You can create templates for email notifications that are triggered for offenses. You customize the content that is included in the email notification by editing the alert-config.xml file.
You must create a temporary directory where you can safely edit your copy of the files, without the risk of overwriting the default files. After you edit and save the alert-config.xml file, you must run a script that validates your changes. The validation script automatically applies your changes to a staging area. You must deploy the full configuration to rebuild the configuration files for all appliances.
Procedure
- Use SSH to log in to the QRadar® Console as the root user.
- Create a new temporary directory to use to safely edit copies of the default files.
- Type the following command to copy the files that are stored in the custom_alerts directory to the temporary directory:
  cp /store/configservices/staging/globalconfig/templates/custom_alerts/*.* <directory_name>
  The <directory_name> is the name of the temporary directory that you created.
  If the file does not exist in the staging directory, you might find it in the /opt/qradar/conf/templates/custom_alerts directory.
- Confirm that the files were copied successfully:
  - To list the files in the directory, type ls -lah.
  - Verify that the alert-config.xml file is listed.
- Open the alert-config.xml file for editing.
- Add a new <template> element for the new offense template.
  - Required: Enter offense for the template type value.
    <templatetype>offense</templatetype>
  - Type a name for the offense template. For example:
    <templatename>Default offense template</templatename>
    If you have more than one template, ensure that the template name is unique.
  - Set the <active> element to true.
    <active>true</active>
    Important: The <active></active> property must be set to true for each template type that you want to appear as an option in QRadar. There must be at least one active template for each type.
  - Edit the parameters in the <body> or <subject> elements to include the information that you want to see.
    The following lists provide the values that you can use in the offense template. $Label values provide the label for the item and the $Value values provide the data.
    Offense parameters:
    - $Value.DefaultSubject
    - $Value.Intro
    - $Value.OffenseId
    - $Value.OffenseStartTime
    - $Value.OffenseUrl
    - $Value.OffenseMRSC
    - $Value.OffenseDescription
    - $Value.EventCounts
    - $Label.OffenseSourceSummary and $Value.OffenseSourceSummary
    - $Label.TopSourceIPs and $Value.TopSourceIPs
    - $Label.TopDestinationIPs and $Value.TopDestinationIPs
    - $Label.TopLogSources and $Value.TopLogSources
    - $Label.TopUsers and $Value.TopUsers
    - $Label.TopCategories and $Value.TopCategories
    - $Label.TopAnnotations and $Value.TopAnnotations
    - $Label.ContributingCreRules and $Value.ContributingCreRules
    You can also loop over some values by using the following syntax in the template:
    #foreach( $item in $Value.X )
    $item
    #end
    Where X is one of the following values:
    - OffenseSourceSummaryList
    - TopSourceIPsList
    - TopDestinationIPsList
    - TopLogSourcesList
    - TopUsersList
    - TopCategoriesList
    - TopAnnotationsList
    - ContributingCreRulesList
    You can include the following properties by using ${X}, where X is one of the following values:
    - OffenseID
    - OffenseRuleID
    - OffenseRuleName
    - Magnitude
    - Relevance
    - Severity
    - Credibility
    - Domain ("N/A" if not found)
    - Tenant ("N/A" if not found)
    - OffenseType
    For example, if an offense has a magnitude of 7, and you include ${Magnitude} in the template, the value for ${Magnitude} appears as 7 in the email.
- Save and close the alert-config.xml file.
- Validate the changes by typing the following command:
  /opt/qradar/bin/runCustAlertValidator.sh <directory_name>
  <directory_name> is the name of the temporary directory that you created.
  If the script validates the changes successfully, the following message is displayed:
  File alert-config.xml was deployed successfully to staging!
- Deploy the changes in QRadar.
  - Log in to QRadar.
  - On the navigation menu, click Admin.
  - Click the option to deploy the full configuration.
  Important: QRadar continues to collect events when you deploy the full configuration. When the event collection service must restart, QRadar does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.
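Before you run the validator script, it is worth checking your edited copy of alert-config.xml against the rules in this procedure: placeholders must come from the lists above, only the *List values can be looped over with #foreach, template names must be unique, and each template type needs at least one active template. The following Python script is an added example, not part of QRadar or of this documentation; it parses a constructed sample template (the enclosing <templates> root element is an assumption, since this page shows only the <template> element) and reports any of those problems.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample; the <templates> root element is an assumption.
SAMPLE_ALERT_CONFIG = """<templates>
  <template>
    <templatetype>offense</templatetype>
    <templatename>Default offense template</templatename>
    <active>true</active>
    <subject>$Value.DefaultSubject (magnitude ${Magnitude})</subject>
    <body>$Value.Intro
$Label.TopSourceIPs
#foreach( $item in $Value.TopSourceIPsList )
 - $item
#end
$Value.OffenseUrl</body>
  </template>
</templates>"""
# Placeholder names documented for offense templates.
LABELS = {"OffenseSourceSummary", "TopSourceIPs", "TopDestinationIPs", "TopLogSources",
          "TopUsers", "TopCategories", "TopAnnotations", "ContributingCreRules"}
VALUES = LABELS | {"DefaultSubject", "Intro", "OffenseId", "OffenseStartTime",
                   "OffenseUrl", "OffenseMRSC", "OffenseDescription", "EventCounts"}
LISTS = {name + "List" for name in LABELS}
PROPS = {"OffenseID", "OffenseRuleID", "OffenseRuleName", "Magnitude", "Relevance",
         "Severity", "Credibility", "Domain", "Tenant", "OffenseType"}
def check_offense_templates(xml_text):
    """Return the problems found; an empty list means the file passed every check."""
    problems, by_type = [], {}
    for tpl in ET.fromstring(xml_text).iter("template"):
        ttype = (tpl.findtext("templatetype") or "").strip()
        name = (tpl.findtext("templatename") or "").strip()
        active = (tpl.findtext("active") or "").strip() == "true"
        by_type.setdefault(ttype, []).append((name, active))
        text = (tpl.findtext("subject") or "") + "\n" + (tpl.findtext("body") or "")
        for kind, ref in re.findall(r"\$(Value|Label)\.(\w+)", text):
            if ref not in (VALUES | LISTS if kind == "Value" else LABELS):
                problems.append(f"{name}: unknown ${kind}.{ref}")
        for ref in re.findall(r"\$\{(\w+)\}", text):  # ${X} properties
            if ref not in PROPS:
                problems.append(f"{name}: unknown ${{{ref}}}")
        for ref in re.findall(r"#foreach\(\s*\$\w+\s+in\s+\$Value\.(\w+)\s*\)", text):
            if ref not in LISTS:  # only the *List values can be looped over
                problems.append(f"{name}: #foreach over non-list $Value.{ref}")
    for ttype, entries in by_type.items():
        if len({n for n, _ in entries}) != len(entries):
            problems.append(f"{ttype}: templatename is not unique")
        if not any(active for _, active in entries):
            problems.append(f"{ttype}: no active template")
    return problems
```

Run it against the file in your temporary directory (for example, `check_offense_templates(open("<directory_name>/alert-config.xml").read())`); the official runCustAlertValidator.sh script remains the authoritative check.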