Hello Community!
I recently went through a thought experiment with some colleagues: how can QRadar include geolocation data for remote IP addresses from flow feeds in the emails triggered by custom rules? Geolocation data is available and presented to the end user in the user interface, but how can the same information be exposed as a column or field that an email template can reference? AQL custom fields to the rescue!
To accomplish this, it was a matter of doing a few things:
- Create the custom fields using AQL function field extractions
- Create a new email template to leverage the newly created fields
- Create rule(s) that use these email templates for testing purposes only
Custom Fields:
| Calculated Field Name | AQL Function |
| --- | --- |
| flow_country_dest | GEO::LOOKUP(destinationip,'registered_country') |
| flow_country_source | GEO::LOOKUP(sourceip,'registered_country') |
Creating custom email template steps can be found at this link:
https://www.ibm.com/docs/en/qsip/7.3.3?topic=notifications-configuring-event-flow-custom-email
Although this entry was crafted independently, it can build on the following post by Karl Jaeger, which goes deeper into subject line customization:
https://community.ibm.com/community/user/security/blogs/karl-jaeger1/2021/05/20/siem-federation
For the purposes of this entry, I added the following template to the list by first copying the default flow template, then changing the name and adding the custom fields in the appropriate location in the body:
<template>
<templatename>Flow with Geo</templatename>
<templatetype>flow</templatetype>
<active>true</active>
<filename></filename>
<subject><![CDATA[${sem_ruleResponse_email_subject}]]>- Rule Fired</subject>
<body>
<![CDATA[The following is an automated response sent to you by the ${AppName} event custom rules engine:
${StartTime}
Rule Name: ${RuleName}
Rule Description: ${RuleDescription}
Source IP: ${SourceIP}
Source Port: ${SourcePort}
Source Username (from event): ${UserName}
Source Network: ${SourceNetwork}
Destination IP: ${DestinationIP}
Destination Port: ${DestinationPort}
Destination Username (from Asset Identity): ${DestinationUserName}
Destination Network: ${DestinationNetwork}
Protocol: ${Protocol}
QID: ${Qid}
Event Name: ${EventName}
Event Description: ${EventDescription}
Category: ${Category}
Log Source ID: ${LogSourceId}
Log Source Name: ${LogSourceName}
Source Country: ${body.AqlCustomProperty("flow_country_source")}
Destination Country: ${body.AqlCustomProperty("flow_country_dest")}
Payload: ${Payload}
]]>
</body>
<from></from>
<to></to>
<cc></cc>
<bcc></bcc>
</template>
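The custom property name inside `${body.AqlCustomProperty("...")}` must match the name of the calculated field exactly, or the placeholder resolves to nothing in the delivered email. The following is an added example, not part of the original post or of QRadar itself: it parses a template file, collects every AqlCustomProperty reference in each body, and reports the ones that do not match a set of defined property names. The template text and the property list are constructed here, and the enclosing `<templates>` root is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the "Flow with Geo" template body,
# wrapped in an assumed <templates> root so it parses as one XML document.
TEMPLATE_XML = """<templates>
<template>
<templatename>Flow with Geo</templatename>
<templatetype>flow</templatetype>
<active>true</active>
<subject><![CDATA[${sem_ruleResponse_email_subject}]]>- Rule Fired</subject>
<body><![CDATA[Rule Name: ${RuleName}
Source Country: ${body.AqlCustomProperty("flow_country_source")}
Destination Country: ${body.AqlCustomProperty("flow_country_dest")}
]]></body>
</template>
</templates>"""

# Constructed list of custom property names as they might have been typed into
# the UI; "flow_conutry_dest" is a deliberate one-letter typo to detect.
DEFINED_PROPERTIES = {"flow_conutry_dest", "flow_country_source"}

# Matches ${body.AqlCustomProperty("name")} and captures the quoted name.
AQL_REF = re.compile(r'\$\{body\.AqlCustomProperty\("([^"]+)"\)\}')


def referenced_properties(template_xml):
    """Return {template name: set of custom property names used in its body}."""
    root = ET.fromstring(template_xml)
    result = {}
    for tpl in root.iter("template"):
        name = tpl.findtext("templatename", "")
        body = tpl.findtext("body", "")  # CDATA content is returned as text
        result[name] = set(AQL_REF.findall(body))
    return result


def undefined_references(template_xml, defined):
    """Return {template name: sorted property names referenced but not defined}."""
    return {name: sorted(refs - defined)
            for name, refs in referenced_properties(template_xml).items()
            if refs - defined}


if __name__ == "__main__":
    for tpl, missing in undefined_references(TEMPLATE_XML, DEFINED_PROPERTIES).items():
        print(f"{tpl}: undefined custom properties {missing}")
```

Run it against an export of your own templates and the property names from the Custom Properties page before wiring the template into a rule response.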
Rules created for testing:
| Rule | Response |
| --- | --- |
| Apply "Geolocation in body test" on flows which are detected by the Local\|Global system and when the local network is Sandbox_Net.IoT | Email: Enter email addresses to notify: <email to receive alert>; Select flow email template: Flow with Geo |
NOTE: The selected flow email template name is the same as the one listed in the template name section above.
The email notifications that use this template will include the source and destination countries for internet-routable addresses seen in the flow records, in JSON format.
With this entry and Karl’s entry, you are now empowered to create templates with custom subjects as well as custom fields, including those built on AQL functions!