IBM Security QRadar SOAR

 View Only
  • 1.  Using EmailMessage object

    Posted Mon October 04, 2021 03:25 PM

    Is it possible to attach the actual email to an incident using the EmailMessage object?
    For example, our SOAR is monitoring phish@xyz.com and an email is received.
    The script (as I found in the ibmresilient resilient-scripts github) will run and create the incident. 

    I would like for the actual email itself to be added to the created incident as an attachment.
    Is this possible?



    ------------------------------
    Tim Gray
    ------------------------------


  • 2.  RE: Using EmailMessage object

    Posted Tue October 05, 2021 09:29 AM
    Edited by System Thu November 11, 2021 11:15 AM
    Hi Tim,
    Thank you for using the Community. The default out of the box email parsing script adds the email message(s) directly to the incident using the following syntax:
    • Associates the email message with the new incident.
      emailmessage.associateWithIncident(incidents[0])

    More information about the process is available here:
    https://www.ibm.com/docs/en/rsoa-and-rp/37?topic=scripts-associating-email-messages-incidents
    You simply need to add the email widget in order to see the email messages which have been associated with the incident:
    https://www.ibm.com/docs/en/rsoa-and-rp/37?topic=email-lesson-5-adding-tab-layouts



    ------------------------------
    Elizabeth Hecht
    ------------------------------



  • 3.  RE: Using EmailMessage object

    Posted Tue October 05, 2021 12:42 PM
    Thank you Elizabeth.
    Is there a way for the email widget to allow the user to view the email itself or possibly download it?
    Just being able to see the email sender, subject, ... doesn't seem overly helpful to an analyst when researching phishing incidents.

    ------------------------------
    Tim Gray
    ------------------------------



  • 4.  RE: Using EmailMessage object

    Posted Wed October 06, 2021 03:26 AM
    Hello
    Once an incident is created from inbound email, the mail messages can be downloaded from E-mail tab. (apologies to the image in Japanese)


    ------------------------------
    Yohji Amano
    ------------------------------



  • 5.  RE: Using EmailMessage object

    Posted Wed October 06, 2021 11:46 AM
    I see now. I didn't have the permissions set for the user to download the emails.
    Thanks!
    I do wish it would download as an email file (eml or msg) rather than just a txt file, but I can live with this.

    ------------------------------
    Tim Gray
    ------------------------------



  • 6.  RE: Using EmailMessage object

    Posted Tue October 12, 2021 06:05 PM
    This took me longer to realize than I wish to admit, but even though it's a .txt when downloaded, it's really an email file (.eml).

    This was brought to the SOAR team a couple years ago as part of the idea to have emails be attached to incidents, but they chose not to deliver the .eml download portion because of concern regarding content (opening phishing emails). I thought this was a funny stance with the primary SOAR user base being security analysts. I would upvote another idea to have this re-looked at. Ref: https://2e4ccba981d63ef83a875dad7396c9a0.ideas.aha.io/ideas/R-I-451

    Does your phish reporting method not attach the raw phishing email to reports so you can see headers and such? I believe this is how most of us have it happening (email comes into the mailbox that has the phish attached as a .eml file, the .eml is added as an incident attachment, parsed, etc.).

    ------------------------------
    Jared Fagel
    Cyber Security Analyst
    ALLETE Inc.
    ------------------------------



  • 7.  RE: Using EmailMessage object

    Posted Wed October 13, 2021 05:34 PM
    I am wondering if this is not possible in Rest API using the Rest point docs/rest-api/ui/index.html#/EmailREST ?

    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------