Troubleshooting
Problem
How to incorporate the offense ID in the email generated by a rule.
Cause
Only an Offense Rule includes the Offense ID; Event and Common Rules do not. An Event or Common Rule is used to generate the Offense, but because the Offense is created only after the rule fires, no Offense ID exists yet at that moment, so it cannot be included in the email that the rule generates.
Resolving The Problem
Including the Offense ID in an email requires creating a separate Offense Rule. The Offense Rule can watch for any Offenses created by the Event or Common Rule and send an email when an Offense is created. At that point the Offense already exists and has an Offense ID, so the email generated by the Offense Rule includes the Offense ID.
Product: IBM Security QRadar SIEM (QRadar->Rules)
Platform: Linux
Version: 7.1; 7.2
Edition: All Editions
Document Information
Modified date: 02 April 2020
UID: swg21695697