IBM Support

MustGather: Information to collect when troubleshooting issues with IBM Security QRadar SOAR Inbound Email

Troubleshooting


Problem

Collect troubleshooting data for problems with IBM Security QRadar SOAR Inbound Email. Gathering this information before contacting IBM support will help familiarize you with the troubleshooting process and save you time.

Resolving The Problem

Email parsing problems
For problems ingesting emails, gather the following information:
  • Run sudo resPackageLogs -l 7 (on-premises only)
    • What time zone is the server set to use?
  • Describe the problem, providing screenshots and other contextual information, so that it can be accurately relayed to IBM Support
  • Take multiple screen grabs, ensuring you display all pages from the inbound email configuration
  • Is the email shown in the SOAR Inbox when it should not be?
    • Download the email from the SOAR Inbox using the instructions here
    • Take a screen grab of the SOAR Inbox and identify the affected email
    • Provide the value from the ID column as seen in the SOAR Inbox
    • If you use an email parsing script, copy the script into a text file and upload it to the case
      • Can you successfully run the email parsing script manually on the affected email?
        • Is the email removed from the SOAR Inbox?
  • What date and time did the problem occur?
    • What time zone is the reported time?
  • What is the affected email's message ID?
  • Does the affected email show as unread in your email client?
  • Download the affected email in .eml or .msg format from your email client
  • What email server software do you use?
  • Is your email server on premises or in the cloud?
  • What protocol are you using to connect?
    • IMAP, EWS or OAuth
  • Are you using a shared email account?
  • Do you use a proxy? (on-premises only)
    • Does the proxy perform SSL inspection?
    • Ensure the proxy allows access to
      • login.microsoftonline.com
      • outlook.office365.com
    • Do you use OAuth?
    • Do you use EWS?
      • Run cURL command to test connection between SOAR and email server
        • curl -v -u '<email id>':'<password>' -L https://<email server>/EWS/Exchange.asmx -H "Content-Type:text/xml"
  • Check that the certificate is correct
    • Download the certificate from email server
      • openssl s_client -connect <HOST>:<PORT> -showcerts
    • Alternatively, use this command to return all the certificates in a chain.
      • keytool -printcert -rfc -sslserver <HOST>:<PORT> > cacerts.pem
    • Some SMTP servers that use STARTTLS might need you to run a slightly different command. This command tells openssl to issue the STARTTLS command before starting TLS. Remember, if it is a chain, you need to copy the certificates manually.
      • openssl s_client -starttls smtp -connect <HOST>:<PORT> -crlf -showcerts
  • These commands output the certificate's details, such as the subject, validity, signature algorithm, and subject alternative names.
    • openssl x509 -in cacerts.pem -text -noout
    • keytool -printcert -v -file cacerts.pem
  • Upload all data to the case
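
The certificate steps above, as an added example that is not part of the IBM document: `openssl x509 -in cacerts.pem` reads only the first certificate in a file, so a saved chain has to be split before every certificate in it can be checked. The function names, the `cert-N.pem` file names and the sample output are assumptions constructed for illustration.

```shell
# Added example, not IBM code. Function and file names are assumptions.
# Constructed sample shaped like `openssl s_client -showcerts` output;
# the base64 bodies are placeholders, not real certificates.
sample_showcerts() {
cat <<'EOF'
Certificate chain
 0 s:CN = mail.example.test
   i:CN = Example Test CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
 1 s:CN = Example Test CA
   i:CN = Example Test CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0E=
-----END CERTIFICATE-----
EOF
}

# split_chain INPUT OUTDIR: write each PEM block to OUTDIR/cert-N.pem, print the count.
split_chain() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert-%d.pem", dir, n); inblock = 1 }
        inblock                       { print > out }
        /-----END CERTIFICATE-----/   { if (inblock) { close(out); n++; inblock = 0 } }
        END                           { print n + 0 }
    ' "$1"
}

# inspect_chain OUTDIR [DAYS]: summarize every split certificate and flag any
# that expire within DAYS (default 30). Requires openssl and real certificates.
inspect_chain() {
    days=${2:-30}
    for f in "$1"/cert-*.pem; do
        [ -e "$f" ] || continue
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer -dates || { echo "unparseable: $f"; continue; }
        openssl x509 -in "$f" -noout -ext subjectAltName 2>/dev/null || true
        openssl x509 -in "$f" -noout -checkend $((days * 86400)) >/dev/null ||
            echo "WARNING: expires within $days days (or has already expired)"
    done
}

# Demo on the constructed sample (splitting only; the placeholders do not parse).
demo_dir=$(mktemp -d) && sample_showcerts > "$demo_dir/showcerts.txt"
echo "certificates found: $(split_chain "$demo_dir/showcerts.txt" "$demo_dir/certs")"
rm -rf "$demo_dir"
```

With a real capture, save the `openssl s_client -showcerts` output to a file, run `split_chain` on it, then run `inspect_chain` on the output directory.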

Document Location

Worldwide

Document Information

Modified date:
29 May 2024

UID

ibm16574095