IBM QRadar SOAR


Email Parsing Script - change Incident Type

  • 1.  Email Parsing Script - change Incident Type

    Posted Wed April 01, 2020 10:32 AM
    Hi,

    I am currently trying to customize the email parsing script.

    Now one issue I face is that I haven't found yet a way to manipulate the incident_type_ids field when creating the incident.

    The function 
    emailmessage.createAssociatedIncident(newIncidentTitle, newIncidentOwner)
    only takes title and owner parameters but no type.
    Is there a way to overload this function?
    Actually where do I find the code for this function?

    Sorry for all these questions but I've just started to dig into playbook design.
    So if there is a guide or documentation for this please just let me know.


    ------------------------------
    Best,
    Achim
    ------------------------------


  • 2.  RE: Email Parsing Script - change Incident Type

    Posted Thu April 02, 2020 05:49 AM
    Hi Achim

    You should find the answer in the documentation that goes with the email parser script on the app exchange:
    https://exchange.xforce.ibmcloud.com/api/hub/extensionsNew/a0f044e3bd8cc36bd55c7eb9b7147177/ExampleEmailParsingScripts.pdf

    # Add "Phishing" as an incident type for the associated incident
    incident.incident_type_ids.append("Phishing")


    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------



  • 3.  RE: Email Parsing Script - change Incident Type

    Posted Thu April 02, 2020 06:25 AM
    Thank you very much for the information.

    I also figured out that the version of this script I have is 32.2... so this line is not in my current version.

    I'll update the script accordingly.

    Thanks,

    ------------------------------
    Achim Quehenberger
    ------------------------------



  • 4.  RE: Email Parsing Script - change Incident Type

    Posted Fri April 10, 2020 11:12 AM
    Edited by Achim Quehenberger Fri April 10, 2020 11:12 AM
    Hi!

    Unfortunately this didn't work.

    I added the line 
    incident.incident_type_ids.append("Phishing")

    Just to receive the below error message.

    But this is something I actually still have an issue with: Is there any overall documentation of the Resilient Python libraries? So like some documentation where I can read what classes are there, what kind of functions and fields those classes have ... and so on...
    For example I don't want to append another incident type, I want to predefine it and overload the function
    "emailmessage.createAssociatedIncident(newIncidentTitle, newIncidentOwner)"
    where I can pass 3 parameters instead of just title and owner... like
    "emailmessage.createAssociatedIncident(newIncidentTitle, newIncidentOwner, newIncidentType)"


    Is there such a documentation or a wiki like this available?

    Thanks
    Achim


    ------------------------------
    Achim Quehenberger
    ------------------------------



  • 5.  RE: Email Parsing Script - change Incident Type

    Posted Sun April 12, 2020 10:42 AM
    Got the same error with "append" :( (and did open a ticket)

    As a workaround, I propose you test the following line at the END of the email script (for me line 577), and it did work on my script.
    incident.incident_type_ids = list(incident.incident_type_ids) + ["Phishing"]

    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------



  • 6.  RE: Email Parsing Script - change Incident Type

    Posted Wed April 15, 2020 02:10 AM
    Hello!

    Make sure the value "Phishing" exists in the list of values for the incident.incident_type_ids field in customization settings, because for me the following has always worked:

    incident.incident_type_ids = "Phishing"

    Hope this helps

    ------------------------------
    Zohra SMAIL
    ------------------------------



  • 7.  RE: Email Parsing Script - change Incident Type

    Posted Wed April 15, 2020 03:49 AM
    Hello!

    Yes, it is in this list. "Phishing" is just an example; I have other values for the incident types, e.g.
    "UC-001 Phishing Email"

    I created this incident type and copy-pasted it into the script. Did not work.

    The line from Benoit Rostagni did work! Thanks for that!

    ------------------------------
    Achim Quehenberger
    ------------------------------



  • 8.  RE: Email Parsing Script - change Incident Type

    Posted Thu April 23, 2020 12:15 PM

    I have found the issue, it depends on where you add the line!

    If you follow current documentation
    https://www.ibm.com/support/knowledgecenter/SSBRUQ_36.0.0/doc/playbook/script_eample_custom.html

    ###
    Mainline starts here
    ###

    # Add "Phishing" as an incident type for the associated incident
    incident.incident_type_ids.append("Phishing")

    it does not work as "incident" is not defined. It is defined below on line 537:
    incidents = helper.findIncidents(query)

    So you need to place it AFTER line 537, and it seems not documented correctly.
    So, not a bug, but a default in Documentation.



    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------



  • 9.  RE: Email Parsing Script - change Incident Type

    Posted Thu April 23, 2020 01:09 PM

    I have found the issue, it depends on where you add the line!

    If you follow current documentation
    https://www.ibm.com/support/knowledgecenter/SSBRUQ_36.0.0/doc/playbook/script_eample_custom.html

    ###
    Mainline starts here
    ###

    # Add "Phishing" as an incident type for the associated incident
    incident.incident_type_ids.append("Phishing")

    it does not work as "incident" is not defined. It is defined below on line 537:
    incidents = helper.findIncidents(query)

    So you need to place it AFTER line 537, and it seems not documented correctly.
    So, not a bug, but a default in Documentation.



    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------



  • 10.  RE: Email Parsing Script - change Incident Type

    Posted Fri April 24, 2020 03:25 AM
    Good morning,

    Actually incident seems to be defined as I added your proposal 
    incident.incident_type_ids = list(incident.incident_type_ids) + ["Phishing"]
    after that line. And there incident is recognized. This solution worked fine. Thanks for that.

    But the line you mention above defines a "list" called incidents (with an s at the end) and not an object of the type "incident".
    This list holds "all" incidents with the incident name you'd like to create at this moment. Line 537 just creates this list to check in line 539 whether this list is empty (then a new incident should be created) or whether there is already an incident with that name (then it will associate the email with the existing incident).

    Because when I try this:

    incidents.incident_type_ids.append(newIncidentType)

    I get the following error:

    (the line number is different in my script as I already coded some additional functions in the script, but we're talking about the same section)


    ------------------------------
    Achim Quehenberger
    ------------------------------



  • 11.  RE: Email Parsing Script - change Incident Type

    Posted Fri April 24, 2020 10:08 AM
    You are correct, so it is not because of line 537:
    incidents = helper.findIncidents(query)

    But it is because of another (unknown) reason!
    If I place
    incident.incident_type_ids.append("Phishing")
    at the LAST line... it works!

    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------
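The two points the thread settles on, that in-place `append` on `incident.incident_type_ids` fails while assigning a new list works (posts 5 to 7), and that the type has to be set on the incident after it exists, ideally through a wrapper that takes the type as a third parameter (posts 4 and 8 to 11), as an added example that is not part of the thread and not IBM's email parsing script. The `Incident` and `EmailMessage` classes, the `CONFIGURED_INCIDENT_TYPES` list and the tuple-backed field are assumptions that model the behaviour the posts report, not the Resilient script engine's real objects:

```python
# Added example, not code from the thread or from IBM's email parsing script.
# It models the behaviour the thread reports: appending to
# incident.incident_type_ids does not take effect, while assigning a new list
# does. Incident and EmailMessage are stand-ins (assumptions), not the
# Resilient script-engine objects.

# Constructed list of incident types as they would be configured under
# customization settings (assumption: names are matched exactly).
CONFIGURED_INCIDENT_TYPES = ["Phishing", "Malware", "UC-001 Phishing Email"]


class Incident:
    """Stand-in for the script engine's incident object (assumption).

    The type list is exposed as a tuple, so incident.incident_type_ids.append(...)
    raises AttributeError, modelling the failure reported in the thread; only
    assignment through the setter changes the stored value.
    """

    def __init__(self, name, owner, incident_type_ids=()):
        self.name = name
        self.owner_id = owner
        self._incident_type_ids = tuple(incident_type_ids)

    @property
    def incident_type_ids(self):
        # Reads return an immutable snapshot, so in-place mutation cannot persist.
        return self._incident_type_ids

    @incident_type_ids.setter
    def incident_type_ids(self, value):
        # Accept a list or a single string (one post assigns a bare string).
        if isinstance(value, str):
            value = [value]
        self._incident_type_ids = tuple(value)


class EmailMessage:
    """Stand-in for the script engine's emailmessage object (assumption)."""

    def __init__(self):
        self.associated_incident = None

    def createAssociatedIncident(self, title, owner):
        # Mirrors the two-parameter signature quoted in the thread.
        self.associated_incident = Incident(title, owner)
        return self.associated_incident


def add_incident_type(incident, type_name, configured=CONFIGURED_INCIDENT_TYPES):
    """Add type_name to an incident without relying on in-place append.

    Validates the name against the configured incident types first (the point
    raised in post 6: the value must exist in customization settings), then
    reassigns a new list, the workaround confirmed in post 7.
    Returns the resulting tuple of types.
    """
    if type_name not in configured:
        raise ValueError("incident type %r is not configured" % type_name)
    current = list(incident.incident_type_ids)
    if type_name not in current:  # keep the operation idempotent
        incident.incident_type_ids = current + [type_name]
    return incident.incident_type_ids


def create_associated_incident_with_type(emailmessage, title, owner, type_name):
    """Wrapper giving the three-parameter call asked for in post 4.

    It calls the two-parameter createAssociatedIncident and then sets the type
    on the returned incident, so the type is applied after the incident exists,
    which is where the thread found the assignment has to go.
    """
    incident = emailmessage.createAssociatedIncident(title, owner)
    add_incident_type(incident, type_name)
    return incident


def append_fails(incident):
    """Return True if in-place append on the type field raises, as reported."""
    try:
        incident.incident_type_ids.append("Phishing")
    except AttributeError:
        return True
    return False


if __name__ == "__main__":
    msg = EmailMessage()
    inc = create_associated_incident_with_type(msg, "Suspicious mail", "soc-team", "Phishing")
    print(inc.incident_type_ids)                            # ('Phishing',)
    print(append_fails(inc))                                # True
    print(add_incident_type(inc, "UC-001 Phishing Email"))  # ('Phishing', 'UC-001 Phishing Email')
```

The validation step is what makes the workaround safe to keep in a production script: a type name that is misspelled or not yet created in customization settings fails loudly at the script rather than silently leaving the incident untyped, which is the symptom post 7 describes for a copy-pasted custom type name.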