IBM Security QRadar SOAR


Email incident changes on a note

  • 1.  Email incident changes on a note

    Posted Thu January 23, 2020 04:34 AM
    Hello,

    I'm using the "Email message parsing script". It works fine, but I want to add another piece of functionality. How can I insert the email incident changes into notes? For example: when I get a response to that email, it adds more info to the artifacts, but I want to see the response in the notes. Is that possible? Could it be done by modifying this script?

    # Build one line per header: 'Name': ['value1', 'value2']
    headers = ""
    for header in emailmessage.headers:
      headers += "\n'" + header + "': ["
      for i, value in enumerate(emailmessage.headers[header]):
        if i > 0: headers += ", "
        headers += u"'{}'".format(value)
      headers += "]"
    # Attach the collected headers to the incident as a note
    incident.addNote(unicode("=== EMAIL HEADERS ===" + headers))


    ------------------------------
    Aitor Vivanco Sata Cruz
    ------------------------------


  • 2.  RE: Email incident changes on a note

    Posted Fri January 24, 2020 11:19 AM
    It sounds like you want to add the message body of the reply to the notes of the existing incident.  If that's correct, here's what I did.  After the script matches an existing incident and associates the email with it, you can use the following lines:

    incident.addNote( "=== Email Body from " + emailmessage.from.address + " ===\n" + emailmessage.body.content )
    log.info("Adding artifact for Email Body")

    ------------------------------
    Brian Mathias
    ------------------------------