IBM Security QRadar

  • 1.  QRadar Email Notification

    Posted Thu November 03, 2022 11:37 AM

    Hello,
    I have configured the email server on the QRadar instance. When I performed a manual SMTP test, it works fine.
    However, when I try to trigger an email notification via an offense, it doesn't work. Please advise on how to fix this.
    QRadar version: 7.4.2

    Thanks in advance.



    ------------------------------
    --
    Thanks and Best Regards,
    Siddarth
    ------------------------------


  • 2.  RE: QRadar Email Notification

    Posted Thu November 03, 2022 11:41 AM
    The local Event Processor is the host sending the email alert for a
    detection on a rule set to be detected by the LOCAL system, not the
    console (unless it is detected at the console :) or is a GLOBAL rule. I
    know in my QRadar admin past I've often had to get all my Event and
    Flow Processor IPs or VIP IPs cleared by email administrators to get
    alerts through.

    Also confirm that the email settings and any required host files on all
    QRadar appliances are applicable to the env.




  • 3.  RE: QRadar Email Notification

    Posted Thu November 03, 2022 12:12 PM
    Hello,
    This is a standalone instance - it's just one ALL-IN-ONE instance. There are no managed hosts in the architecture.
    How can I fix the issue?

    ------------------------------
    --
    Thanks and Best Regards,
    Siddarth
    ------------------------------



  • 4.  RE: QRadar Email Notification

    Posted Thu November 03, 2022 12:15 PM
    OK, I have also needed a full deploy in the past to solve that issue.
    After that I run rule tests to make sure it's firing.




  • 5.  RE: QRadar Email Notification

    IBM Champion
    Posted Mon November 07, 2022 09:25 AM
    When testing email rules, start with root@localhost in the first place. Double-check local email using the mail command line. After that, send your email to your external server. Check the rules on the server so messages are not forwarded to the email bin because of an internal rule like unknown sender domain or similar.

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------



  • 6.  RE: QRadar Email Notification

    Posted Mon November 21, 2022 09:35 AM

    What did you mean by "When I performed a manual SMTP test, it works fine"?

    Can you provide the output of the nc command?
    nc mailserver used_port
    220 mailserver  Service ready at Mon, 21 Nov 2022 16:03:20 +0200

    Then press Ctrl+C to terminate the connection.

    You can also try the openssl command to diagnose your issue:

    openssl s_client -connect mailserver:<used_port> -starttls smtp


    I've had this issue but I forgot the solution. As a temporary solution I recommend using an action script, because QRadar has Python smtplib:

    #!/usr/bin/python
    # -*- coding: utf-8 -*-
    from os import system
    from sys import argv
    import smtplib

    def send(who, subj, mess):
        try:
            # Connect to the mail server and upgrade the session with STARTTLS
            smtp = smtplib.SMTP('mailserver', 587)
            smtp.starttls()
            smtp.login("<your_mail_login>", "password")
            # Defining the message
            message = 'Subject: {}\n\n{}'.format(subj, mess)
            # Sending the email
            smtp.sendmail("<your_mail_login>@domain.tld", who, message)
            smtp.quit()
            print("Email sent successfully!")
        except Exception as ex:
            print("Something went wrong ....", ex)

    Use my code fragment to send mail.

    ------------------------------
    Bohdan
    ------------------------------
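
Added example, not part of Bohdan's post or of QRadar: a variant of the action-script fragment above that verifies the mail server's certificate during STARTTLS, keeps the password out of the script, and strips line breaks from header values that come from offense data. It assumes Python 3 is available on the host; the ALERT_SMTP_* environment variable names and the command-line argument order are hypothetical.

```python
#!/usr/bin/env python3
# Added example (not the poster's code): hardened variant of the send() fragment.
import os
import smtplib
import ssl
import sys
from email.message import EmailMessage

# Hypothetical settings, read from the environment so no password lives in the script.
SMTP_HOST = os.environ.get("ALERT_SMTP_HOST", "mailserver")
SMTP_PORT = int(os.environ.get("ALERT_SMTP_PORT", "587"))
SMTP_USER = os.environ.get("ALERT_SMTP_USER", "")
SMTP_PASS = os.environ.get("ALERT_SMTP_PASS", "")


def one_line(value):
    """Collapse CR/LF and other whitespace runs so a value cannot add headers."""
    return " ".join(str(value).split())


def build_message(sender, recipient, subject, body):
    """Build the alert with EmailMessage instead of string formatting."""
    msg = EmailMessage()
    msg["From"] = one_line(sender)
    msg["To"] = one_line(recipient)
    msg["Subject"] = one_line(subject)
    msg.set_content(body)
    return msg


def send(sender, recipient, subject, body, timeout=15):
    """Send over STARTTLS with certificate and hostname verification."""
    context = ssl.create_default_context()  # verifies the server certificate
    with smtplib.SMTP(SMTP_HOST, SMTP_PORT, timeout=timeout) as smtp:
        smtp.starttls(context=context)
        if SMTP_USER:
            smtp.login(SMTP_USER, SMTP_PASS)
        smtp.send_message(build_message(sender, recipient, subject, body))


if __name__ == "__main__":
    # Constructed usage: script.py <from> <to> <subject> <body>
    if len(sys.argv) != 5:
        sys.exit("usage: %s <from> <to> <subject> <body>" % sys.argv[0])
    try:
        send(*sys.argv[1:5])
    except (smtplib.SMTPException, ssl.SSLError, OSError) as ex:
        sys.exit("Email not sent: %s" % ex)
    print("Email sent successfully!")
```

If the mail server presents a certificate from an internal CA, the TLS step fails until that CA is in the host's trust store, which is the same condition the openssl s_client check above reports as a verification error.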