IBM Support

QRadar: How to deal with unwanted system notifications

Question & Answer


Question

Is it possible to suppress QRadar system notifications?

Answer


How to edit the system notification rule to add a response limiter
System notifications are generated based on a primary System Notification rule in QRadar. Administrators who want to prevent a system notification from ever displaying in QRadar can edit the primary rule to remove a value, which prevents the system from ever creating the notification. Disabling a notification is not recommended, as several important system notifications are generated by QRadar. Instead, to prevent unwanted or repetitive system notifications, copy the system notification rule and modify the copy with a rule response limiter, so that a system notification is generated at a specific interval, in minutes or hours, when an issue occurs. The response limiter can also be used to postpone system notifications for several days when nuisance notifications occur.

Procedure

  1. Click the Offenses tab.
  2. Click the Rules icon.
  3. In the list of rules, select the System: Notification rule.
  4. Click Actions > Duplicate.
  5. Type a name for the new rule and click OK.
  6. Double-click the rule you duplicated to start the Rule Wizard.
  7. Click the list of event QIDs in the rule.
  8. Edit the rule to include the QIDs that you want to limit responses on. In this example, we are going to limit 'License Nearing Expiration' notifications.
  9. Click Next.
  10. In the Response Limiter field, set a time frame for the rule.
  11. Click the Enable Rule check box.
  12. Click Next to view a summary of the rule.
  13. Click Finish.
    Now that the new rule is created, we must also update the original System: Notification rule by removing the License Nearing Expiration QID from it.
  14. Double-click the original System: Notification rule.
  15. Click the list of event QIDs in the rule.
  16. Edit the rule to remove the value (38750124) License Nearing Expiration, which is the event QID we are limiting the response for in our other rule.
  17. Click Finish.

    Results
    A new rule is enabled with a response limiter for 48 hours. The original System: Notification rule is updated to remove the QID for the license message, as it is a repetitive system notification.


Document Information

Modified date:
13 June 2023

UID

swg21690489