QRadar: How to deal with unwanted notifications

Is it possible to suppress QRadar system notifications for a period of time?


How to edit the system notification rule to add a response limiter
System notifications are generated by a primary rule, System: Notification, that matches the QIDs of the system notification events. An administrator who wants a particular notification never to appear can edit the primary rule and remove that notification's QID, which stops QRadar from ever creating it. In most cases this is not recommended, because QRadar raises a number of important system notifications and a deleted QID is easy to forget. The recommended method is to duplicate the System: Notification rule, restrict the copy to the QIDs you want to throttle, and add a Response Limiter so that the copy generates the notification no more than once per chosen interval (minutes, hours, or days). The limiter does not change the underlying events, which are still logged and searchable; it only limits how often the Notify response fires, so a nuisance notification can be held down to one occurrence every few days while the work that causes it is in progress.

  1. Click the Offenses tab.
  2. Click the Rules icon.
  3. In the list of rules, select the System: Notification rule.
  4. Click Actions > Duplicate.
  5. Type a name for the new rule and click OK.
  6. Double-click the rule you duplicated to start the Rule Wizard.
  7. Click the list of event QIDs in the rule test.
  8. Edit the list so that it contains only the QIDs whose notifications you want to limit. In this example we limit the License Nearing Expiration notification, because the license renewal is already in progress and the reminder is not needed.
  9. Click Next.
  10. On the Rule Response page, set the Response Limiter so that the rule responds no more than once per interval (for example, once every 48 hours).
  11. Select the Enable Rule check box.
  12. Click Next to view a summary of the rule.
  13. Click Finish.
    Now that the new rule exists, edit the original System: Notification rule to remove the License Nearing Expiration QID. Otherwise the original rule, which has no limiter, continues to fire the notification on every event and the duplicate achieves nothing.
  14. Double-click the original System: Notification rule.
  15. Click the list of event QIDs in the rule test.
  16. Remove the License Nearing Expiration value, which is the event QID whose response is now limited by the duplicate rule.
  17. Click Finish.

    The result is a duplicate rule that notifies about License Nearing Expiration at most once every 48 hours, and a primary System: Notification rule that no longer contains that QID, so the notification is no longer generated on every event. The other system notifications are unaffected because their QIDs remain in the primary rule. When the work that caused the nuisance notification is complete, reverse the change: add the QID back to the primary rule and disable or delete the duplicate, so that the notification returns to its normal behaviour.
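The following is an added illustration, not QRadar code, of how the two rules described above divide a stream of system notification events once the edit is applied: the primary rule keeps responding to every event for the QIDs it still contains, while the duplicate responds to the limited QID at most once per window. The QID numbers, event timestamps and the 48-hour window are constructed for the example; real QRadar QID values for these notifications differ.

```python
"""Model of a primary System: Notification rule plus a duplicate rule that
carries a Response Limiter.  Added example; the QIDs and events are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Constructed QID values for two notifications (not the real QRadar QIDs).
QID_LICENSE_NEARING_EXPIRATION = 38750001
QID_DISK_USAGE_WARNING = 38750002

WINDOW_48H = timedelta(hours=48)


@dataclass
class Rule:
    """A rule that tests event QIDs and fires a Notify response."""
    name: str
    qids: Set[int]
    enabled: bool = True
    # Response Limiter: respond no more than limit_count times per window.
    # None means no limiter, i.e. respond on every matching event.
    limit_count: Optional[int] = None
    window: Optional[timedelta] = None
    history: List[datetime] = field(default_factory=list)

    def matches(self, qid: int) -> bool:
        return self.enabled and qid in self.qids

    def respond(self, ts: datetime) -> bool:
        """Return True if the Notify response fires for an event at ts."""
        if self.limit_count is None or self.window is None:
            return True
        # Only responses still inside the sliding window count against the limit.
        recent = [t for t in self.history if ts - t < self.window]
        if len(recent) >= self.limit_count:
            return False          # suppressed: the event is still logged, no notification
        self.history = recent + [ts]
        return True


def run_rules(rules: List[Rule], events: List[Tuple[datetime, int]]) -> List[Tuple[datetime, int, str]]:
    """Feed events (timestamp, qid) through the rules; return the notifications created."""
    notifications = []
    for ts, qid in sorted(events):
        for rule in rules:
            if rule.matches(qid) and rule.respond(ts):
                notifications.append((ts, qid, rule.name))
    return notifications


def sample_events() -> List[Tuple[datetime, int]]:
    """Constructed five-day event stream: a license warning every 6 hours
    (20 events) and two disk-usage warnings."""
    start = datetime(2024, 1, 1)
    events = [(start + timedelta(hours=h), QID_LICENSE_NEARING_EXPIRATION) for h in range(0, 120, 6)]
    events += [(start + timedelta(hours=30), QID_DISK_USAGE_WARNING),
               (start + timedelta(hours=80), QID_DISK_USAGE_WARNING)]
    return events


def before_edit() -> List[Tuple[datetime, int, str]]:
    """Primary rule only, both QIDs, no limiter: one notification per event."""
    primary = Rule("System: Notification", {QID_LICENSE_NEARING_EXPIRATION, QID_DISK_USAGE_WARNING})
    return run_rules([primary], sample_events())


def after_edit() -> List[Tuple[datetime, int, str]]:
    """Primary rule with the license QID removed, plus the limited duplicate."""
    primary = Rule("System: Notification", {QID_DISK_USAGE_WARNING})
    limited = Rule("System: Notification - License (limited)", {QID_LICENSE_NEARING_EXPIRATION},
                   limit_count=1, window=WINDOW_48H)
    return run_rules([primary, limited], sample_events())


if __name__ == "__main__":
    for label, result in (("before", before_edit()), ("after", after_edit())):
        print(f"{label}: {len(result)} notifications")
        for ts, qid, name in result:
            print(f"  {ts:%Y-%m-%d %H:%M}  qid={qid}  via {name!r}")
```

Running it shows 22 notifications before the edit and 5 after: the two disk warnings still come through the primary rule on every event, and the 20 license events collapse to one notification at hours 0, 48 and 96. Note that the limiter only suppresses; it does not batch or summarise the suppressed events, so a notification that arrives after the window tells you nothing about how many events were dropped in between.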

