Configuring custom offense email notifications

You can create templates for email notifications that are triggered for offenses.

You customize the content that is included in the email notification by editing the alert-config.xml file.

You must create a temporary directory where you can safely edit your copy of the files, without the risk of overwriting the default files. After you edit and save the alert-config.xml file, you must run a script that validates your changes. The validation script automatically applies your changes to a staging area. You must deploy the full configuration to rebuild the configuration files for all appliances.

Procedure

  1. Use SSH to log in to the QRadar® Console as the root user.
  2. Create a new temporary directory to use to safely edit copies of the default files.
  3. Type the following command to copy the files that are stored in the custom_alerts directory to the temporary directory:
    cp /store/configservices/staging/globalconfig/templates/custom_alerts/*.* <directory_name>

    The <directory_name> is the name of the temporary directory that you created.

    If the file does not exist in the staging directory, you might find it in the /opt/qradar/conf/templates/custom_alerts directory.

  4. Confirm that the files were copied successfully:
    1. To list the files in the directory, type ls -lah.
    2. Verify that the alert-config.xml file is listed.
  5. Open the alert-config.xml file for editing.
  6. Add a new <template> element for the new offense template.
    1. Required: Enter offense for the template type value.
      <templatetype>offense</templatetype>
    2. Type a name for the offense template.
      For example, <templatename>Default offense template</templatename>

      If you have more than one template, ensure that the template name is unique.

    3. Set the <active> element to true.
      <active>true</active>
      Important: The <active></active> property must be set to true for each template type that you want to appear as an option in QRadar. There must be at least one active template for each type.
    4. Edit the parameters in the <body> or <subject> elements to include the information that you want to see.

      The following lists provide the values that you can use in the offense template. $Label values provide the label for the item and the $Value values provide the data.

      Offense parameters
      • $Value.DefaultSubject
      • $Value.Intro
      • $Value.OffenseId
      • $Value.OffenseStartTime
      • $Value.OffenseUrl
      • $Value.OffenseMRSC
      • $Value.OffenseDescription
      • $Value.EventCounts
      • $Label.OffenseSourceSummary / $Value.OffenseSourceSummary
      • $Label.TopSourceIPs / $Value.TopSourceIPs
      • $Label.TopDestinationIPs / $Value.TopDestinationIPs
      • $Label.TopLogSources / $Value.TopLogSources
      • $Label.TopUsers / $Value.TopUsers
      • $Label.TopCategories / $Value.TopCategories
      • $Label.TopAnnotations / $Value.TopAnnotations
      • $Label.ContributingCreRules / $Value.ContributingCreRules

      You can also loop over some values by using the following syntax in the template:

      #foreach( $item in $Value.X )
        $item
      #end

      Where X is one of the following values:

      • OffenseSourceSummaryList
      • TopSourceIPsList
      • TopDestinationIPsList
      • TopLogSourcesList
      • TopUsersList
      • TopCategoriesList
      • TopAnnotationsList
      • ContributingCreRulesList


      You can include the following properties by using ${X}, where X is one of the following values:

      • OffenseID
      • OffenseRuleID
      • OffenseRuleName
      • Magnitude
      • Relevance
      • Severity
      • Credibility
      • Domain ("N/A" if not found)
      • Tenant ("N/A" if not found)
      • OffenseType

      For example, if an offense has a magnitude of 7, and you include ${Magnitude} in the template, the value for ${Magnitude} appears as 7 in the email.

  7. Save and close the alert-config.xml file.
  8. Validate the changes by typing the following command:
    /opt/qradar/bin/runCustAlertValidator.sh <directory_name>

    <directory_name> is the name of the temporary directory that you created.

    If the script validates the changes successfully, the following message is displayed: File alert-config.xml was deployed successfully to staging!
  9. Deploy the changes in QRadar.
    1. Log in to QRadar.
    2. On the navigation menu, click Admin.
    3. Click Advanced > Deploy Full Configuration.
      Important: QRadar continues to collect events while you deploy the full configuration. When the event collection service must restart, QRadar does not restart it automatically. A message is displayed that gives you the option to cancel the deployment and restart the service at a more convenient time.
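As an added illustration, not taken from the original page or from the alert-config.xml that QRadar ships, the following is a complete offense <template> element that puts together the elements from step 6: the required type, a unique name, the active flag, a subject that uses ${X} properties, and a body that uses $Label/$Value items and #foreach loops over the list values. The enclosing <templates> wrapper and the exact position of the element inside the file are assumptions; the template name and layout text are constructed sample values.

```xml
<!-- Added example of a custom offense template for alert-config.xml.
     The enclosing <templates> element is an assumption; the child
     elements and placeholders are the ones listed in the procedure. -->
<templates>
  <template>
    <!-- Step 6.1: the type value must be "offense" -->
    <templatetype>offense</templatetype>
    <!-- Step 6.2: a name that is unique among your templates (constructed sample) -->
    <templatename>SOC triage offense template</templatename>
    <!-- Step 6.3: at least one offense template must be active to appear in QRadar -->
    <active>true</active>
    <!-- Step 6.4: ${X} properties can be used in the subject line -->
    <subject>[QRadar] Offense ${OffenseID} magnitude ${Magnitude} (${OffenseType}) - rule ${OffenseRuleName}</subject>
    <body>
$Value.Intro

Offense ID:     $Value.OffenseId
Started:        $Value.OffenseStartTime
Description:    $Value.OffenseDescription
Severity/Relevance/Credibility: ${Severity}/${Relevance}/${Credibility}
Domain:         ${Domain}
Tenant:         ${Tenant}
Link:           $Value.OffenseUrl

$Label.OffenseSourceSummary
$Value.OffenseSourceSummary

$Label.TopSourceIPs
#foreach( $item in $Value.TopSourceIPsList )
  - $item
#end

$Label.TopDestinationIPs
#foreach( $item in $Value.TopDestinationIPsList )
  - $item
#end

$Label.ContributingCreRules
#foreach( $item in $Value.ContributingCreRulesList )
  - $item
#end
    </body>
  </template>
</templates>
```

If the body text itself contains characters that are special in XML, such as < or &, wrap the body content in a CDATA section so that the file still validates in step 8.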