Topic
  • 8 replies
  • Latest Post - 2016-05-18T09:12:05Z by MikeParkes
JThur
2 Posts

Pinned topic Edit email output?

2014-10-23T12:32:00Z | email sms

I'm wondering if there is a way to edit the information that is presented in the emails that are generated from offenses. I'd like to remove some of the fields to allow us to do sms alerts that don't span multiple text messages. Has anyone tried this or is it possible?

  • sree_ibm
    16 Posts

    Re: Edit email output?

    2014-10-24T20:49:10Z

    Hi, a couple of questions:

    1. Which version of QRadar are you running?

    2. Are you talking about the email of the offense summary details, or the emails sent as a response to a triggered rule?

    If it is the former, then this link would give you details on how to do it:

    http://www-01.ibm.com/support/knowledgecenter/SS42VS_7.2.2/com.ibm.qradar.doc_7.2.2/t_CONFIGURING_CUSTOM_EMAIL_NOTIFICATIONS.html?lang=en

  • Tpos
    9 Posts

    Re: Edit email output?

    2015-03-16T11:28:28Z

    I don't want to create a new topic for the same problem.

    This is my custom email notification in the alert-config.xml file below:

    <?xml version="1.0" encoding="UTF-8"?>
    <templates>
        <template>
            <templatename>Default Event</templatename>
            <templatetype>event</templatetype>
            <active>true</active>
            <filename></filename>
            <subject>${sem_ruleResponse_email_subject}</subject>
            <body>
               ${StartTime}

       
               There is source            ${SourceIP} IP address.
               There is destination      ${DestinationIP} IP address.
               Log information            ${Payload}
            </body>
            <from></from>
            <to></to>
            <cc></cc>
            <bcc></bcc>
        </template>
        <template>
            <templatename>Default Flow</templatename>
            <templatetype>flow</templatetype>
            <active>true</active>
            <filename></filename>
            <subject>${sem_ruleResponse_email_subject}</subject>
            <body>
             ${StartTime}

               There is source            ${SourceIP} IP address.
               There is destination      ${DestinationIP} IP address.
               Log information            ${Payload}
            </body>
            <from></from>
            <to></to>
            <cc></cc>
            <bcc></bcc>
        </template>
    </templates>

     

    I did all the steps in the Custom email notification guide (ftp://ftp.software.ibm.com/software/security/products/qradar/documents/71MR1/SIEM/TechNotes/Custom_Email_Notification.pdf). But I am still getting the default email notification. Any ideas what is wrong?

  • sree_ibm
    16 Posts

    Re: Edit email output?

    2015-03-18T14:20:39Z
    • Tpos
    • 2015-03-16T11:28:28Z


    Hi Tpos,

    I actually copied your template and was successful in getting the alert email with the changes you mentioned.

    Message 281:
    From QRADAR@localhost.localdomain  Wed Mar 18 11:03:44 2015
    Return-Path: <QRADAR@localhost.localdomain>
    X-Original-To: <Removed>
    Delivered-To: <Removed>
    Date: Wed, 18 Mar 2015 11:03:44 -0300 (ADT)
    From: <removed>
    To: <removed>
    Subject: TestRule Fired
    Content-Type: text/plain; charset=UTF-8
    Status: R


               Mar 18, 2015 11:03:33 AM ADT


               There is source            <IP Removed by user> IP address.
               There is destination      <IP Removed by user> IP address.
               Log information            <Payload Removed by user>

     

    If you are receiving the default template, it tells me that the template was not deployed successfully. There are possibly three reasons for it:

    1. You have more than one template active for each type, i.e. one for events and one for flows. Ensure that your template was not accidentally commented out in alert-config.xml.

    2. While running /opt/qradar/bin/runCustAlertValidator.sh ~/<DIR>/ ensure you give the full path. Also ensure you see this message "File alert-config.xml was deployed successfully to staging!" before proceeding.

    3. If successful, log in to the QRadar UI, then go to the Admin tab and do a full Deploy.

    The third step is required to ensure the template is changed. Also, you may just copy the alert-config.xml to the directory you create and change the template there.

    Regards,

    Sree
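Added example, not from this thread or from QRadar: a small Python check that parses an alert-config.xml and flags the first of the three reasons above (more than one active template per type, or a type with no active template because it was commented out), and that also renders each template body with sample values to estimate how many SMS messages it would span, which is the concern in the opening question. The XML and the placeholder values are constructed; the 160-character limit is the single 7-bit GSM message size, and the script makes no claim about how QRadar itself validates or deploys the file.

```python
# Added example (not the thread's or QRadar's own code): sanity-check an
# alert-config.xml for the deployment pitfalls described above and estimate
# the SMS size of each template body.
import re
import xml.etree.ElementTree as ET

# Constructed sample: two active event templates, and the flow template
# commented out (the problem Tpos eventually found).
SAMPLE_ALERT_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<templates>
  <template>
    <templatename>Default Event</templatename>
    <templatetype>event</templatetype><active>true</active><filename></filename>
    <subject>${sem_ruleResponse_email_subject}</subject>
    <body>
       ${StartTime}
       There is source            ${SourceIP} IP address.
       There is destination      ${DestinationIP} IP address.
       Log information            ${Payload}
    </body>
    <from></from><to></to><cc></cc><bcc></bcc>
  </template>
  <template>
    <templatename>Short SMS Event</templatename>
    <templatetype>event</templatetype><active>true</active><filename></filename>
    <subject>${sem_ruleResponse_email_subject}</subject>
    <body>${StartTime} src=${SourceIP} dst=${DestinationIP}</body>
    <from></from><to></to><cc></cc><bcc></bcc>
  </template>
  <!-- accidentally commented out:
  <template>
    <templatename>Default Flow</templatename>
    <templatetype>flow</templatetype><active>true</active>
  </template>
  -->
</templates>
"""

# Constructed placeholder values of realistic size for the length estimate.
SAMPLE_VALUES = {
    "StartTime": "Mar 18, 2015 11:03:33 AM ADT",
    "SourceIP": "192.0.2.10",
    "DestinationIP": "198.51.100.20",
    "Payload": "x" * 300,  # a raw log payload is easily this long
}

GSM_SINGLE_SMS = 160  # characters in one 7-bit GSM text message
PLACEHOLDER = re.compile(r"\$\{(\w+)\}")


def load_templates(xml_text):
    """Parse the file into dicts with name, type, active flag and body.
    ElementTree drops XML comments, so a commented-out template vanishes."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    return [{
        "name": (t.findtext("templatename") or "").strip(),
        "type": (t.findtext("templatetype") or "").strip(),
        "active": (t.findtext("active") or "").strip().lower() == "true",
        "body": t.findtext("body") or "",
    } for t in root.findall("template")]


def find_problems(templates, expected_types=("event", "flow")):
    """Point 1 of the reply: exactly one active template per type.
    Zero active templates of a type usually means it was commented out."""
    counts = {}
    for t in templates:
        if t["active"]:
            counts[t["type"]] = counts.get(t["type"], 0) + 1
    problems = []
    for kind in expected_types:
        n = counts.get(kind, 0)
        if n == 0:
            problems.append(f"no active {kind} template (commented out?)")
        elif n > 1:
            problems.append(f"{n} active {kind} templates, expected 1")
    return problems


def render(body, values):
    """Fill ${Name} placeholders and collapse the indentation whitespace,
    which is roughly what an email-to-SMS gateway would forward."""
    text = PLACEHOLDER.sub(lambda m: values.get(m.group(1), m.group(0)), body)
    return " ".join(text.split())


def sms_segments(text):
    """Messages a text spans at 160 chars each (ignores the shorter
    153-char limit of concatenated segments and Unicode encodings)."""
    return max(1, -(-len(text) // GSM_SINGLE_SMS))


def sms_report(templates, values):
    """Rendered length and SMS count per template name."""
    report = {}
    for t in templates:
        text = render(t["body"], values)
        report[t["name"]] = {"chars": len(text), "segments": sms_segments(text)}
    return report


if __name__ == "__main__":
    tpls = load_templates(SAMPLE_ALERT_CONFIG)
    for problem in find_problems(tpls):
        print("PROBLEM:", problem)
    for name, r in sms_report(tpls, SAMPLE_VALUES).items():
        print(f"{name}: {r['chars']} chars -> {r['segments']} SMS")
```

Run it against the real file with `load_templates(open("/path/to/alert-config.xml").read())` before running the validator script; the sample shows that the verbose body with a 300-byte payload needs three messages, while the short body fits in one.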

     

  • Tpos
    9 Posts

    Re: Edit email output?

    2015-03-19T07:13:21Z
    • sree_ibm
    • 2015-03-18T14:20:39Z


     

    sree_ibm, thank you for your help. The problem was the comments.

  • HankTheCrank
    1 Post

    Re: Edit email output?

    2016-02-10T15:51:10Z

    Hi,

    I've looked at the documentation on this topic and I don't see anything that can help me. Is there some way we can add the offense ID to the e-mail template? The document doesn't list it as an option, but I'm hoping there might be an undocumented alternative?

    Thanks!

    Hank

  • KeithES
    2 Posts

    Re: Edit email output?

    2016-03-08T22:10:23Z


    Hank,

    I actually did some research into this and it's not possible. If you look at the architecture, the email alerts are sent from the individual appliances when they are detected. At that point there isn't an offense for it to send with the alert.

     

    In newer versions, however, there are rules based on offenses: you can create an offense rule and send an email when the offense is generated. That should have the offense ID in it.

    Thanks,

    Keith

  • dunsdool
    1 Post

    Re: Edit email output?

    2016-05-05T22:24:23Z

    I know this is an old topic, but is there no way to edit the information sent in an email when an Offense is triggered? 

  • MikeParkes
    1 Post

    Re: Edit email output?

    2016-05-18T09:12:05Z

    Hi Kyle

    The Offense email template would seem to be defined within the file /opt/qradar/conf/localization/sem.properties.

    We have done some testing, and by using commenting we have been able to change the email, but it isn't an ideal method, especially as there is only one instance.

    I suggest that you raise it as a request for enhancement to have the definition moved to the alert-config.xml file.

    Regards

    Mike Parkes