Email Alerts Enterprise
Enterprise email alerting has two layers:
| Layer | Location | Who receives mail |
|---|---|---|
| User notifications | Settings > Notifications | Your Trapster account |
| Distribution emails | Settings > Integrations > Emails | Shared addresses (for example soc@company.com) |
User notifications
Each user chooses how much email they want:
| Level | What you receive |
|---|---|
| All notifications | Every incident in your accessible namespaces |
| Only login attempts | Credential submissions, breadcrumb triggers, and honeytoken hits |
| No notifications | Nothing |
Administrators can set a default level when inviting someone. Users can change their own preference afterward.
Distribution emails
Add org-wide recipients that are not tied to a Trapster user account:
- Go to Settings > Integrations > Emails
- Enter an email address and choose namespace scope (all namespaces or selected namespaces)
- Click Add
Distribution addresses receive all incidents in scope. There is no per-type filter on this page.
Alert content
Incident emails include event type, source IP, target service, credentials when applicable, breadcrumb placement notes, timestamp, and a link to the incident in the dashboard.
Frequency
Trapster sends one email per incident for honeypot activity, not one per event. Rapid follow-up activity on the same incident is folded into that single message where possible.
Honeytoken incidents are emailed immediately.
Severity escalation and email
Incidents can escalate over time: a connection that starts as Low may become High when credentials are submitted, or Critical when a breadcrumb fires.
Email behaves differently from webhooks and syslog:
| Channel | On escalation (same incident gets a more severe event) |
|---|---|
| Webhooks / syslog | Sent again when severity increases |
| Email | Not sent again for the same incident |
The email reflects the incident's severity at send time. If several events arrive in quick succession before the email goes out, the message uses the highest severity reached.
Practical guidance
For alerts on every severity change, configure webhooks or syslog under Settings > Integrations and route them to your SIEM or ticketing system. Those channels notify again when an incident escalates.
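
One way a SIEM or ticketing integration could act on the repeated webhook or syslog deliveries described above, opening a ticket once and raising it only when severity increases. This is an added example, not Trapster code: the `incident_id` and `severity` field names are assumed rather than taken from Trapster's webhook schema, and only the three severity names used on this page are ranked.

```python
# Added example. Field names "incident_id" and "severity" are assumptions,
# not Trapster's documented webhook schema.
SEVERITY_RANK = {"Low": 1, "High": 2, "Critical": 3}  # names used on this page


class EscalationTracker:
    """Decide what to do with each webhook/syslog delivery for an incident."""

    def __init__(self):
        self._highest = {}  # incident id -> highest severity rank seen so far

    def handle(self, event):
        incident = event["incident_id"]
        rank = SEVERITY_RANK.get(event["severity"])
        if rank is None:
            return "review"  # unknown label: surface it instead of dropping it
        previous = self._highest.get(incident)
        if previous is None:
            self._highest[incident] = rank
            return "open"  # first delivery: create the ticket
        if rank > previous:
            self._highest[incident] = rank
            return "escalate"  # severity increased: re-notify, raise priority
        return "ignore"  # duplicate or lower-severity delivery


def plan_actions(events):
    """Return (incident, severity, action) for each delivery, in order."""
    tracker = EscalationTracker()
    return [(e["incident_id"], e["severity"], tracker.handle(e)) for e in events]


# Constructed sample deliveries, in arrival order.
SAMPLE_EVENTS = [
    {"incident_id": "inc-1", "severity": "Low"},       # connection
    {"incident_id": "inc-1", "severity": "High"},      # credentials submitted
    {"incident_id": "inc-1", "severity": "High"},      # repeated delivery
    {"incident_id": "inc-2", "severity": "Critical"},  # breadcrumb fired
    {"incident_id": "inc-1", "severity": "Critical"},
    {"incident_id": "inc-2", "severity": "Low"},       # late, lower severity
    {"incident_id": "inc-3", "severity": "Severe"},    # label not in the map
]

if __name__ == "__main__":
    for row in plan_actions(SAMPLE_EVENTS):
        print(*row)
```

An email-only recipient would get a single message for `inc-1`; the two `escalate` actions are visible only on the webhook or syslog path.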
Related
- Incidents: Severity levels and escalation
- Alerting overview: Webhooks, syslog, and other channels
