IBM Support

QRadar SOAR: Email notifications might not have the correct URL to SOAR

How To


Summary

Email notifications sent from QRadar SOAR might not have the correct URL to SOAR.

Steps

Emails that do not contain a link to the incident can have one of two causes.

1) Check the base URL details

sudo resutil configget -baseurl

If nothing is returned, you need to set it.

When the base URL is not set, the following warning message appears in client.log:

WARN com.co3.dao.impl.ConfigVarDAOImpl - baseurl is not set.

To set the base URL, run the following command.

sudo resutil configset -baseurl https://<FQDN FOR SOAR>

Restart SOAR.

sudo systemctl restart resilient

If you have imported an SSL certificate, then the base URL is set during successful import of the certificate.

If you imported a wildcard SSL certificate, the base URL might be set incorrectly. In that case, follow the preceding steps to change the base URL.
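The checks in step 1 can be scripted. The following is an added example, not IBM code: it counts the warning in a copy of client.log and classifies a base URL value before or after you run configset. The function names, the classification rules (https scheme, concrete FQDN, no "*" label) and the sample lines are assumptions; pass the bare URL value as the second argument.

```shell
#!/bin/sh
# Added example, not IBM code. Feed it the client.log path and the bare URL
# value reported by `sudo resutil configget -baseurl`.

# Count the "baseurl is not set" warnings quoted on this page.
count_baseurl_warnings() {
    [ -r "$1" ] || return 2
    grep -c 'ConfigVarDAOImpl - baseurl is not set' "$1" || true
}

# Classify a candidate base URL. Assumed rules: https scheme and a concrete
# FQDN; a "*" label or leftover <placeholder> would break emailed links.
check_baseurl() {
    case "$1" in
        '')        echo "unset"; return 1 ;;
        https://*) ;;
        *)         echo "not-https"; return 1 ;;
    esac
    host=${1#https://}   # drop scheme
    host=${host%%/*}     # drop any path
    host=${host%%:*}     # drop any port
    case "$host" in
        ''|*'*'*|*'<'*|*'>'*|*' '*) echo "bad-host"; return 1 ;;
        *.*) echo "ok" ;;
        *)   echo "not-fqdn"; return 1 ;;
    esac
}

# One-line summary for a ticket or health check.
triage() {
    warnings=$(count_baseurl_warnings "$1") || warnings=unknown
    state=$(check_baseurl "$2") || true
    echo "baseurl=$state warnings=$warnings"
}

if [ "$#" -eq 2 ]; then
    triage "$1" "$2"
else
    # Constructed sample: the warning line from this page plus a made-up INFO line.
    sample=$(mktemp)
    printf '%s\n' 'INFO com.example.Demo - constructed line' \
        'WARN com.co3.dao.impl.ConfigVarDAOImpl - baseurl is not set.' > "$sample"
    triage "$sample" ''                        # baseurl=unset warnings=1
    triage "$sample" 'https://*.example.com'   # baseurl=bad-host warnings=1
    rm -f "$sample"
fi
```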

2) Permissions

If you set up your notifications to use the fields "Notify Resilient users" or "Notify others", the email addresses in these two fields might not have permission to view the incident. In this case, a recipient who does not have access to the incident does not get a URL to the incident.

The same may be true of group email addresses added to these fields that deliver to multiple recipients, none of whom can be verified by IBM SOAR.

Document Location

Worldwide


Document Information

Modified date:
13 July 2023

UID

ibm11160074