Configuring event and flow custom email notifications

When you configure rules in IBM® QRadar®, you can specify that each time the rule generates a response, an email notification is sent to recipients. The email notification provides useful information, such as event or flow properties.

About this task

You can customize the content that is included in the email notification for a rule response by editing the alert-config.xml file.
Note: References to flows do not apply to IBM QRadar Log Manager.

You must create a temporary directory where you can safely edit your copy of the files, without the risk of overwriting the default files. After you edit and save the alert-config.xml file, you must run a script that validates your changes. The validation script automatically applies your changes to a staging area. You must deploy the full configuration to rebuild the configuration files for all appliances.

Important: For IBM QRadar on Cloud, you must open a ticket with IBM Support to get a copy of the alert-config.xml file. You must open another ticket to apply the updated alert-config.xml file to your QRadar on Cloud instance.

Procedure

  1. Use SSH to log in to the QRadar Console as the root user.
  2. Create a new temporary directory to use to safely edit copies of the default files.
  3. To copy the files that are stored in the custom_alerts directory to the temporary directory, type the following command:
    cp /store/configservices/staging/globalconfig/templates/custom_alerts/*.* <directory_name>

    The <directory_name> is the name of the temporary directory that you created.

  4. Confirm that the files were copied successfully:
    1. To list the files in the directory, type ls -lah.
    2. Verify that the alert-config.xml file is listed.
  5. Open the alert-config.xml file for editing.
  6. Edit the contents of the <template> element.
    1. Required: Specify the type of template to use. Valid options are event or flow.
      <templatetype>event</templatetype>
      <templatetype>flow</templatetype>
    2. Type a name for the email template:
      <templatename>Default flow template</templatename>

      If you have more than one template, ensure that the template name is unique.

    3. Set the <active> element to true:

      <active>true</active>

    4. Edit the parameters in the <body> or <subject> elements to include the information that you want to see.
      Important: The <active></active> property must be set to true for each event and flow template type that you want to appear as an option in QRadar. There must be at least one active template for each type.

      You must also ensure that the <filename></filename> property is left empty.

      Notification parameters that you can use in the template:
      Table 1. Accepted Notification Parameters

      Common Parameters (accepted in both event and flow templates):
      AppName, RuleName, RuleDescription, EventName, EventDescription, EventProcessorId, Qid, Category, RemoteDestinationIP, Payload, Credibility, Relevance, Source, SourcePort, SourceIP, Destination, DestinationPort, DestinationIP, DestinationUserName, Protocol, StartTime, Duration, StopTime, EventCount, SourceV6, DestinationV6, UserName, DestinationNetwork, SourceNetwork, Severity, CustomProperty, CustomPropertiesList, CalculatedProperty, CalculatedPropertiesList, AQLCustomProperty, AqlCustomPropertiesList, LogSourceId, LogSourceName

      Event Parameters (event templates only):
      EventCollectorID, DeviceId, DeviceName, DeviceTime, DstPostNATPort, SrcPostNATPort, DstMACAddress, DstPostNATIPAddress, DstPreNATIPAddress, SrcMACAddress, SrcPostNATIPAddress, SrcPreNATIPAddress, SrcPreNATPort, DstPreNATPort

      Flow Parameters (flow templates only):
      Type, CompoundAppID, FlowSourceIDs, SourceASNList, DestinationASNList, InputIFIndexList, OutputIFIndexList, AppId, Host, Port, SourceBytes, SourcePackets, Direction, SourceTOS, SourceDSCP, SourcePrecedence, DestinationTOS, DestinationDSCP, SourceASN, DestinationASN, InputIFIndex, OutputIFIndex, FirstPacketTime, LastPacketTime, TotalSourceBytes, TotalDestinationBytes, TotalSourcePackets, TotalDestinationPackets, SourceQOS, DestinationQOS, SourcePayload
      Note: If you do not want to retrieve the entire list that the CustomPropertiesList, CalculatedPropertiesList, or AqlCustomPropertiesList parameter returns, you can select a specific property by using one of the following tags:
      • Custom Property: ${body.CustomProperty("<custom_property_name>")}
      • Calculated Property: ${body.CalculatedProperty("<calculated_property_name>")}
      • AQL Custom Property: ${body.AqlCustomProperty("<AQL_custom_property_name>")}
  7. Optional: To create multiple email templates, copy the following sample email template and paste it as an additional <template> element in the alert-config.xml file. Repeat Step 6 for each template that you add.
    Sample email template:
    <template>
      <templatename>Default Flow</templatename>
      <templatetype>flow</templatetype>
      <active>true</active>
      <filename></filename>
      <subject>${RuleName} Fired </subject>
      <body>
         The ${AppName} event custom rule engine sent an automated response:
    
         ${StartTime}
    
         Rule Name:                                  ${RuleName}
         Rule Description:                           ${RuleDescription}
    
         Source IP:                                  ${SourceIP}
         Source Port:                                ${SourcePort}
         Source Username (from event):               ${UserName}
         Source Network:                             ${SourceNetwork}
    
         Destination IP:                             ${DestinationIP}
         Destination Port:                           ${DestinationPort}
         Destination Username (from Asset Identity): ${DestinationUserName}
         Destination Network:                        ${DestinationNetwork}
    
         Protocol:                                   ${Protocol}
         QID:                                        ${Qid}
    
         Event Name:                                 ${EventName}
         Event Description:                          ${EventDescription}
         Category:                                   ${Category}
    
         Log Source ID:                              ${LogSourceId}
         Log Source Name:                            ${LogSourceName}
    
         Payload:                                    ${Payload}
               
         CustomPropertiesList:                       ${CustomPropertiesList}
       
         AQL Custom Property, CEP_aql_1:             ${body.AqlCustomProperty("CEP_aql_1")}
    
         Calculated Property, CEP_calc_2:            ${body.CalculatedProperty("CEP_calc_2")} 
       
         Regex Property, CEP_reg_3:                  ${body.CustomProperty("CEP_reg_3")}
    
       </body>
       <from></from>
       <to></to>
       <cc></cc>
       <bcc></bcc>
    </template>
    Note: Currently, the DomainID for multi-tenancy or overlapping IP addresses isn’t available in the custom email templates.
  8. Save and close the alert-config.xml file.
  9. Validate the changes by typing the following command:
    /opt/qradar/bin/runCustAlertValidator.sh <directory_name>

    The <directory_name> parameter is the name of the temporary directory that you created.

    If the script validates the changes successfully, the following message is displayed: File alert-config.xml was deployed successfully to staging!
  10. Deploy the changes in QRadar.
    1. Log in to QRadar.
    2. On the navigation menu, click Admin.
    3. Click Advanced > Deploy Full Configuration.
      Important: QRadar continues to collect events when you deploy the full configuration. When the event collection service must restart, QRadar does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.