IBM Security QRadar SOAR

  • 1.  Discard incident with new email parser

    Posted Sun June 21, 2020 10:04 PM
    Hi Everybody,

    On Resilient v37 I would like to move some use cases we already have in the old (irhub-based) mail parser to the new Python-script-based email parser.
    We have a case where, when the incoming mail subject contains a specific string, we would like NOT to create an incident (as happens in all other cases). In irhub we use the discardincident call. What can I use in Python?

    Thanks in advance,


    ------------------------------
    Symon
    ------------------------------


  • 2.  RE: Discard incident with new email parser

    Posted Mon June 22, 2020 07:24 AM
    Hi Symon,

    Thanks for your query.
    You could probably try something like this:

    if '<your specific string>' in emailmessage.subject:
        # ignore it: no incident is created for this message
        pass
    else:
        # otherwise, create an associated incident
        emailmessage.createAssociatedIncident('<incident_name>', '<incident_owner>')

        # make any additional updates to the associated incident
        # (the script's incident object refers to the one just created)
        incident.description = 'incident description'

    ------------------------------
    Paul Curran
    ------------------------------



  • 3.  RE: Discard incident with new email parser

    Posted Tue June 23, 2020 05:35 AM
    HI Paul,
    Thanks for your fast answer. My problem with this solution is that in this case the email stays in the inbox and I can only delete it manually, not automatically.

    ------------------------------
    Tamas Simon
    Simon
    ------------------------------



  • 4.  RE: Discard incident with new email parser

    Posted Thu June 25, 2020 05:41 AM

    Hi Symon,
    I have a possible workaround and a suggestion. The workaround is as follows: create an incident to track these specific emails and immediately close it. Then, when an email arrives with a subject you don't want to create an incident from, you can query for the closed incident and assign the email to it. Effectively it becomes a bucket for all these emails. This will achieve the goal of removing the emails from the inbox.

    It is, as I say, a workaround, so it may not work for your specific use case. The missing functionality of automating the deletion of emails you don't wish to create an incident from does seem useful. I suggest you create an RFE for it. You can do that here: https://2e4ccba981d63ef83a875dad7396c9a0.ideas.aha.io/ideas



    ------------------------------
    PATRICK DIVILLY
    ------------------------------
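The subject filter from reply 2 combined with the closed "bucket" incident from reply 4, written out as an added example; this is not code from the thread or from the product. The platform calls are replaced by a constructed stand-in (FakeSoar): only emailmessage.createAssociatedIncident is named on the page, and the call that attaches a mail to an existing incident is an assumption, as are the rule names, the sample addresses and the bucket title. The example also shows the check a practitioner would add: the discard test is anchored to the start of the subject and tied to an allowed sender, because a loose substring match means anyone who learns the magic string can suppress incident creation by putting it in a subject.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Email:
    """Constructed stand-in for the message object the email script sees."""
    subject: str
    sender: str


@dataclass(frozen=True)
class DiscardRule:
    """A mail matching this rule is swallowed instead of becoming an incident."""
    subject_pattern: str      # regex; anchor it so it cannot match by accident
    senders: tuple = ()       # allowed sender addresses; empty means any sender

    def matches(self, email: Email) -> bool:
        if not re.search(self.subject_pattern, email.subject, re.IGNORECASE):
            return False
        if not self.senders:
            return True
        return email.sender.lower() in {s.lower() for s in self.senders}


def route(email: Email, rules) -> str:
    """Return 'bucket' if some discard rule matches, otherwise 'create'."""
    return "bucket" if any(r.matches(email) for r in rules) else "create"


class FakeSoar:
    """Constructed stand-in for the platform API. In the real script the 'create'
    branch is emailmessage.createAssociatedIncident(...); the 'bucket' branch is
    whichever call attaches a message to an existing incident (assumed here)."""

    def __init__(self, bucket_id: int):
        self.bucket_id = bucket_id
        self.created = []    # (subject, owner) for incidents opened
        self.attached = []   # (subject, incident_id) for mails sent to the bucket

    def find_closed_bucket(self, title: str) -> int:
        # Would be a query for the closed incident by title; fixed id here.
        return self.bucket_id

    def attach(self, email: Email, incident_id: int) -> None:
        self.attached.append((email.subject, incident_id))

    def create_incident(self, email: Email, owner: str) -> int:
        self.created.append((email.subject, owner))
        return 1000 + len(self.created)


def process(email: Email, rules, soar: FakeSoar, owner: str = "SOC") -> tuple:
    """Run one mail through the filter; returns (action, incident_id)."""
    action = route(email, rules)
    if action == "bucket":
        bucket = soar.find_closed_bucket("Discarded mail bucket")  # assumed title
        soar.attach(email, bucket)
        return (action, bucket)
    return (action, soar.create_incident(email, owner))


RULES = (
    # Anchored marker restricted to a known internal sender: an outsider who
    # copies the marker into a subject still gets an incident.
    DiscardRule(r"^\[AUTOREPLY\]", senders=("noreply@example.internal",)),
)

if __name__ == "__main__":
    soar = FakeSoar(bucket_id=42)
    samples = [  # constructed sample mails
        Email("[AUTOREPLY] Out of office", "noreply@example.internal"),
        Email("[AUTOREPLY] Invoice attached", "attacker@example.net"),
        Email("Phishing report from user", "alice@example.internal"),
    ]
    for m in samples:
        print(m.subject, "->", process(m, RULES, soar))
```

Keep the rule list short and review it like any other suppression: every rule is a hole through which an alert can disappear, and the bucket incident's attachments are the audit trail for what was swallowed.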