Qradar Custom Email Notification

 IBM announced Support for multiple Email custom notification with Qradar 7.2.6


After a quick review, we can notice the Custom properties in 7.2.6 in nowhere to find.

Meaning we can’t add “Custom” indexes to our Mail templates.

For example we are monitoring sensitive groups, we can shape a new mail notification, but we can add only general information.


User Momi removed Member from sensitive group.
When we get the alert, we see an event name (Member removed from group),
the username is Momi.

Which group? Who is the member that has been removed from the group?

Those are custom fields which are not shown on general email notification.

Lucky for us IBM Qradar Email Documentation on qradar 7.2.1 is referring to Custom properties.

After some tests and help from a friend (thank you Omri) we have figured how this works.

I’ll show here the text and some examples.

Which group? What is the virus name?

We need the Custom properties to be able to see the full picture of the incident.

Without the custom properties we can’t see the name of the virus or the infected hostname.

Qradar 7.2.1 Documentation explaining email template and custom fields. – LINK

Text Example for alert-config.xml


                  <templatename>General Rule – Windows  </templatename>




                  <subject> ${RuleName} Security Alert </subject>



                                                      [Rule Name]  ${RuleName}

                                                      [Category]:     ${Category}

                                                      [Event Name]:         ${EventName}

                                                      [Event Description]:   ${EventDescription}


                                                      [Offense Time]  ${StartTime}


                                                      [Rule Description]  ${EventDescription}

                                                      [Log Source Name]:  ${LogSourceName}


                                                      [Action Performed by]:  ${UserName}

                                                      [Group Changed] : ${body.CustomProperty(“Group Name”)}

                                                      [Targeted User] : ${body.CustomProperty(“Group Account Name”)}


                                                       [Source Port]: ${SourcePort}

                                                      [Source ip]:   ${SourceIP}

                                                      [Source Network]: ${SourceNetwork}


                                                      [Destination Port]:  ${DestinationPort}

                                                      [Destination IP]:  ${DestinationIP}

                                                      [Destination Network]:  ${DestinationNetwork}


                                                      [Log Source Name]:      ${LogSourceName}

                                                      [Payload]:  ${Payload}




Template Examples:  alert-config.xml

As always you are welcome to comment or send an email to gregorin[@]qmasters.co

About qmasters

QMasters was founded in 2015 to help Israeli governmental, military, niche security, and municipality offices protect themselves from cyber-attacks. As the cyber security threats grow year after year, so does our list of customers. We are a team of 30+ security experts committed to solving security challenges with the right combination of strategies and technologies.

you might also like:

ClearPass Vulnerability Alert

Aruba has informed us about a new security advisory for...

VIDEO: Carbon Black Webinar - Investigating an Incident

This video link has expired. Please contact Michelle at michelled@qmasters.co...

1 2 3 6

Join our newsletter!


linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram