IBM Support

QRadar: How can you test email services from QRadar

Question & Answer


Question

Is there a way to test the mail server from QRadar to determine whether it is sending offenses or scheduled report emails?

Cause

It is not always apparent whether QRadar is sending emails to the mail server. Offenses are emailed from the Processor that generated the response, but reports come from the Console.

Answer

There is a way to test whether a mail server is sending reports and offenses. This procedure has you connect to the mail server and run commands to help you determine whether the mail server is working properly.

Procedure to test email services from QRadar:

  1. Connect to the QRadar Console by using SSH.
  2. Scan your SMTP Server for open ports.
    nmap -pT:25,465,587 <IP address>
    
    Starting Nmap 6.40 ( http://nmap.org ) at 2023-08-10 08:25 EDT
    Nmap scan report for <SERVERNAME> (xxx.xxx.xxx.xxx)
    Host is up (0.00012s latency).
    PORT    STATE  SERVICE
    25/tcp  closed smtp
    465/tcp closed smtps
    587/tcp closed submission
  3. From the QRadar Console that you are sending email from, connect to your email server on the open port.
    telnet IPADDRESS PORT
    Or
    openssl s_client -connect IPADDRESS:PORT -starttls smtp
    Note: Change IPADDRESS and PORT to the required server details.
  4. At the email server's command prompt, type the EHLO command by using the name or IP address of the email server that is used by the QRadar appliance.
    EHLO smtp.my_mail_server.com
  5. Type the Mail from line:
    MAIL FROM: administrator@qradar.com
  6. Enter the email address that you want the email to be sent to:
    RCPT TO: Account@email_address.com
  7. Enter the DATA command to begin entering the body of the email:
    DATA
  8. Enter the body of the email. To end and send the email, press Enter, type a period (.) on a line by itself, and press Enter again.
    Hello,
    This is a test email
    .
  9. Quit the session.
    quit

Result: You should receive the test email from the account that is listed in the MAIL FROM field.
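
The manual dialog in steps 4 to 9, scripted so that it can be repeated from the Console and from each Processor and so that the failing stage is recorded. This is an added example, not IBM code; it assumes Python 3 is available on the host, and the names `smtp_probe`, `delivered` and `smtp_probe.py` are hypothetical.

```python
"""Scripted form of manual SMTP steps 4-9. Added example, not IBM code."""
import smtplib
import ssl
import sys

# Constructed test message, same body as step 8.
TEST_BODY = "Subject: QRadar SMTP test\r\n\r\nHello,\r\nThis is a test email\r\n"


def smtp_probe(host, port, mail_from, rcpt_to, ehlo_name, starttls=False, timeout=10):
    """Return [(step, code, text)]; stops at the first 4xx/5xx reply."""
    results = []
    try:
        with smtplib.SMTP(host, port, local_hostname=ehlo_name, timeout=timeout) as s:
            steps = [("EHLO", s.ehlo)]
            if starttls:  # same upgrade as `openssl s_client -starttls smtp`
                tls = ssl.create_default_context()  # verifies the server certificate
                steps += [("STARTTLS", lambda: s.starttls(context=tls)), ("EHLO/TLS", s.ehlo)]
            steps += [
                ("MAIL FROM", lambda: s.mail(mail_from)),
                ("RCPT TO", lambda: s.rcpt(rcpt_to)),
                ("DATA", lambda: s.data(TEST_BODY)),
            ]
            for name, call in steps:
                code, text = call()
                results.append((name, code, text.decode("ascii", "replace")))
                if code >= 400:  # 4xx = temporary failure, 5xx = permanent rejection
                    break
    except (smtplib.SMTPException, OSError) as exc:
        # Refused or timed-out connection, TLS failure, STARTTLS not offered, DATA refused.
        results.append(("ERROR", getattr(exc, "smtp_code", 0), str(exc)))
    return results


def delivered(results):
    """True only when the server accepted the message body (250 after DATA)."""
    return bool(results) and results[-1][:2] == ("DATA", 250)


if __name__ == "__main__":
    if len(sys.argv) != 6:
        sys.exit("usage: smtp_probe.py HOST PORT MAIL_FROM RCPT_TO EHLO_NAME")
    host, port, mail_from, rcpt_to, ehlo_name = sys.argv[1:]
    outcome = smtp_probe(host, int(port), mail_from, rcpt_to, ehlo_name)
    for step, code, text in outcome:
        print(f"{step:10} {code} {text}")
    sys.exit(0 if delivered(outcome) else 1)
```

A 250 reply after DATA only shows that the mail server accepted the message; the Result check below the procedure (the email arriving in the mailbox) still applies.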


 


Document Information

Modified date:
01 September 2023

UID

swg21988483