IBM Security QRadar SOAR

  • 1.  Notification Substitution Value Empty in Email

    IBM Champion
    Posted Thu November 11, 2021 06:16 PM
    Edited by Liam Mahoney Thu November 11, 2021 06:18 PM
    All,

    We're having some issues with the substitution values with notifications. We have a notification that gets triggered when there is tuning requested on an incident. This notification sends an email to the group of people who can perform the tuning. The email gets sent fine, however the most important substitution value in the notification is always showing up as blank.

    Here's the notification (the substitution value that's highlighted is the field that is empty):


    The task with the name `QRadar Tuning Needed` that is in the condition of the notification is added by the rule with the following condition (I think conditions 1-3 can be ignored in this context - the 4th condition is always required and it's the same field we're trying to use in the notification substitution above):



    So to recap:
    • Our notification is trying to use the value of the custom field 'Why is tuning needed in this situation?' as a substitution value
    • Our notification gets triggered by the task `QRadar Tuning Needed` getting added to the incident
    • The rule that adds the task `QRadar Tuning Needed` has a condition that the same field we're trying to use in our notification, `Why is tuning needed in this situation` must have a value in order for the task to get added
    • The email and system notifications are empty for that field we're trying to use



    Here's a screenshot of an email sent by the notification (the value for the field should appear after the line that has an arrow pointing to it):


    I have highlighted the whole email to make sure it isn't a font color issue.
    I have double checked that the API name of the field is correct (copied + pasted the field API name into the notification email + system notification sections).

    Has anyone had a similar issue? 

    As a side note testing these notifications is painful. It would be great if we could manually execute them on an incident / task / whatever the object type is similar to how we can with a script. As I write this I realize it might be easier just to use the outbound email action.

    Thanks!



    ------------------------------
    Liam Mahoney
    ------------------------------


  • 2.  RE: Notification Substitution Value Empty in Email

    Posted Fri November 12, 2021 05:50 AM
    Hey Liam,

    I had a look at reproducing this but so far am not seeing the same behaviour (on the upcoming v43 at least).

    A few things I tried:
    • Check if incident properties can be substituted: yes
    • Check if a long property name like yours can be substituted: yes
    • Check if rich text area field can be substituted: yes
    • Check your flow of changing field -> rule -> task -> notification: substitution worked for me

    Could you please show me the field definition for 'Why is tuning needed in this situation?' just so I can test out the exact same field type? I'll also check to see if this was a bug that has been fixed recently.

    Thanks.

    ------------------------------
    Sean Mc Cann
    ------------------------------



  • 3.  RE: Notification Substitution Value Empty in Email

    IBM Champion
    Posted Mon November 15, 2021 01:04 PM

    Sean,

    Here's the definition of the field we're trying to use in substitution:


    Thanks!



    ------------------------------
    Liam Mahoney
    ------------------------------



  • 4.  RE: Notification Substitution Value Empty in Email

    Posted Fri November 12, 2021 08:17 AM
    There are a lot of moving pieces for your use case. When I'm troubleshooting I like to start with something simple and then start adding things on. It allows me to identify potential issues more effectively.

    In this case, since the template doesn't seem to be working I would start there. Create a test notification that is run when an incident is updated (add some conditions that only trigger for your test). This way the rules/workflows/playbooks are taken out of the equation. If there is still a problem with the email, check the field values. Is it any value or all values that are not substituted? Check the field definition: are all custom fields having this issue or not?

    Hopefully using this strategy would illustrate where the problem lies and we can potentially reproduce it or identify a workaround.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------



  • 5.  RE: Notification Substitution Value Empty in Email

    IBM Champion
    Posted Mon November 15, 2021 01:06 PM
    Ben,

    Thanks for the tips! I'll try breaking it down into smaller parts and reply with any findings.

    Thanks!

    ------------------------------
    Liam Mahoney
    ------------------------------



  • 6.  RE: Notification Substitution Value Empty in Email

    IBM Champion
    Posted Mon November 15, 2021 02:54 PM
    All,

    I ended up adding the task `QRadar Tuning Needed` via a workflow with a 3 second timer before the task is added rather than adding the task directly in a rule. This seems to have fixed my notification value substitution issue.

    ------------------------------
    Liam Mahoney
    ------------------------------