Thank you for that tip, tried it and it works perfectly. Just need to tweak it a bit now to get the username value in, but that should be simple enough.
Original Message:
Sent: Wed September 11, 2024 11:16 AM
From: Paul Ford-Hutchinson
Subject: Customaction and sendmail
You can do this with a Python script; something like this should get you started.
#!/usr/bin/python3
from smtplib import SMTP

# Mail relay and addresses
smtp_server = '192.168.1.2'
smtp_port = 25
from_addr = "qradar@example.com"
to_addr = "analyst@example.com"
subject = "Mail from QRadar"

# Build the body one line at a time
message_body_list = ['First Line of the email', '']
for x in range(6):
    message_body_list.append("Additional line {0}".format(x + 1))
message_body_list.append('')
message_body_list.append('Last line of the email')

# Headers, then a blank line, then the body
smtp_data_list = [
    "From: {0}".format(from_addr),
    "To: {0}".format(to_addr),
    "Subject: {0}".format(subject)
]
smtp_data_list.append("")
smtp_data_list.extend(message_body_list)
smtp_data = "\n".join(smtp_data_list)
#
# Send the email :-)
#
my_smtp = SMTP()
my_smtp.connect(smtp_server, smtp_port)
my_smtp.sendmail(from_addr, to_addr, smtp_data)
my_smtp.quit()
------------------------------
Paul Ford-Hutchinson
Original Message:
Sent: Wed September 11, 2024 09:15 AM
From: Andrew Renouf
Subject: Customaction and sendmail
Hi,
I am looking to send an email to a user when a QRadar event rule fires for that user.
I have looked at custom action scripts and I can see that I can run a script passing in the username variable for that event.
However, I seem to be having a problem using the sendmail command in the script, with a command not found error on testing.
If I run the sendmail command from the command line at /opt/qradar/bin/ca_jail/ustom_action_scripts directory, the email sends fine. If I try to run the deployed script in that same location I get a command not found error for sendmail.
I guess that the jail location is unable to access sendmail. Is there an alternative mail option I can use in a custom action script or is there an alternative way to email a variable user from a fired event?
------------------------------
Andrew
------------------------------