type | The event type you're investigating. This is also free text, and it must match the internal event key exactly — for example finding.new_critical — rather than a name you pick from a list. |
| Run diagnostic | Runs the simulation. |
The result shows a plain-language conclusion, the pipeline steps it walked through (and where an alert would be stopped), and any recent deliveries for that person and type.
Config tab
Basic delivery settings for notifications, plus a link to the full Outbound Email screen for anything more advanced.
| Control | What it does |
|---|---|
| Global email delivery enabled | Master switch for sending notification email at all. |
| SMTP host / port / user / password | Connection details for the sending server. An existing password is kept if you leave the field blank. |
| From address | The address notifications are sent from. |
| Save config | Saves the settings. |
| Send test notification | Sends a test to confirm delivery is working. |
Outbound Email — header actions
| Control | What it does |
|---|---|
| Use ThreatWeaver Default | Creates a ready-to-use sending mailbox managed by ThreatWeaver, so you can send straight away without your own server. (Shown when available.) |
| Connect with Microsoft | Connects a Microsoft mailbox by signing in and granting send permission. |
| Connect with Google | Connects a Google mailbox the same way. |
| Add SMTP Mailbox | Adds a mailbox using your own SMTP server details. |
Outbound Email — the mailbox list
Each mailbox row shows a status dot, its display name, a Primary badge on the active top sender, the provider, and a health badge. For a mailbox that's in service, this shows healthy, degraded, failed, or unprobed; for one that's inactive, it shows draft or disabled instead (a new mailbox starts as draft and stays that way until you activate it). Beneath that are the from-address, server details, when health was last checked, and how many messages it has sent today.
| Control | What it does |
|---|---|
| Up / Down arrows | Reorder failover priority. The first active mailbox is the Primary sender. |
| Test | Opens a dialog to send a test email from that mailbox. |
| Activate / Disable | Brings a mailbox into service or takes it out. New mailboxes start inactive until their health check passes. |
| Delete (trash) | Removes the mailbox after you confirm. |
Add SMTP Mailbox dialog
| Field | What it does |
|---|---|
| Display name | A label for the mailbox. |
| From address / From name | The address and name mail is sent as. |
| Reply-To | An optional different reply address. |
| SMTP host / Port | Your mail server and its port. |
| Encryption | STARTTLS, Implicit TLS, or None (not recommended). |
| Username / Password | Sign-in credentials for the server. For Gmail, use an app password rather than your account password. The eye icon reveals the password. |
| Save Mailbox | Creates the mailbox. It starts inactive while its health is checked in the background; activate it once it shows healthy. |
Connect Microsoft / Google dialogs
Connecting opens a sign-in popup where you authorize ThreatWeaver to send mail on your behalf; the from-address is filled in automatically from the account you connect. You give the mailbox a Display name, and optionally a From name and Reply-To. Microsoft lets you scope which kinds of account may connect; Google lets you restrict consent to a specific Workspace domain. The mailbox starts inactive and is activated once healthy.
Sign-in apps (advanced)
Below the mailbox list you can register your own Microsoft or Google sign-in app, so the consent screen and audit trail stay within your organization. Each entry records the app's name, provider, client ID, redirect address, and permissions, with a control to remove it. The register dialog includes step-by-step setup notes that link to Microsoft's and Google's official documentation.
Outbound Email — the Send Log
The Send Log lists every message ThreatWeaver attempted to send, newest first.
| Control | What it does |
|---|---|
| Status chips | Filter by outcome — queued, sending, sent, deferred, failed, bounced, complained, or suppressed. |
| Mailbox | Filter to a single sending mailbox. |
| Time range | Last 1 hour, 24 hours, 7 days, or all time. |
| Search subject / recipient | Text search across subject and recipient. |
| Replay deferred | Re-queues messages that were deferred, and reports how many were requeued. |
| Refresh | Reloads the list. |
The table shows each message's status, subject, recipient, sending mailbox, the template used, the number of send attempts, and when it was queued. Row actions:
| Action | What it does |
|---|---|
| View (eye) | Opens a detail dialog with the full recipient list, timestamps, attempt history, and the provider's response. |
| Re-queue | Tries a failed or deferred message again. |
Arrows at the bottom page through the results.
Common workflows
Workflow: connect a sending mailbox and prove it works
-
On Outbound Email, click Add SMTP Mailbox (or Connect with Microsoft / Connect with Google).
Step 1 — starting a new mailbox -
Fill in the mailbox details and save. The mailbox is created inactive while its health is checked.
Step 2 — the new mailbox with its health badge -
Once it shows healthy, click Test, enter your own address, and send. A success message confirms delivery.
-
Click Activate to bring the mailbox into service. Use the up/down arrows to set its failover priority.
Workflow: find out why someone isn't getting an alert
-
Open the Notification Admin hub and select the Diagnose tab.
-
Enter the affected User and the Notification type in question.
-
Click Run diagnostic and read the conclusion and pipeline steps to see where the alert is being stopped (for example, a personal preference set to Off, or global email delivery disabled).
Step 3 — the diagnostic result and pipeline steps -
If the diagnostic points at delivery, open the Send Log on Outbound Email, filter to failed or deferred, open the message to read the provider response, and use Re-queue or Replay deferred once the cause is fixed.