IBM Security QRadar SOAR

  • 1.  Send email reply to "Original ingested email" - Maintaining Mail thread

    Posted Wed February 09, 2022 08:46 AM
    Hello,

    Using the Outbound email connector, is it possible to send out an email as a reply to the original email that was ingested in Resilient and created an incident?
    The flow is:
    1- Ingesting emails in Resilient.
    2- Parse it and create an incident.
    3- "The needed action" - Send an email as a reply to the original email as acknowledgment of receiving the raised request.

    Currently I am sending some data from the original email in a new email, to be used as a reference to the sender - like info on what this acknowledgement is about.
    Any ideas to achieve a real reply email, please?


    ------------------------------
    ahmed abushanab
    ------------------------------


  • 2.  RE: Send email reply to "Original ingested email" - Maintaining Mail thread

    Posted Thu February 10, 2022 02:14 AM
    Dear Ahmed,
    I am not able to reach my test environment but I believe this method will be helpful for you:

    You have already created an incident based on the received e-mail. So you have the body, attachments, subject and sender e-mail address in your incident. 

    You can create a Rule (incident rule) and refine your rule conditions to match those types of incidents (like incident name, incident type, sender e-mail, etc.).

    This automatic rule can trigger a simple workflow which collects information from the incident if necessary and calls the Outbound Email Sending function to send an e-mail to the original sender of the initial e-mail.

    You can add a note to the same incident with the content of the outbound email sent. So that you can track the history in the Notes tab of the same incident.

    I am away from my test environment so I could not create a demonstration yet. I hope the idea helps.

    Best
    Aydin Kucukkarakas

    ------------------------------
    Aydin Kucukkarakas
    ------------------------------



  • 3.  RE: Send email reply to "Original ingested email" - Maintaining Mail thread

    Posted Mon February 14, 2022 06:53 AM
    Hi Aydin,
    Thank you,

    This can keep the history of the case, but it is not an actual reply to the email.
    I know it would be more of a mail server task to keep a record of the email and its related replies, but I thought it could have been requested by other clients.
    And maybe it is achievable.

    Regards,

    ------------------------------
    ahmed abushanab
    ------------------------------



  • 4.  RE: Send email reply to "Original ingested email" - Maintaining Mail thread

    Posted Mon February 14, 2022 08:50 AM
    Hi Ahmed,
    If you want to keep the replies to the email in the case, simply set up a new parsing script that reads the title of the reply; as long as it contains the Incident ID, using the query builder you can associate the replies with the original email message. There is an example of this in the Generic Email parsing script.
    Regards,

    ------------------------------
    Elizabeth Hecht
    ------------------------------



  • 5.  RE: Send email reply to "Original ingested email" - Maintaining Mail thread

    Posted Tue February 15, 2022 12:41 AM
    Hi Elizabeth,

    I already have the replies from the user in the notes. I wanted to send out a reply with OEC to the original ingested email, and keep it as a reply from Resilient in their mail thread, so that the original sender will easily know all the history in one mail thread (ack, approval, resolution, etc.).


    ------------------------------
    ahmed abushanab
    ------------------------------



  • 6.  RE: Send email reply to "Original ingested email" - Maintaining Mail thread

    Posted Tue February 15, 2022 12:43 AM
    Hi Ahmed,

    There is an RFE which is related to email improvements. You may vote it or add something. Link

    If I caught the question correctly, you want to reply to the email after processing it with the inbound email script, and want to keep the email transaction in the email server as a regular messaging procedure, not just in SOAR.

    I haven't needed that action yet, but if I need it, I would make some changes in the Outbound Email App like below.

    mail_data = {}
    mail_data['mail_from'] = mail_from
    mail_data['mail_to'] = FunctionComponent.split_string(mail_to)
    mail_data['mail_cc'] = FunctionComponent.split_string(mail_cc)
    mail_data['mail_bcc'] = FunctionComponent.split_string(mail_bcc)
    mail_data['mail_subject'] = mail_subject
    mail_data['mail_attachments'] = self.process_attachments(inc_id=mail_incident_id, attachments=mail_attachments)
    
    # You may add some extra fields like below to handle it.
    # Overrides the subject set above so the message reads as a reply.
    mail_data['mail_subject'] = "RE: " + mail_subject
    # Message-ID of the outgoing reply; In-Reply-To carries the Message-ID of the ingested original.
    mail_data['Message-ID'] = ...
    mail_data['In-Reply-To'] = ...


    For details, RFC2822 & Python Email Lib

    But editing an external app may have some disadvantages, like being overwritten after an update... So I would prefer to write my own app to do it.



    ------------------------------
    Burak Karaduman
    ------------------------------



  • 7.  RE: Send email reply to "Original ingested email" - Maintaining Mail thread

    Posted Fri April 22, 2022 02:10 AM
    Thanks Burak,

    Appreciate your support and provided input; yes, I believe it is the most relevant reply that addresses the use case here.
    I see that now, I may need to do two tasks:
    1- Extraction of the Message-ID from the original ingested email, and use it in association with the In-Reply-To field in the OEC to be able to link my email as a reply to the original email escalated to SOAR.

    I'll work it out, and hopefully it works.

    Thank you :)


    ------------------------------
    ahmed abushanab
    ------------------------------
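    Added example (not the Outbound Email App's code, and not from any poster): it shows the threading headers Burak's reply describes and the Message-ID extraction Ahmed lists as his first task, plus the subject-based incident lookup Elizabeth mentions. The sample message, the incident-id subject tag format and the function names build_reply and incident_id_from_subject are assumptions made for the illustration.

    ```python
    """Build a reply to an ingested e-mail so mail clients thread it with the original.

    Hypothetical helper, not part of the Outbound Email App. Header semantics follow
    RFC 2822/5322: In-Reply-To and References must carry the original Message-ID.
    """
    import email
    import re
    from email import policy
    from email.message import EmailMessage

    # Constructed sample of an ingested e-mail (raw RFC 5322 text); not a real message.
    ORIGINAL_RAW = """\
    From: reporter@example.com
    To: soar-intake@example.com
    Subject: Suspicious login on VPN
    Message-ID: <abc123@example.com>
    Date: Wed, 09 Feb 2022 08:00:00 +0000

    We saw a login from an unknown location.
    """

    # Assumed subject tag format used to tie later replies back to the incident.
    SUBJECT_ID_RE = re.compile(r"\[Incident\s*#(\d+)\]")


    def build_reply(original_raw, incident_id, sender, body):
        """Return an EmailMessage whose In-Reply-To/References point at the original."""
        original = email.message_from_string(original_raw, policy=policy.default)
        orig_id = original["Message-ID"]
        if not orig_id:
            # Without the original Message-ID no client can thread the reply.
            raise ValueError("original e-mail has no Message-ID; cannot thread reply")
        orig_id = str(orig_id)
        reply = EmailMessage()
        reply["From"] = sender
        reply["To"] = str(original["From"])  # reply goes back to the original sender
        reply["Subject"] = f"RE: [Incident #{incident_id}] {original['Subject']}"
        reply["In-Reply-To"] = orig_id
        # References = the original's own References (if any) followed by its Message-ID.
        refs = [str(original["References"])] if original["References"] else []
        reply["References"] = " ".join(refs + [orig_id])
        reply.set_content(body)
        return reply


    def incident_id_from_subject(subject):
        """Recover the incident id from a reply subject, or None if the tag is absent."""
        match = SUBJECT_ID_RE.search(subject or "")
        return int(match.group(1)) if match else None
    ```

    The returned EmailMessage can be handed to smtplib.SMTP.send_message as-is; the SMTP server assigns its own Message-ID unless you set one explicitly.
    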