QRadar: Offense ID not included in email generated by an Event or Common rule



How to incorporate the offense ID in the email generated by a rule.


Only an Offense Rule includes the Offense ID in its email; Event and Common Rules do not. An Event or Common Rule is used to generate the Offense, but because the Offense is created only after the rule fires, no Offense ID exists yet when the rule sends its email, so the ID cannot be included in that email.

Resolving The Problem

To include the Offense ID in an email, create a separate Offense Rule. The Offense Rule can watch for any Offenses created by the Event or Common Rule and send an email when an Offense is created. At that point the Offense already exists and has an Offense ID, so the email generated by the Offense Rule includes the Offense ID.

Modified date: 02 April 2020