How To
Summary
Email notifications sent from QRadar SOAR might not have the correct URL to SOAR.
Steps
1) Check the base URL details
sudo resutil configget -baseurl
If nothing is returned, you need to set it.
When the base URL is not set, the following warning message appears in client.log:
WARN com.co3.dao.impl.ConfigVarDAOImpl - baseurl is not set.
To set the base URL, run the following command.
sudo resutil configset -baseurl https://<FQDN FOR SOAR>
Restart SOAR
sudo systemctl restart resilient
If you have imported an SSL certificate, then the base URL is set during successful import of the certificate.
The base URL might also be set incorrectly if you imported a wildcard SSL certificate. In that case, follow the steps above to change the base URL.
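The check in step 1 can be scripted. The following is an added example, not IBM code: it classifies a base URL value against the expected FQDN and counts the warning shown above in a client.log file. It assumes the caller passes in the value that the configget command reports and that a value containing "*" is the wildcard-certificate symptom; soar.example.com and the log lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not IBM code. Assumption: the caller passes in the value that
# `sudo resutil configget -baseurl` reports (its output format is not shown here).

# classify_baseurl VALUE EXPECTED_FQDN -> unset | wildcard | not-https | mismatch | ok
classify_baseurl() {
    value=$1
    expected=$2
    [ -n "$value" ] || { echo unset; return 0; }
    case $value in
        *'*'*) echo wildcard; return 0 ;;   # assumed symptom of a wildcard certificate import
        https://*) ;;
        *) echo not-https; return 0 ;;
    esac
    host=${value#https://}   # strip scheme
    host=${host%%/*}         # strip any path
    host=${host%%:*}         # strip any port
    host=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
    want=$(printf '%s' "$expected" | tr '[:upper:]' '[:lower:]')
    if [ "$host" = "$want" ]; then echo ok; else echo mismatch; fi
}

# count_baseurl_warnings FILE -> number of "baseurl is not set" warnings in a client.log
count_baseurl_warnings() {
    grep -c 'ConfigVarDAOImpl - baseurl is not set' "$1" || true
}

# sample_client_log: constructed log lines for demonstration (timestamps are made up)
sample_client_log() {
    cat <<'EOF'
12:00:01.001 WARN com.co3.dao.impl.ConfigVarDAOImpl - baseurl is not set.
12:00:02.002 INFO constructed.example.Logger - unrelated line
12:05:01.003 WARN com.co3.dao.impl.ConfigVarDAOImpl - baseurl is not set.
EOF
}

# Demonstration on constructed values; soar.example.com is a placeholder FQDN.
for candidate in "" "https://*.example.com" "http://soar.example.com" \
                 "https://other.example.com" "https://SOAR.example.com:443/"; do
    printf '%-32s -> %s\n' "[$candidate]" "$(classify_baseurl "$candidate" soar.example.com)"
done
```

Any result other than ok means the base URL should be set with the configset command from step 1, followed by a restart of SOAR.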
2) Permissions
If you set up your notifications to use the fields "Notify Resilient users" or "Notify others", the email addresses in these two fields might not have permission to view the incident. In this case, the recipient of the email, who does not have access to the incident, does not get a URL to the incident.
The same may be true of email addresses added to these fields that are group email addresses sent to multiple recipients, none of whom can be verified by IBM SOAR.
Document Location
Worldwide
Document Information
Modified date:
13 July 2023
UID
ibm11160074