Refine your search by using the following advanced search options.

Criteria	Usage
Questions with keyword1 or keyword2	keyword1 keyword2
Questions with a mandatory word, e.g. keyword2	keyword1 +keyword2
Questions excluding a word, e.g. keyword2	keyword1 -keyword2
Questions with keyword(s) and a specific tag	keyword1 [tag1]
Questions with keyword(s) and either of two or more specific tags	keyword1 [tag1] [tag2]
To search for all posts by a user or all posts with a specific tag, start typing and choose from the suggestion list. Do not use a plus or minus sign with a tag, e.g., +[tag1].

Ask a question

Trigger Qradar Offense when email is received

Question by mac.benson (54) | Apr 30, 2018 at 12:42 PM qradar technote email syslog swg21969815

Is there a way to fire a Qradar offense when an email is received for a specific email account? I've been looking around for bash scripts that would save email to a flat text file, but was wondering if anyone else has done this?

Answer by Cuong Do (31) | May 02, 2018 at 01:27 AM

Yes, You can create the custom properties (sender/recipent) for mail log source (i.e : Exchange Mailbox, Zimbra mail). Rule Wizard support conditional like " and when any of these event properties are contained in any of these reference set(s)"

"and when any of these properties match this regular expression"

You should combine one of above conditional with event name (qid) match with mail sent/received

If you don't like create new custom properties, you can use this conditional " and when the Event Payload contains this string"

0 Share

Trigger Qradar Offense when email is received

1 reply

Follow this question

Trigger Qradar Offense when email is received

1 reply

Follow this question

Related questions