TECHNICAL NOTE CONFIGURING CUSTOM EMAIL NOTIFICATIONS AUGUST 2012 When configuring rules in STRM, you can specify that each time the rule generates a response, an email notification is sent to recipients providing useful information, such as event or flow properties. These properties are specified in the alert-config.xml file, which is the default template. To meet the requirements of your organization, you can customize the content included in the email notification rule response. This technical note provides information on how to customize your email notifications. Unless otherwise noted, all references to STRM refer to STRM, STRM Log Manager, and STRM Network Anomaly Detection. References to flows do not apply to STRM Log Manager. This section includes the following topics: Customizing Email Notifications Example Configuration File Using Custom Parameters Accepted Parameters Customizing Email Notifications Step 1 Step 2 You must create a temporary directory in which you can safely edit your copy of the files, without risk of overwriting the default files. After you edit and save the alert-config.xml file, you must run a script that validates your changes. The validation script automatically applies your changes to a staging area, from where you can deploy the changes using the STRM user interface. To customize email notifications: Using SSH, log into STRM as the root user. Username: root Password: <password> To create a new temporary directory, type the following command: mkdir <directory_name>
2 TECHNICAL NOTE Step 3 Step 4 Step 5 Step 6 Where <directory_name> is the name of the temporary directory you use to edit copies of the default files. To copy the files stored in the custom_alerts directory to the temporary directory, type the following command: cp /store/configservices/staging/globalconfig/templates/ custom_alerts/*.* <directory_name> Where <directory_name> is the name of the directory you created in Step 2. Confirm the files were copied successfully: a To list the files in the directory, type the following command: ls -lah b Verify the following files are listed: alert-config.xml subject-default.vm body-default.vm Open the alert-config.xml file. For an example of the alert-config.xml file, see Example Configuration File. Optional. If you want to create multiple templates, copy the <template></template> property, including tags and the contents, and then paste it below the existing <template></template> property. NOTE You can add multiple templates, however, STRM only supports one event and one flow template type to be set to True in the Active property. Step 7 Step 8 Step 9 Edit the contents of the <template></template> property: a Specify the template type using the following XML property: <templatetype></templatetype> Where possible values include event or flow. This field is mandatory. b Specify the template name using the following XML property: <templatename></templatename> c Set Active property to true: <active>true</active> d Edit the Subject property, if required. e Add or remove parameters from the Body property. For more information on accepted parameters, see Accepted Parameters. f Repeat these steps for each template you want to add. Save and close the file. To validate and deploy your changes, type the following command: /opt/qradar/bin/runcustalertvalidator.sh <directory_name>
Example Configuration File 3 Step 10 Step 11 Step 12 Where <directory_name> is the name of the directory you created in the Customizing Email Notifications procedure. If the script validates the changes successfully, the following message is displayed: File alert-config.xml was deployed successfully to staging! File subject-customcalculate.vm was deployed successfully to staging! File body-customcalculate.vm was deployed successfully to staging! Log in to the STRM user interface. Click the Admin tab. Select Advanced > Deploy Full Configuration. Your custom email notifications are now complete. Rules that have an email notification set as the rule response will generate emails using the custom parameters you specified. Example Configuration File Example of the alert-config.xml file: <?xml version= 1.0 encoding= UTF-8?> <templates> <template> <templatename>default Event</templatename> <templatetype>event</templatetype> <active>true</active> <filename></filename> <subject> ${RuleName} Fired </subject> <body> The following is an automated response sent to you by the ${AppName} event custom rules engine: $[StartTime] Rule Name: ${RuleName} Rule Description: ${RuleDescription} Source IP: ${SourceIP} Source Port: ${SourcePort} SourceUsername: ${UserName} Source Network: ${SourceNetNoDefault} Destination IP: ${DestinationIP} Destination Port: ${DestinationPort} Destination Username: ${DestinationUserName} Destination Network: ${DestinationNetNoDefault} Protocol: ${Protocol}
4 TECHNICAL NOTE QID: ${Qid} Event Name: ${EventName} Event Description: ${EventDescription} Category: ${Category} DataSource ID: ${DeviceID} Device Name ${DeviceName} Payload: ${Payload} CustomPropertiesList: ${CustomPropertiesList} </body> <from></from> <to></to> <cc></cc> <bcc></bcc> </template> </templates> Using Custom Parameters Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 The accepted email notification parameters are listed in Table 1. To use the body.customproperty and body.calculatedproperty parameters, you must create a custom event or custom property. For more information, see the STRM Users Guide. Specify one of the following options: Property Name - where <Property Name> is the name used to create the custom property. Universally Unique Identifier (UUID) - to locate the UUID for a custom property: Log in to the STRM user interface. Click the Admin tab. Click the Custom Event Properties or Custom Flow Property icon. Select the custom property you want to add to your custom email notification. Click Edit. At the top of the Custom Event Property Definition or Custom Flow Property Definition window, the Universal Resource Locator (URL) is displayed. The UUID is the character string that follows the id= tag. In the following example, d3591e84-64eb-47e4-92f4-bc41155b81c7 is the UUID: https://charger/console/do/qradar/arielproperties?appname=qrada r&pageid=arielpropertieslist&dispatch=edit&id=d3591e84-64eb-47e 4-92f4-bc41155b81c7 Edit the custom email notification template contained in the alert-config.xml file. For more information, see Customizing Email Notifications. Add one or both of the following lines to the alert-config.xml file: body.customproperty (d3591e84-64eb-47e4-92f4-bc41155b81c7) body.calculatedproperty (d3591e84-64eb-47e4-92f4-bc41155b81c7)
Accepted Parameters 5 Where <d3591e84-64eb-47e4-92f4-bc41155b81c7> is the UUID you derived in Step 5. If you have configured custom properties and included custom parameters in your template, STRM will generate emails using the custom parameters you specified. Accepted Parameters The following parameters can be used in custom email notifications: Table 1 Accepted Notification Parameters Common Parameters Event Parameters Flow Parameters AppName EventCollectorID Type RuleName DeviceEventId CompoundAppID RuleDescription DeviceId FlowSourceIDs EventName DeviceName SourceASNList EventDescription DeviceTime DestinationASNList EventProcessorId DstPostNATPort InputIFIndexList Qid SrcPostNATPort OutputIFIndexList Category DstMACAddress AppId RemoteDestinationIP DstPostNATIPAddress Host Payload DstPreNATIPAddress Port Credibility SrcMACAddress SourceBytes Relevance SrcPostNATIPAddress SourcePackets Source SrcPreNATIPAddress Direction SourcePort SrcPreNATPort SourceTOS SourceIP DstPreNATPort SourceDSCP Destination SourcePrecedence DestinationPort DestinationTOS DestinationIP DestinationDSCP DestinationUserName SourceASN Protocol DestinationASN StartTime InputIFIndex Duration OutputIFIndex StopTime FirstPacketTime EventCount LastPacketTime SourceV6 TotalSourceBytes DestinationV6 TotalDestinationBytes UserName TotalSourcePackets DestinationNetwork TotalDestinationPackets SourceNetwork SourceQOS
6 TECHNICAL NOTE Table 1 Accepted Notification Parameters (continued) Common Parameters Event Parameters Flow Parameters Severity CustomPropertiesList body.customproperty("<uuid Property Name>") body.calculatedproperty("<uuid Property Name>") DestinationQOS SourcePayload DestinationPayload
Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000 www.juniper.net Copyright 2012 Juniper Networks, Inc. All rights reserved. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.