Qradar Custom Email Notification

 IBM announced Support for multiple Email custom notification with Qradar 7.2.6

After a quick review, we can notice the Custom properties in 7.2.6 in nowhere to find.

Meaning we can’t add “Custom” indexes to our Mail templates.

For example we are monitoring sensitive groups, we can shape a new mail notification, but we can add only general information.


User Momi removed Member from sensitive group.
When we get the alert, we see an event name (Member removed from group),
the username is Momi.

Which group? Who is the member that has been removed from the group?

Those are custom fields which are not shown on general email notification.

Lucky for us IBM Qradar Email Documentation on qradar 7.2.1 is referring to Custom properties.

After some tests and help from a friend (thank you Omri) we have figured how this works.

I’ll show here the text and some examples.

Which group? What is the virus name?

We need the Custom properties to be able to see the full picture of the incident.

Without the custom properties we can’t see the name of the virus or the infected hostname.

Qradar 7.2.1 Documentation explaining email template and custom fields. – LINK

Text Example for alert-config.xml


                  <templatename>General Rule – Windows  </templatename>




                  <subject> ${RuleName} Security Alert </subject>



                                                      [Rule Name]  ${RuleName}

                                                      [Category]:     ${Category}

                                                      [Event Name]:         ${EventName}

                                                      [Event Description]:   ${EventDescription}


                                                      [Offense Time]  ${StartTime}


                                                      [Rule Description]  ${EventDescription}

                                                      [Log Source Name]:  ${LogSourceName}


                                                      [Action Performed by]:  ${UserName}

                                                      [Group Changed] : ${body.CustomProperty(“Group Name”)}

                                                      [Targeted User] : ${body.CustomProperty(“Group Account Name”)}


                                                       [Source Port]: ${SourcePort}

                                                      [Source ip]:   ${SourceIP}

                                                      [Source Network]: ${SourceNetwork}


                                                      [Destination Port]:  ${DestinationPort}

                                                      [Destination IP]:  ${DestinationIP}

                                                      [Destination Network]:  ${DestinationNetwork}


                                                      [Log Source Name]:      ${LogSourceName}

                                                      [Payload]:  ${Payload}




Template Examples:  alert-config.xml

As always you are welcome to comment or send an email to gregorin[@]


Share on facebook
Share on twitter
Share on linkedin
Share on whatsapp
Subscribe to “Cyber by QMasters” to stay in-the-know!
Don’t worry, it’s once a month.

Contact Us.