IBM QRadar SOAR

  • 1.  Phishing Playbook

    Posted Mon October 16, 2023 01:48 PM

    Hello community,

    I am trying to create a phishing playbook. For that I configured an inbound email connection, added a script to extract artifacts, and a rule to automatically create an incident whenever I have an email in the inbox.

    Now I want to know how I can call that specific incident, which was created from the mailbox, in the playbook to inform the relevant team about this incident along with the attached artifacts.


    ------------------------------
    Umair Khan
    ------------------------------


  • 2.  RE: Phishing Playbook

    Posted Tue October 17, 2023 10:33 AM

    Hi Umair,

    I don't know if this could help you but here is how I would do it.

    In your script, you should have the emailmessage.createAssociatedIncident(...,...) operation. After this operation, the top-level incident variable is set so you can assign it an incident type like this:

    incident.incident_type_ids = "Phishing"

    Now, you could create a new automatic playbook with the following conditions: "incident is created" and "incident.incident_type_ids = 'Phishing'".

    When the script finishes treating the received email, the newly created incident will start your phishing playbook.

    You can also add a Notification with a similar condition:  Incident type is equal to "Phishing" and have it sent to the owner you specified in the second parameter of the createAssociatedIncident operation, which is probably the name of a group.

    HTH


    ------------------------------
    Pierre Dufresne
    ------------------------------
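The flow Pierre describes, written out as an added example that is not code from the thread or from IBM. The SOAR inbound-email script engine exposes an `emailmessage` object and, once `createAssociatedIncident(...)` has run, a top-level `incident` object; this example wraps the same steps in a function and runs them against constructed stand-in objects so it executes offline. The attribute and method names beyond the ones quoted in the answer (`subject`, `body.content`, `sender.address`, `addArtifact`, `name`, the template dict passed as the first argument) are assumptions about that script API, and the artifact type names `URL` and `Email Sender` are assumed to match the built-in SOAR artifact types; check them against your own SOAR version before pasting the logic into a real script.

```python
import re

# Added example, not from the thread or IBM. The Fake* classes are constructed
# stand-ins for the SOAR script objects so the logic can run outside SOAR;
# attribute/method names other than createAssociatedIncident and
# incident_type_ids are assumptions about the real script API.

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_indicators(body, sender):
    """Pull URLs and the sender address out of a reported message.

    Returns (artifact_type, value, description) tuples; the type names are
    assumed to match SOAR's built-in artifact types.
    """
    artifacts = []
    seen = set()
    for url in URL_RE.findall(body):
        url = url.rstrip(".,)")  # drop punctuation glued onto the link
        if url not in seen:
            seen.add(url)
            artifacts.append(("URL", url, "URL found in reported phishing body"))
    if sender:
        artifacts.append(("Email Sender", sender, "Sender of reported message"))
    return artifacts


def handle_inbound_email(emailmessage, owner="Phishing Response Team"):
    """Mirror of the inbound-email script: create the incident, tag it so the
    automatic playbook condition (type == "Phishing") fires, attach artifacts."""
    indicators = extract_indicators(emailmessage.body.content,
                                    emailmessage.sender.address)
    # First argument: incident template (assumed to be a dict of incident
    # fields); second: owner, typically a group name, as the answer notes.
    incident = emailmessage.createAssociatedIncident(
        {"name": "Phishing report: " + emailmessage.subject}, owner)
    incident.incident_type_ids = "Phishing"  # the condition the playbook keys on
    for atype, value, desc in indicators:
        incident.addArtifact(atype, value, desc)
    return incident


def notification_body(incident):
    """Text a playbook notification step can send to the owning team,
    listing the artifacts the script attached."""
    lines = ["Incident: %s" % incident.name,
             "Type: %s" % incident.incident_type_ids,
             "Owner: %s" % incident.owner,
             "Artifacts:"]
    for art in incident.artifacts:
        lines.append("  - %s: %s" % (art["type"], art["value"]))
    return "\n".join(lines)


# ---- constructed stand-ins for the SOAR script objects (offline only) ----

class _Body:
    def __init__(self, content):
        self.content = content


class _Address:
    def __init__(self, address):
        self.address = address


class FakeIncident:
    def __init__(self, template, owner):
        self.name = template.get("name")
        self.owner = owner
        self.incident_type_ids = None
        self.artifacts = []

    def addArtifact(self, atype, value, description):
        self.artifacts.append({"type": atype, "value": value,
                               "description": description})


class FakeEmailMessage:
    def __init__(self, subject, body, sender):
        self.subject = subject
        self.body = _Body(body)
        self.sender = _Address(sender)

    def createAssociatedIncident(self, template, owner):
        return FakeIncident(template or {}, owner)


# Constructed sample message, not a real phishing email.
SAMPLE = FakeEmailMessage(
    subject="Invoice overdue",
    body="Please review at http://invoice-portal.example/login?id=42. Thanks.",
    sender="billing@example.net",
)

if __name__ == "__main__":
    print(notification_body(handle_inbound_email(SAMPLE)))
```

Inside SOAR the `handle_inbound_email` body is what goes into the inbound-email script (with the real `emailmessage` in place of the stand-in), and `notification_body` shows the kind of text the playbook's notification step assembles once the "incident is created" plus "incident type is Phishing" condition has matched.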