IBM Security QRadar

  • 1.  QRadar Email fires too many offenses

    Posted Mon March 13, 2023 09:28 AM

    I assigned "Alert Email From Address" to a certain email address, "qradar@exampledomain.com", to send emails from it.

    But this username "qradar" fires too many authentication-failed offenses: "Multiple Authentication failed from same username to same destination".

    This email password's expiration is set to 'never expire'.

    So how do I eliminate these false-positive hits? Is there a way to troubleshoot?

    Should I reconfigure the email password, and how?
    Or exclude the username from the rule? Or what else could I do?

    Thanks in advance



    ------------------------------
    Ahmed K. Awwad
    ------------------------------


  • 2.  RE: QRadar Email fires too many offenses
    Best Answer

    IBM Champion
    Posted Wed March 15, 2023 10:57 AM

    Ahmed,

    the from address you specify in system settings should match your QRadar host name. When you change it here, make sure the hostname can be resolved correctly. No email password expiration is involved here when sending to root@localhost. If you are using alert-config.xml to send emails to, all types of offenses will show up depending on the email alert policy. The default policy will report "Multiple Authentication failed from same username to same destination" as usual. False positives need tuning. Please look at https://www.youtube.com/watch?v=xhrYeD3Pxiw as a starting point; it includes ways to troubleshoot. The easiest way to troubleshoot your policies is to use logrun.pl to import your exported log payload. Please see Jose at https://www.youtube.com/watch?v=LHv6_JjhFU4

    The email password is OK. Don't change the qradar password as long as you don't need to. When you do, use the Admin tab. Of course you can whitelist the qradar user using a NOT condition.



    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------
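The NOT condition Karl mentions, as an added example that is not from the thread or from QRadar itself: a Python approximation of the rule's "same username to same destination" counting over constructed authentication-failure events, comparing a blanket exclusion of the qradar username with one scoped to the QRadar host's source address. The threshold (5 failures in 10 minutes), host IPs and event data are assumptions, not values from the page.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                    # assumed rule threshold, not QRadar's documented default
WINDOW = timedelta(minutes=10)   # assumed rule window

def _burst(start, user, src, dst, n=THRESHOLD):
    """Constructed sample data: n failures, one per minute, from src against dst."""
    t0 = datetime.fromisoformat(start)
    return [(t0 + timedelta(minutes=i), user, src, dst) for i in range(n)]

# Constructed events (timestamp, username, source IP, destination IP); all IPs are assumptions.
QRADAR_HOST = "10.0.0.5"         # assumed address of the QRadar console sending alert mail
EVENTS = (
    _burst("2023-03-13T09:00:00", "qradar", QRADAR_HOST, "10.0.0.25")   # the mail-relay false positive
    + _burst("2023-03-13T09:10:00", "qradar", "192.168.7.7", "10.0.0.25")  # same account, unexpected source
    + _burst("2023-03-13T09:20:00", "jdoe", "192.168.7.8", "10.0.0.25")    # an ordinary user account
)

def find_offenses(events, threshold=THRESHOLD, window=WINDOW, exclude=None):
    """Return the set of (username, destination) pairs that reach `threshold`
    failures within `window`. `exclude(user, src)` plays the role of the
    rule's NOT condition: events it matches are dropped before counting."""
    buckets = defaultdict(deque)
    offenses = set()
    for ts, user, src, dst in sorted(events):
        if exclude is not None and exclude(user, src):
            continue
        q = buckets[(user, dst)]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            offenses.add((user, dst))
    return offenses

def exclude_username(user, src):
    """Blanket NOT condition: ignore every failure for the qradar account."""
    return user == "qradar"

def exclude_username_from_console(user, src):
    """Scoped NOT condition: ignore the account only when the source is the QRadar host,
    so failures for the same account from anywhere else still count."""
    return user == "qradar" and src == QRADAR_HOST
```

The scoped variant keeps the offense for the qradar account when the failures come from a host other than the console, which the blanket username exclusion would hide.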



  • 3.  RE: QRadar Email fires too many offenses

    Posted Thu March 16, 2023 07:36 AM

    Great, thanks Mr. Karl Jaeger for your response.
    I am not sending to root@localhost, but let me break it down: by "the from address you specify in system settings should match your QRadar host name" you mean that my domain name, like "entitydomain.com", is correct. So yes, I am sure, and it's already sending emails well.
    It only fails to authenticate randomly, so I think I will go with excluding the username as you said.



    ------------------------------
    Ahmed K. Awwad
    ------------------------------