Everybody has seen this before: QRadar is showing critical offenses but nobody takes notice! This may be the time to kick off an automated Email response. The corresponding rule exists by default and only needs to be enabled:

The problem is the Email subject: it contains only the name of the standard rule, as in our sample:

The body of the Email does contain all the details needed, but when automated email receivers are used this is of little help.
That's why we need to change the Email subject to something our service management tool can make use of.
How to make the required changes in QRadar is documented in the admin guide.

This helps and we could end here, but in many cases the problem begins right here. So what to do? That's why I wrote this blog entry!
First of all: there are two ways of reacting to an offense. One is to respond to an event (or a series of events), shown as ID=78 for our SSH Login rule. The other is to respond to offenses we have seen before but have not acted on yet. Our offense screen shows ID=79-81 as the test result:

As soon as the Email template has been extended with our new subtemplates for the offense-type and event-type Email responses, it can be selected in our rule (My Event):

Rule wizard response action for an event:

The values provided for severity, credibility and relevance are for testing only! Please use the standard values in production.
The response limit can be adjusted to your needs but should not be less than one message per minute.

Now we dive deep into our programming exercise. The documentation outlines where the standard Email template can be found and how it can be customized. In this case it is sufficient to adjust the subject to our needs. An XML editor helps prevent syntax errors while editing.


The new Email template now needs to be rolled out so it can be used in our rule. This is a two-step process. Step 1 uses this script to copy the modified XML template into the staging area:

Step 2 is to deploy the new response to our systems:

Before testing, all offenses should be closed first! Emails can easily be checked from the CLI (command line interface).
For testing we use simulation data, which can be exported as CSV data from event Log Activity and replayed using the logrun.pl script.
Emails automatically sent to root@localhost by our two rules:

Email response generated for Offense ID=78 (Ruletype = Event) and ID=81 (Ruletype = Offense):
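To check from the CLI that the rolled-out subject is something an email receiver can actually use, here is an added example (not code from the original post): a small Python script that splits mbox-style mail text, such as root's mailbox after the replay, and extracts offense ID and rule type from each subject, listing any mail whose subject still carries only the rule name. The subject layout "QRadar <Ruletype> Offense ID=<n>: <rule name>" and the mail text are constructed assumptions, not the format of the template linked below.

```python
import email
import re

# Constructed mailbox text (not from a real system), as root's mbox might
# look after the replay. The subject layout "QRadar <Ruletype> Offense
# ID=<n>: <rule name>" is an assumed customization, not QRadar's own; the
# third mail keeps the default subject (rule name only) as the failure case.
SAMPLE_MBOX = """\
From qradar@localhost Mon Jan  1 10:00:00 2024
From: qradar@localhost
To: root@localhost
Subject: QRadar Event Offense ID=78: My Event

Offense 78 was created by rule My Event (SSH Login).

From qradar@localhost Mon Jan  1 10:05:00 2024
To: root@localhost
Subject: QRadar Offense Offense ID=81: My Offense

From qradar@localhost Mon Jan  1 10:06:00 2024
To: root@localhost
Subject: My Event

"""

SUBJECT_RE = re.compile(
    r"^QRadar (?P<ruletype>Event|Offense) Offense ID=(?P<id>\d+): (?P<rule>.+)$"
)

def split_mbox(text):
    """Split mbox text into messages on the 'From ' separator lines."""
    chunks = re.split(r"^From .*$\n", text, flags=re.MULTILINE)
    return [email.message_from_string(c) for c in chunks if c.strip()]

def parse_notifications(mbox_text):
    """Return (parsed, unparsed): parsed holds offense id, rule type and rule
    name per mail; unparsed holds subjects a ticketing receiver cannot use."""
    parsed, unparsed = [], []
    for msg in split_mbox(mbox_text):
        subject = (msg["Subject"] or "").strip()
        m = SUBJECT_RE.match(subject)
        if m:
            parsed.append({"id": int(m["id"]), "ruletype": m["ruletype"], "rule": m["rule"]})
        else:
            unparsed.append(subject)
    return parsed, unparsed

if __name__ == "__main__":
    ok, bad = parse_notifications(SAMPLE_MBOX)
    print(ok, "unparseable:", bad)
```

A non-empty "unparseable" list after the rollout means a rule is still sending the default subject and will not be picked up by the receiver.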


Download the modified template from here: https://my.hidrive.com/share/zi.b3vy1o9

Have fun checking QRadar emails and tickets automatically generated by your preferred service management email receiver.