IBM Security QRadar SOAR

  • 1.  Inbound email: validate sender

    Posted Wed June 17, 2020 11:29 AM
    Hi everyone

    I created an inbound connection in Resilient and I managed to process the incoming emails with a playbook script. Now, I actually want to validate the sender so that only members of an incident can update that incident.

    Are there ways to do this securely? I was thinking of checking the member list for matches with the sender.


    Thanks.

    ------------------------------
    Sophy Chhong
    ------------------------------


  • 2.  RE: Inbound email: validate sender

    Posted Thu June 18, 2020 07:43 AM
    I don't fully understand the use case. Currently in Resilient an incident member or incident owner can update the incident. I'm not sure what you would like to accomplish with the email sender. Can you elaborate on the use case?

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------



  • 3.  RE: Inbound email: validate sender

    Posted Fri June 19, 2020 05:41 AM
    The incident members struggle with adding table rows in Resilient since they sometimes add up to 50 rows at once. We created the inbound mailbox so that they can update the table easily with an email. Since it is an inbox, we may receive other kinds of emails and therefore want to prevent them from getting processed. This would also include members of an incident B who want to update an incident A, which they have no access to. To get this validation we would like to check whether the sender of an email is an actual member of an incident before allowing updates to it.

    I hope this clarifies our use case.

    ------------------------------
    Sophy Chhong
    ------------------------------



  • 4.  RE: Inbound email: validate sender

    Posted Fri June 19, 2020 09:06 AM
    I'm assuming you already have an inbound email processing script. If so, then you can put logic into the script to check that the email sender is a member by checking against the incident member list in the script.

    Here is an example that shows the members list contains the email addresses of the members so hopefully you can use that for the logic:

    log.info(incident.members)

    I didn't post a screenshot due to PII. But try it on your system.

    Ben



    ------------------------------
    Ben Lurie
    ------------------------------



  • 5.  RE: Inbound email: validate sender

    Posted Fri June 19, 2020 09:30 AM
    Great, that works! I get the list of user emails and groups.

    How would I check which users are in a group?
    I use this logic to get the group itself, but I can only see the metadata.

    group = groups.findByName('group_name')
    log.info(group)



    ------------------------------
    Sophy Chhong
    ------------------------------
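    The following is an added example, not code from the thread or from IBM, showing the check that post 4 describes (sender address matched against the incident member list) together with the group resolution post 5 asks about. It is plain Python with constructed sample data: `INCIDENT_MEMBERS` stands in for what the thread reports `incident.members` returns (member e-mail addresses plus group names), and `GROUP_DIRECTORY` is an assumed lookup from group name to member addresses, since the thread does not show how group members are enumerated. Only constructs that work in both Python 2 (Resilient's script engine) and Python 3 are used.

```python
# Added example (not from the thread): decide whether an inbound e-mail's
# sender is a member of the incident before letting it update the incident.
import email.utils

# Constructed sample data. In a real inbound-email script the sender address
# and the member list would come from the script context; the thread reports
# that incident.members contains member e-mail addresses and group names.
INCIDENT_MEMBERS = ["alice@example.com", "Bob@Example.com", "soc-analysts"]

# Assumed group directory (group name -> member addresses). The thread does
# not show how to enumerate group members, so this lookup is a stand-in.
GROUP_DIRECTORY = {
    "soc-analysts": ["carol@example.com", "dave@example.com"],
}


def normalize_address(raw):
    """Strip any display name ('Alice <alice@...>') and lower-case the
    bare address so comparisons are not fooled by case or formatting."""
    _name, addr = email.utils.parseaddr(raw or "")
    return addr.strip().lower()


def expand_members(members, group_directory):
    """Flatten member entries into a set of bare e-mail addresses,
    resolving any group name through group_directory."""
    allowed = set()
    for entry in members:
        if "@" in entry:
            allowed.add(normalize_address(entry))
        else:
            for addr in group_directory.get(entry, []):
                allowed.add(normalize_address(addr))
    return allowed


def sender_is_member(sender, members, group_directory=None):
    """True only if the sender's bare address is an incident member,
    either directly or through one of the listed groups."""
    addr = normalize_address(sender)
    if not addr:
        # Missing or unparsable sender: never treat as a member.
        return False
    return addr in expand_members(members, group_directory or {})


def handle_inbound(sender, members, group_directory=None):
    """Return the action the processing script should take for a message.
    Non-members are rejected so the mailbox cannot be used to alter an
    incident the sender has no access to."""
    if sender_is_member(sender, members, group_directory):
        return "process"
    return "reject"
```

    Two points for whoever wires this into the real script: the comparison must be on the bare, lower-cased address (a display name or different capitalisation in the From header would otherwise cause a false rejection or, worse, a false acceptance if the raw string were matched loosely), and the From header itself is not authenticated by this check, so it only proves the message claims to come from a member. Enforce SPF/DKIM/DMARC at the mail gateway, or restrict the mailbox to internal senders, so that the claimed address can be trusted before the membership match is relied on.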