IBM Support

QRadar: How to get payload details from the notification tab?

Question & Answer


Question

What steps should you follow when a QRadar support engineer asks you to share the payload details from a notification?

Answer

1] Log in to the console by using your user ID and password.
2] Click the notification bell, then click "View All" beside the particular error, warning, or info notification.
3] After you click "View All", a separate browser window opens and shows the events that are related to the same notification.
4] Double-click any of the events to open its full details. Scroll down to "Payload Information".
5] Click the "utf" tab and copy the payload details from the text box.
Example: 
Jun 13 19:35:11 127.0.0.1  [[type=com.eventgnosis.system.ThreadedEventProcessor][parent=<Full FQDN>:ecs-ec/EC/TrafficAnalysis1/TrafficAnalysis]] com.ibm.si.ec.filters.trafficanalysis.TrafficAnalysisFilter: [WARN] [NOT:0070014101][9.3XX.XXX.XXX/- -] [-/- -]Unable to determine associated log source for IP address <127.0.0.1>. Unable to automatically detect the associated log source for IP address. 
6] You can also take a screenshot of the payload. 
7] Share both the copied payload and the screenshot in the support case, along with the latest logs from the console and the affected managed host.
OR 
To raise a new case, contact IBM Support.

Document Information

Modified date:
28 June 2023

UID

ibm16999031