IBM QRadar SOAR
  • 1.  Integrate responses to emails as a note to an incident

    Posted Mon July 15, 2019 04:53 AM
    Hello team,

    I am currently implementing a workflow in which Resilient sends tasks by email to users, who then send responses back by email to be integrated as a note as part of the incident life cycle.

    I use the outbound-email package to send tasks, and this works fine for me so far. For the responses I used to use the IRHUB service, but now, with the new parsing script, I wonder if it's still doable. Any insight on this would be very helpful.

    Thanks in advance for your help.

    ------------------------------
    Zohra SMAIL
    ------------------------------


  • 2.  RE: Integrate responses to emails as a note to an incident

    Posted Tue July 16, 2019 06:35 AM
    Hello,
      The IRHUB and associated scripts will not stop working.
      What mechanism are you currently using to add the note to the task?
    -P.J.

    ------------------------------
    Patrick (PJ) McKenna
    Resilient Development
    ------------------------------



  • 3.  RE: Integrate responses to emails as a note to an incident

    Posted Tue July 16, 2019 01:09 PM
    Edited by Jared Fagel Tue July 16, 2019 01:14 PM
    Hi, this is quite doable. I have this working in our environment.

    The way we do it is as follows...
    1.  Append to start of subject line for all emails sent from Resilient:
        '[Resilient Incident ID# ' + str(incident.id) + '] ' + str(rest_of_subject_here)

    2.  Create an email parser script for incoming emails containing '[Resilient Incident ID#' (indicating a reply) that adds the body and email info into a note, re-opening the incident if needed.

    3.  Create a rule that looks for emails containing '[Resilient Incident ID#' in the subject line.

    You can see our full email parser script for this here on GitHub.


    ------------------------------
    Jared Fagel
    Cyber Security Analyst Intern
    Public Utility
    ------------------------------
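The three steps above, as an added Python example that is not part of this post or of the GitHub script it links to: the subject-line tagging, the incident-id extraction a parser (or the rule in step 3) would key on, and the note payload built from a constructed sample reply. The marker text follows the post; the function names, the sample message and the returned dict are assumptions, and the calls that actually add the note or reopen the incident are left to the platform's own API.

```python
import re
from email import message_from_string
from email.message import Message
from typing import Optional

# Subject-line marker in the convention the post describes.
# The regex captures only a run of digits: the subject is an untrusted,
# sender-controlled header, so nothing else is accepted as an incident id.
SUBJECT_PREFIX = "[Resilient Incident ID# "
INCIDENT_TAG_RE = re.compile(r"\[Resilient Incident ID#\s*(\d+)\]")

# Constructed sample reply (hypothetical addresses), in the shape a
# mail-to-note parser would receive after a user answers a task email.
SAMPLE_REPLY = (
    "From: analyst@example.com\r\n"
    "To: soar-inbox@example.com\r\n"
    "Date: Tue, 16 Jul 2019 13:09:00 +0000\r\n"
    "Subject: RE: [Resilient Incident ID# 2100] Task: review proxy logs\r\n"
    "\r\n"
    "Checked the logs, nothing beyond the two known hosts.\r\n"
    "Closing my part of the task.\r\n"
)


def tag_subject(incident_id: int, rest_of_subject: str) -> str:
    """Step 1: prefix the outbound subject so replies carry the incident id."""
    return f"{SUBJECT_PREFIX}{int(incident_id)}] {rest_of_subject}"


def extract_incident_id(subject: Optional[str]) -> Optional[int]:
    """Step 3's condition: return the tagged incident id, or None.

    The search runs anywhere in the subject, so 'RE:' / 'FW:' prefixes
    added by mail clients do not break matching.
    """
    match = INCIDENT_TAG_RE.search(subject or "")
    return int(match.group(1)) if match else None


def _plain_text_body(msg: Message) -> str:
    """Return the first text/plain part, decoded; attachments and HTML are skipped."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", errors="replace")
    return ""


def build_note(raw_message: str) -> Optional[dict]:
    """Step 2: turn a reply into a note payload, or None if it is not a tagged reply.

    The returned dict is what a parser script would hand to the platform;
    the actual 'add note' and 'reopen incident' calls are left to the caller.
    """
    msg = message_from_string(raw_message)
    incident_id = extract_incident_id(msg.get("Subject"))
    if incident_id is None:
        return None  # not a reply to a task email: leave it to other parsers
    body = _plain_text_body(msg).strip()
    header = (
        f"Email reply from {msg.get('From', '<unknown>')} "
        f"on {msg.get('Date', '<no date>')}:"
    )
    return {
        "incident_id": incident_id,
        "text": f"{header}\n\n{body}",
        # The id came from a header anyone can write: the caller must confirm
        # the incident exists (and that the sender may comment on it) before
        # attaching the note or reopening the incident.
        "id_source": "subject-line tag (untrusted)",
    }


if __name__ == "__main__":
    print(tag_subject(2100, "Task: review proxy logs"))
    note = build_note(SAMPLE_REPLY)
    print(note["incident_id"])
    print(note["text"])
```

Because the incident id is recovered from a header the sender controls, the parser should treat it as a lookup key only: verify the incident exists and that the sender is entitled to comment on it before the note is written, and log replies whose tag matches no incident rather than silently dropping them.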



  • 4.  RE: Integrate responses to emails as a note to an incident

    Posted Fri July 26, 2019 01:05 PM
    Hello,

    I stopped using irhub since I use an internal script for the incident creation.
    @Jared, your script helped a lot. I adapted it to my environment and so far it is doing quite what I want it to do. Thanks.


    ------------------------------
    Zohra SMAIL
    ------------------------------