IBM Support

(PRIVATE) QRadar: How can you test email services from QRadar

Question & Answer


Question

Is there a way to test the mail server from QRadar to determine whether it is sending offenses or scheduled report emails?

Cause

It is not always apparent whether QRadar is actually delivering email to the mail server. Offense notifications are emailed from the Event Processor (EP) that generated the response, whereas scheduled reports are sent from the Console.

Answer

You can test whether the mail server accepts reports and offense notifications from QRadar. Using this procedure, you connect to the mail server from the QRadar appliance and run SMTP commands by hand to verify that it is functioning properly.

Procedure to test email services from QRadar:

  1. Connect to the QRadar Console by using SSH.
  2. Scan your SMTP server for open ports:

    nmap -pT:25,465,587 <IP address>

    Starting Nmap 6.40 ( https://nmap.org/ ) at 2023-08-10 08:25 EDT
    Nmap scan report for <SERVERNAME> (xxx.xxx.xxx.xxx)
    Host is up (0.00012s latency).
    PORT    STATE  SERVICE
    25/tcp  closed smtp
    465/tcp closed smtps
    587/tcp closed submission

    In this sample output all three ports are reported closed; at least one of them must be open for the next step to succeed.

  3. From the QRadar Console, connect to the email server on the port that the scan showed open.

    For unencrypted communication (appropriate only on a local network, and only if port 25 is open):

    # nc [MAIL SERVER IP ADDRESS] 25

    Or, more commonly today, using encrypted communication over SSL or TLS:

    # openssl s_client -starttls smtp -connect [MAIL SERVER IP ADDRESS]:587
    or
    # openssl s_client -connect [MAIL SERVER IP ADDRESS]:465

    Note: Replace [MAIL SERVER IP ADDRESS] with the address of your mail server.
  4. In the open SMTP session, type the EHLO command followed by the hostname or the IP address of the email server that the QRadar appliance uses.

    EHLO smtp.my_mail_server.com

    The server responds with something similar to the following:

    250-smtp.my_mail_server.com
    250-8BITMIME
    250-PIPELINING
    250-SIZE 31457280
    250-AUTH LOGIN
    250 AUTH=PLAIN LOGIN
  5. Depending on the server configuration, you might need to log in to the mail server, which is done with either AUTH PLAIN or AUTH LOGIN (the EHLO response lists the mechanisms the server supports). If the mail server does not require authentication, proceed directly to step 7.
  6. In a separate command line, connect to the QRadar Console by using SSH and encode your email username and password in Base64 format (Base64 is an encoding, not encryption, so send the AUTH command only over a TLS-protected session):

    # echo -ne "\0username\0password" | base64
    AHVzZXJuYW1lAHBhc3N3b3Jk 
    
    Back in your main mail session, send the encoded string with the AUTH PLAIN command:
    AUTH PLAIN AHVzZXJuYW1lAHBhc3N3b3Jk
    235 Authentication successful

    Alternatively, for AUTH LOGIN you need two separate Base64 strings, so do the conversion twice:

    # echo -ne "username" | base64
    dXNlcm5hbWU=
    # echo -ne "password" | base64
    cGFzc3dvcmQ=
    
    Back in your main mail session, send the AUTH LOGIN command and answer each 334 prompt with the matching string:
    AUTH LOGIN
    334 VXNlcm5hbWU6
    dXNlcm5hbWU=
    334 UGFzc3dvcmQ6
    cGFzc3dvcmQ=
    235 Authentication successful
    
  7. After you are logged in to the mail server (or if no login is required), type the MAIL FROM command with the sender address:

    MAIL FROM: administrator@qradar.com
  8. Enter the RCPT TO command with the email address that you want the test email to be sent to:

    RCPT TO: Account@email_address.com
  9. Enter the DATA command to begin entering the body of the email:

    DATA
  10. Enter the body of the email. To end the message and send it, press Enter, type a single period (.) on a line by itself, and press Enter again.

    Hello,
    This is a test email
    .
  11. Quit the session.

    quit


Result: The RCPT TO mailbox should receive the test email, sent from the address that is listed in the MAIL FROM field.
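The same checks scripted in Python, as an added example that is not part of the IBM page or of QRadar: it builds the AUTH PLAIN and AUTH LOGIN strings the way the echo commands above do, reads the capabilities out of an EHLO reply such as the sample in step 4, and drives a full test session. The host, port, sender and recipient are assumptions you supply; the credentials and EHLO text reuse the page's placeholder values.

```python
import base64
import smtplib
import ssl

def auth_plain_token(username, password):
    """NUL + user + NUL + password, Base64-encoded: the same string the page's
    `echo -ne "\\0username\\0password" | base64` produces (-n: no newline)."""
    return base64.b64encode(f"\0{username}\0{password}".encode()).decode()

def auth_login_tokens(username, password):
    """AUTH LOGIN sends username and password as two separate Base64 strings."""
    return tuple(base64.b64encode(s.encode()).decode() for s in (username, password))

def parse_ehlo(ehlo_text):
    """Extract STARTTLS, SIZE and AUTH mechanisms from "250-..." EHLO lines."""
    caps = {"starttls": False, "size": None, "auth": set()}
    for line in ehlo_text.splitlines():
        line = line.strip()
        if line[:3] == "250":
            line = line[4:]                       # drop the "250-" / "250 " prefix
        key, _, rest = line.upper().partition(" ")
        if key == "STARTTLS":
            caps["starttls"] = True
        elif key == "SIZE" and rest.isdigit():
            caps["size"] = int(rest)
        elif key == "AUTH" or key.startswith("AUTH="):   # "AUTH=PLAIN" is the legacy form
            caps["auth"].update(([key[5:]] if "=" in key else []) + rest.split())
    return caps

def send_test_mail(host, port, sender, recipient, username=None, password=None):
    """Script the manual session: implicit TLS on 465, STARTTLS on 587, plain on 25."""
    ctx = ssl.create_default_context()
    smtp = (smtplib.SMTP_SSL(host, port, timeout=10, context=ctx) if port == 465
            else smtplib.SMTP(host, port, timeout=10))
    with smtp:
        smtp.ehlo()
        if port != 465 and smtp.has_extn("starttls"):
            smtp.starttls(context=ctx)
            smtp.ehlo()                           # capabilities change after STARTTLS
        secure = isinstance(smtp.sock, ssl.SSLSocket)
        caps = parse_ehlo(smtp.ehlo_resp.decode())   # smtplib strips the 250 codes
        if caps["auth"] and username is not None:
            if not secure:
                raise RuntimeError("refusing to send credentials over a cleartext session")
            smtp.login(username, password)        # smtplib picks PLAIN or LOGIN itself
        msg = (f"From: {sender}\r\nTo: {recipient}\r\nSubject: QRadar SMTP test\r\n"
               "\r\nHello,\r\nThis is a test email\r\n")
        smtp.sendmail(sender, [recipient], msg)
    return caps
```

Run it from the appliance that sends the email, for example send_test_mail("smtp.my_mail_server.com", 587, "administrator@qradar.com", "Account@email_address.com", "username", "password"); the returned capabilities tell you whether the server offered STARTTLS and which AUTH mechanisms it advertised.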


Document Information

Modified date:
01 September 2023

UID

swg21988483