IBM Security QRadar SOAR

Hello,

We are using the inbound email option to retrieve messages from a phishing mailbox into the SOAR. To have the original email added as an .eml to the case we use the "Exchange Online write message as attachment" function.

Issue:

The issue we are facing that in some cases, there is a function error and the original email is not added as an attachment. The error output is attached.

Does anyone know how to solve this issue? Or how we can further troubleshoot this?

Regards,
Stef

------------------------------
Stef Bisschop
------------------------------

The error log shows this error coming back from the Resilient server:

Conflict: {"error_code":"generic","hints":[],"message":"Conflict","success":false,"title":null}

This means that the API request did not succeed because there was a change on the object between the time the code retrieved the data and then did a POST to update it. I agree it seems strange that adding an attachment would result in this as it is probably unlikely that something else had added the same attachment.

Unfortunately I don't have a good answer for how to deal with this. There really isn't a way to automatically retry a function from a workflow/playbook.

Ben

------------------------------
Ben Lurie
------------------------------

Original Message:
Sent: Mon September 27, 2021 09:54 AM
From: Stef Bisschop
Subject: Exchange Online Integration - Write Message as Attachment Function Error

Hello,

We are using the inbound email option to retrieve messages from a phishing mailbox into the SOAR. To have the original email added as an .eml to the case we use the "Exchange Online write message as attachment" function.

Issue:

The issue we are facing that in some cases, there is a function error and the original email is not added as an attachment. The error output is attached.

Does anyone know how to solve this issue? Or how we can further troubleshoot this?

Regards,
Stef

------------------------------
Stef Bisschop
------------------------------

Hi Stef,

If you launch manually the attachment workflow, after the failure, does it work? Or is it again the same error?

------------------------------
BENOIT ROSTAGNI
------------------------------

Original Message:
Sent: Mon September 27, 2021 09:54 AM
From: Stef Bisschop
Subject: Exchange Online Integration - Write Message as Attachment Function Error

Hello,

We are using the inbound email option to retrieve messages from a phishing mailbox into the SOAR. To have the original email added as an .eml to the case we use the "Exchange Online write message as attachment" function.

Issue:

The issue we are facing that in some cases, there is a function error and the original email is not added as an attachment. The error output is attached.

Does anyone know how to solve this issue? Or how we can further troubleshoot this?

Regards,
Stef

------------------------------
Stef Bisschop
------------------------------

Hi Benoit,

Yes that's what we also thought of in the meantime and it works!

So this is actually a fast and simple workaround.

------------------------------
Stef Bisschop
------------------------------

Original Message:
Sent: Tue September 28, 2021 11:38 AM
From: BENOIT ROSTAGNI
Subject: Exchange Online Integration - Write Message as Attachment Function Error

Hi Stef,

If you launch manually the attachment workflow, after the failure, does it work? Or is it again the same error?

------------------------------
BENOIT ROSTAGNI

Original Message:
Sent: Mon September 27, 2021 09:54 AM
From: Stef Bisschop
Subject: Exchange Online Integration - Write Message as Attachment Function Error

Hello,

We are using the inbound email option to retrieve messages from a phishing mailbox into the SOAR. To have the original email added as an .eml to the case we use the "Exchange Online write message as attachment" function.

Issue:

The issue we are facing that in some cases, there is a function error and the original email is not added as an attachment. The error output is attached.

Does anyone know how to solve this issue? Or how we can further troubleshoot this?

Regards,
Stef

------------------------------
Stef Bisschop
------------------------------

• Create a boolean field : Mail Collected
• Create a WF where you put the Email collect from Exchange action
• Create a WF Mail Collected like below:

Launch the WF to collect the email
Use the Timer function from fn_utility app to wait 120s
if the Mail Collected is not YES, go up and launch (again) the WF to collect the email in a loop
else, default flow, go to the end

• Create a rule to launch the WF Mail Collected each time you create a incident where you need to collect the email from exchange with potential error with no email attached
• Create a rule email attached that change Mail Collected field to YES when a attachement is added, that contains ".eml" or ".msg"

It should do the job automatically :)

------------------------------
BENOIT ROSTAGNI
------------------------------

Original Message:
Sent: Tue September 28, 2021 01:46 PM
From: Stef Bisschop
Subject: Exchange Online Integration - Write Message as Attachment Function Error

Hi Benoit,

Yes that's what we also thought of in the meantime and it works!

So this is actually a fast and simple workaround.

------------------------------
Stef Bisschop

Original Message:
Sent: Tue September 28, 2021 11:38 AM
From: BENOIT ROSTAGNI
Subject: Exchange Online Integration - Write Message as Attachment Function Error

Hi Stef,

If you launch manually the attachment workflow, after the failure, does it work? Or is it again the same error?

------------------------------
BENOIT ROSTAGNI

Original Message:
Sent: Mon September 27, 2021 09:54 AM
From: Stef Bisschop
Subject: Exchange Online Integration - Write Message as Attachment Function Error

Hello,

We are using the inbound email option to retrieve messages from a phishing mailbox into the SOAR. To have the original email added as an .eml to the case we use the "Exchange Online write message as attachment" function.

Issue:

The issue we are facing that in some cases, there is a function error and the original email is not added as an attachment. The error output is attached.

Does anyone know how to solve this issue? Or how we can further troubleshoot this?

Regards,
Stef

------------------------------
Stef Bisschop
------------------------------