When you configure rules in IBM® QRadar®, you can specify that each time the rule generates a response, an email notification is sent to recipients. The email notification provides useful information, such as event or flow properties.
About this task

You can customize the content that is included in the email notification for a rule response by editing the alert-config.xml file.

Note: References to flows do not apply to IBM QRadar Log Manager.

You must create a temporary directory where you can safely edit your copy of the files, without the risk of overwriting the default files. After you edit and save the alert-config.xml file, you must run a script that validates your changes. The validation script automatically applies your changes to a staging area. You must then deploy the full configuration to rebuild the configuration files for all appliances.

Important: For IBM QRadar on Cloud, you must open a ticket with IBM Support to get a copy of the alert-config.xml file. You must open another ticket to apply the updated alert-config.xml file to your QRadar on Cloud instance.
Procedure

1. Use SSH to log in to the QRadar Console as the root user.

2. Create a new temporary directory in which to safely edit copies of the default files.

3. To copy the files that are stored in the custom_alerts directory to the temporary directory, type the following command:

       cp /store/configservices/staging/globalconfig/templates/custom_alerts/*.* <directory_name>

   The <directory_name> is the name of the temporary directory that you created.

4. Confirm that the files were copied successfully:
   a. To list the files in the directory, type ls -lah.
   b. Verify that the alert-config.xml file is listed.

5. Open the alert-config.xml file for editing.

6. Edit the contents of the <template> element.
   a. Required: Specify the type of template to use. Valid options are event or flow.

          <templatetype>event</templatetype>
          <templatetype>flow</templatetype>

   b. Type a name for the email template:

          <templatename>Default flow template</templatename>

      If you have more than one template, ensure that the template name is unique.
   c. Set the <active> element to true.
   d. Edit the parameters in the <body> or <subject> elements to include the information that you want to see.

   Important: The <active></active> property must be set to true for each event and flow template type that you want to appear as an option in QRadar. There must be at least one active template for each type. You must also ensure that the <filename></filename> property is left empty.

   Notification parameters that you can use in the template:
   Table 1. Accepted Notification Parameters

   Common Parameters        | Event Parameters    | Flow Parameters
   AppName                  | EventCollectorID    | Type
   RuleName                 | DeviceId            | CompoundAppID
   RuleDescription          | DeviceName          | FlowSourceIDs
   EventName                | DeviceTime          | SourceASNList
   EventDescription         | DstPostNATPort      | DestinationASNList
   EventProcessorId         | SrcPostNATPort      | InputIFIndexList
   Qid                      | DstMACAddress       | OutputIFIndexList
   Category                 | DstPostNATIPAddress | AppId
   RemoteDestinationIP      | DstPreNATIPAddress  | Host
   Payload                  | SrcMACAddress       | Port
   Credibility              | SrcPostNATIPAddress | SourceBytes
   Relevance                | SrcPreNATIPAddress  | SourcePackets
   Source                   | SrcPreNATPort       | Direction
   SourcePort               | DstPreNATPort       | SourceTOS
   SourceIP                 |                     | SourceDSCP
   Destination              |                     | SourcePrecedence
   DestinationPort          |                     | DestinationTOS
   DestinationIP            |                     | DestinationDSCP
   DestinationUserName      |                     | SourceASN
   Protocol                 |                     | DestinationASN
   StartTime                |                     | InputIFIndex
   Duration                 |                     | OutputIFIndex
   StopTime                 |                     | FirstPacketTime
   EventCount               |                     | LastPacketTime
   SourceV6                 |                     | TotalSourceBytes
   DestinationV6            |                     | TotalDestinationBytes
   UserName                 |                     | TotalSourcePackets
   DestinationNetwork       |                     | TotalDestinationPackets
   SourceNetwork            |                     | SourceQOS
   Severity                 |                     | DestinationQOS
   CustomProperty           |                     | SourcePayload
   CustomPropertiesList     |                     |
   CalculatedProperty       |                     |
   CalculatedPropertiesList |                     |
   AQLCustomProperty        |                     |
   AqlCustomPropertiesList  |                     |
   LogSourceId              |                     |
   LogSourceName            |                     |
   Note: If you do not want to retrieve the entire list when you use the CustomProperties, CalculatedProperties, or AqlCustomProperties parameter, you can select a specific property by using the following tags:
   - Custom Property: ${body.CustomProperty("<custom_property_name>")}
   - Calculated Property: ${body.CalculatedProperty("<calculated_property_name>")}
   - AQL Custom Property: ${body.AqlCustomProperty("<AQL_custom_property_name>")}

7. Optional: To create multiple email templates, copy and paste the following sample email template into the <template> element in the alert-config.xml file. Repeat Step 6 for each template that you add.

   Sample email template:

       <template>
       <templatename>Default Flow</templatename>
       <templatetype>flow</templatetype>
       <active>true</active>
       <filename></filename>
       <subject>${RuleName} Fired </subject>
       <body>
       The ${AppName} event custom rule engine sent an automated response:
       ${StartTime}
       Rule Name: ${RuleName}
       Rule Description: ${RuleDescription}
       Source IP: ${SourceIP}
       Source Port: ${SourcePort}
       Source Username (from event): ${UserName}
       Source Network: ${SourceNetwork}
       Destination IP: ${DestinationIP}
       Destination Port: ${DestinationPort}
       Destination Username (from Asset Identity): ${DestinationUserName}
       Destination Network: ${DestinationNetwork}
       Protocol: ${Protocol}
       QID: ${Qid}
       Event Name: ${EventName}
       Event Description: ${EventDescription}
       Category: ${Category}
       Log Source ID: ${LogSourceId}
       Log Source Name: ${LogSourceName}
       Payload: ${Payload}
       CustomPropertiesList: ${CustomPropertiesList}
       AQL Custom Property, CEP_aql_1: ${body.AqlCustomProperty("CEP_aql_1")}
       Calculated Property, CEP_calc_2: ${body.CalculatedProperty("CEP_calc_2")}
       Regex Property, CEP_reg_3: ${body.CustomProperty("CEP_reg_3")}
       </body>
       <from></from>
       <to></to>
       <cc></cc>
       <bcc></bcc>
       </template>

   Note: Currently, the DomainID for multi-tenancy or overlapping IP addresses isn't available in the custom email templates.

8. Save and close the alert-config.xml file.

9. Validate the changes by typing the following command:

       /opt/qradar/bin/runCustAlertValidator.sh <directory_name>

   The <directory_name> parameter is the name of the temporary directory that you created.

   If the script validates the changes successfully, the following message is displayed:

       File alert-config.xml was deployed successfully to staging!

10. Deploy the changes in QRadar.
    a. Log in to QRadar.
    b. On the navigation menu, click Admin.
    c. Deploy the full configuration.

    Important: QRadar continues to collect events while you deploy the full configuration. When the event collection service must restart, QRadar does not restart it automatically. A message is displayed that gives you the option to cancel the deployment and restart the service at a more convenient time.
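As an added example that is not QRadar code or part of this procedure, the following Python script checks a copy of alert-config.xml against the rules stated above before you run runCustAlertValidator.sh: a valid templatetype, unique template names, an empty <filename> element, at least one active template for each type, and that every ${...} placeholder in <subject> or <body> is a Table 1 parameter or one of the three single-property accessors. The <alert-config> root element name, the constructed sample file, and the parameter subset in KNOWN_PARAMS are assumptions; the checker finds <template> elements wherever they sit in the file.

```python
"""Pre-check a copy of alert-config.xml against this procedure's rules (added example, not
QRadar code) before running runCustAlertValidator.sh; returns a list of problems found."""
import re
import xml.etree.ElementTree as ET

# Subset of the Table 1 common parameters used by the sample below; extend as needed.
KNOWN_PARAMS = {"AppName", "RuleName", "RuleDescription", "SourceIP", "SourcePort",
                "DestinationIP", "Payload", "StartTime", "CustomPropertiesList"}
# Single-property accessors such as ${body.CustomProperty("<custom_property_name>")}.
ACCESSOR_RE = re.compile(r'^body\.(Custom|Calculated|AqlCustom)Property\("[^"]+"\)$')
PLACEHOLDER_RE = re.compile(r"\$\{([^}]*)\}")


def check_alert_config(xml_text):
    """Return the rule violations in xml_text; an empty list means the checks pass."""
    def text(tpl, tag):
        return (tpl.findtext(tag) or "").strip()
    problems, names, active_types = [], set(), set()
    for tpl in ET.fromstring(xml_text).iter("template"):
        name, ttype = text(tpl, "templatename"), text(tpl, "templatetype")
        if ttype not in ("event", "flow"):
            problems.append(f"{name!r}: templatetype must be event or flow, got {ttype!r}")
        if not name or name in names:
            problems.append(f"{name!r}: template name missing or not unique")
        names.add(name)
        if text(tpl, "filename"):
            problems.append(f"{name!r}: <filename> must be left empty")
        if text(tpl, "active").lower() == "true":
            active_types.add(ttype)
        for field in ("subject", "body"):
            for ph in PLACEHOLDER_RE.findall(text(tpl, field)):
                if ph not in KNOWN_PARAMS and not ACCESSOR_RE.match(ph):
                    problems.append(f"{name!r}: unknown parameter ${{{ph}}} in <{field}>")
    problems += [f"no active {t} template" for t in ("event", "flow") if t not in active_types]
    return problems


# Constructed sample; the <alert-config> root element name is an assumption. The second
# template has a non-empty <filename>, a misspelled parameter, and is not active.
SAMPLE = """<alert-config><template>
<templatename>Default Flow</templatename><templatetype>flow</templatetype>
<active>true</active><filename></filename><subject>${RuleName} Fired</subject>
<body>Source IP: ${SourceIP} Regex: ${body.CustomProperty("CEP_reg_3")}</body>
</template><template>
<templatename>Default Event</templatename><templatetype>event</templatetype>
<active>false</active><filename>old.txt</filename>
<subject>${RuleNam} Fired</subject><body>${Payload}</body>
</template></alert-config>"""

if __name__ == "__main__":
    for problem in check_alert_config(SAMPLE):
        print("PROBLEM:", problem)
```

Running the script against the sample reports the non-empty <filename>, the unknown ${RuleNam} placeholder, and the missing active event template; the real alert-config.xml from your temporary directory can be read in and passed to check_alert_config in the same way.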