Tips and tricks for customizing email templates

The custom alert email templates in IBM® QRadar® are implemented by using Velocity templates. Velocity is a Java-based template language that provides an immense amount of power and programmability.

Note: This technical blog article is as-is and didn’t go through any extra vetting.

Problem - Multitenancy domains

Currently, the DomainID for multi-tenancy or overlapping IP addresses isn’t available in the custom email templates.

Solution - Use AQL custom properties QRadar

QRadar has AQL (Ariel query language) custom properties that are available in the email templates when you use the following syntax:

${AqlCustomPropertiesList}

As the following screen capture shows, it's simple to create an AQL custom property that includes the domain information:

Image showing that domain information should be entered in the Description field. — Figure 1. AQL custom property

But, alas, we have multiple AQL custom properties and the only thing that the email template allows is to get the LIST of AqlCustomProperties and their values:

AQL Custom Properties: GregAQL: Net_10_0_0_0
00MYAQL: Net_10_0_0_0
DomainInformation: ApophisDomain (ID: 1)
SystemName: ApophisQAFedora

Because Velocity is a flexible Java-based templating language, we can just go through each of them and print the one that we want:

#foreach ( $str in $AqlCustomPropertiesList.split("\n") )
#if ( $str.contains('DomainInformation') )
                DomainInformation:                             $str
#end
#end

Adding the previous code example in the email template gives you the result you want:

DomainInformation: DomainInformation: ApophisDomain  (ID: 1)

You can also print the values of any given custom, calculated, or AQL properties by using one of the following strings:

${body.CustomProperty(“CustomName”)}
${body.CalculatedProperty(“CalculatedName”)}
${body.AqlCustomProperty(“AQLName”)}

The template is as simple as the following code snippet:

DomainInformation: ${body.AqlCustomProperty(“DomainInformation”)}