QRadar: Email notification for failed backup

Answer

Under the System: Notification Rule, there are 3 backup failure events that we look for and alert on.

Backup: requires more disk space

Backup: last Backup exceeded execution threshold

Backup: unable to execute request.

The user can take those 3 events(QIDs) and create a rule that looks for any of those 3 events. Have that rule create an alert email.

You can create a Rule which, will send you an email when the Disk Sentry receives an alert for the disk usage on your QRadar system.

1. From the QRadar Web User Interface, go to the Offenses tab.
   
2. Then Click the left sidebar > Rules.
   
3. From the pull down click Actions > New Event Rule.
   
   
   
4. In the Rule Wizard, skip to the Rule Test page. Within this page. Search for the following rule test when the event QID is one of the following QIDs.
   Add this test to your new rule's rule test list.
   
   
   
5. Select the QIDs link at the end of this rule test, this will open a Menu which allows you to add a QID or do a QID search.
   
   
   
6. Within the QID/Name Search field type Backup:
   Note: The ":" after Backup is required else you will get different results from your search.
   
7. Add the QID's matching the following using the Add button:
   
   QID 38750033 Backup: requires more disk space
   QID 38750035 Backup: last Backup exceeded execution threshold
   QID 38750059 Backup: unable to execute request.
   
8. Back in the Rule Wizard test editor, type the name of the New Rule. Optionally, you can add the Rule to a group and enter notes about your rule.
   
9. Select Next.
   
10. In the Rule Response, under the responses select Send an Email. A field will appear allowing you to type the email address you want the notification to be sent to.
    
    
    
11. Select Next.
    
12. On the Next Page Select Finish.