IBM Security SOAR

 View Only
  • 1.  Script error when setting field value

    Posted 5 days ago

    Hello! I'm working on script that parse inbound email and sets custom field with values provided in email. There is task and it's options field that I created myself. It has API Access Name = "approval".

    Script shows an error in line where I set the value of that field via
    incident.properties.approval = "Одобрено"

    Also tried to comment out lines where I setting fields and at least check if parser works correctly by adding notes, but I'm getting another error)


    Here is full code if needed:

    # -*- coding: utf8 -*-
    import re
    import datetime
    import time
    
    class EmailProcessor(object):
        emailContents = []
    
        def __init__(self):
            if (emailmessage.body.content is not None):
                self.emailContents.append(emailmessage.body.content)
            if (emailmessage.getBodyHtmlRaw() is not None):
                self.emailContents.append(emailmessage.getBodyHtmlRaw())
            if (len(self.emailContents) == 0):
                log.error("Email message has no contents!")
                
        def addBasicInfoToIncident(self):
            approver = emailmessage.sender.address
            list_approvers = ['approver1@mail.com', 'approver2@mail.com', 'approver3@mail.com']
            method = re.findall(r"(\w+):", self.emailContents[0], re.UNICODE)[0]
            #str(approver) in list_approvers
            if str(approver) in list_approvers:
              if method == "Одобрено":
                #incident.properties.approval = "Одобрено"
                incident.addNote("""Было согласовано {}""".format(approver))
              elif method == "Отклонено":
                #incident.properties.approval = "Отклонено"
                incident.addNote("""Было Отклонено {}""".format(approver))
              else:
                #incident.properties.approval = "Ошибка"
                incident.addNote("""Возникла ошибка {}""".format(approver))
            else:
              #incident.properties.approval = "Попытка изменения другим лицом"
              incident.addNote("""{} пытался изменить данное поле, хоть и не указан в списке ответсвенных лиц""".format(approver))
    
    processor = EmailProcessor()
    
    inc_id = int(re.findall(r"\d+", processor.emailContents[0], re.UNICODE)[0])
    
    query_builder.equals(fields.incident.id, inc_id)
    query = query_builder.build()
    incidents = helper.findIncidents(query)
    
    
    if len(incidents) == 0:
        log.info(u"Incident Not Found")
    else:
        # A similar incident already exists. Associate the email with this preexisting incident.
        log.info(u"Associating with existing incident {0}".format(incidents[0].id))
        processor.addBasicInfoToIncident()
    


    ------------------------------
    Magzhan Leskhan
    ------------------------------


  • 2.  RE: Script error when setting field value

    Posted 3 days ago
    The data context of an Email parsing script does not have a top-level object called 'incident'. This code finds the incidents you are interested in:

    incidents = helper.findIncidents(query)
    
    
    if len(incidents) == 0:
        log.info(u"Incident Not Found")
    else:
        # A similar incident already exists. Associate the email with this preexisting incident.
        log.info(u"Associating with existing incident {0}".format(incidents[0].id))
        processor.addBasicInfoToIncident()​
    I think you need to pass the incident information as a parameter to the method addBasicInfoToIncident().

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------