IBM Security QRadar SOAR

Hello Team,

We are looking forward to automate an incident with event details to be sent to Respective user via email from the artifact.  Is there any way or work around for this request. 

Example:  When an incident received to IBM SOAR from QRadar and the SOAR need to act to send an Incident email to the respective user irrespective of manual outbound email. 

Thanks!

SOC Team

Sorry for the delay.

Your query has been forwarded to the development team.

Still awaiting response

Regards

John

Hello Team,

We are looking forward to automate an incident with event details to be sent to Respective user via email from the artifact.  Is there any way or work around for this request. 

Example:  When an incident received to IBM SOAR from QRadar and the SOAR need to act to send an Incident email to the respective user irrespective of manual outbound email. 

Thanks!

SOC Team

Hello Team,

We are looking forward to automate an incident with event details to be sent to Respective user via email from the artifact.  Is there any way or work around for this request. 

Example:  When an incident received to IBM SOAR from QRadar and the SOAR need to act to send an Incident email to the respective user irrespective of manual outbound email. 

Thanks!

SOC Team

Can you explain a little more what you are trying to do?

When a QRadar incident is create in SOAR an email should be send to a user automatically using outbound email?

What does "irrespective of manual outbound email" mean?

Hello Team,

We are looking forward to automate an incident with event details to be sent to Respective user via email from the artifact.  Is there any way or work around for this request. 

Example:  When an incident received to IBM SOAR from QRadar and the SOAR need to act to send an Incident email to the respective user irrespective of manual outbound email. 

Thanks!

SOC Team

hello, In  particular situation, an incident was initiated when an internal user made several unsuccessful login attempts. Consequently, we will obtain the user's name or email address for this specific scenario. Presently, we are trying to automatically send the offense details to the internal user using either their user id or email artifact.  So, how can we achieve this ?

Can you explain a little more what you are trying to do?

When a QRadar incident is create in SOAR an email should be send to a user automatically using outbound email?

What does "irrespective of manual outbound email" mean?

Hello Team,

We are looking forward to automate an incident with event details to be sent to Respective user via email from the artifact.  Is there any way or work around for this request. 

Example:  When an incident received to IBM SOAR from QRadar and the SOAR need to act to send an Incident email to the respective user irrespective of manual outbound email. 

Thanks!

SOC Team

Hi SOC Team,

I can think of one way to achieve your need.

• When the unsuccessful login attempts is detected and an incident is created, you can create a User Account type (or create your own type) artifact to store the user information (e.g., email) and add some notes to artifact's description. e.g. "Unsuccessful login attempts detected user"
• Install and configure Outbound Email app https://exchange.xforce.ibmcloud.com/hub/extension/caafba4e4f6d130e7db30ed4d5e53504
• Create an automatic playbook
  • Select artifact as the Object type
  • Create activation condition that define the criteria to trigger the playbook when artifact is added
  • Add "Outbound Email: Send Email" function node to the playbook and configure its inputs, e.g., set the "mail to" field to "artifact.value" or use script to setup those input fields., e.g.,
  • 
  • You can check the playbooks included in the Outbound Email app, e.g., "Send Incident Email Text (PB) Example"  as an example.

When the User Account artifact is created and meets the activation condition, the playbook will be triggered and the email will be sent to the user.

Hope this help.

hello, In  particular situation, an incident was initiated when an internal user made several unsuccessful login attempts. Consequently, we will obtain the user's name or email address for this specific scenario. Presently, we are trying to automatically send the offense details to the internal user using either their user id or email artifact.  So, how can we achieve this ?

Can you explain a little more what you are trying to do?

When a QRadar incident is create in SOAR an email should be send to a user automatically using outbound email?

What does "irrespective of manual outbound email" mean?

Hello Team,

We are looking forward to automate an incident with event details to be sent to Respective user via email from the artifact.  Is there any way or work around for this request. 

Example:  When an incident received to IBM SOAR from QRadar and the SOAR need to act to send an Incident email to the respective user irrespective of manual outbound email. 

Thanks!

SOC Team

Hi SOC Team,

I can think of one way to achieve your need.

• When the unsuccessful login attempts is detected and an incident is created, you can create a User Account type (or create your own type) artifact to store the user information (e.g., email) and add some notes to artifact's description. e.g. "Unsuccessful login attempts detected user"
• Install and configure Outbound Email app https://exchange.xforce.ibmcloud.com/hub/extension/caafba4e4f6d130e7db30ed4d5e53504
• Create an automatic playbook
  • Select artifact as the Object type
  • Create activation condition that define the criteria to trigger the playbook when artifact is added
  • Add "Outbound Email: Send Email" function node to the playbook and configure its inputs, e.g., set the "mail to" field to "artifact.value" or use script to setup those input fields., e.g.,
  • 
  • You can check the playbooks included in the Outbound Email app, e.g., "Send Incident Email Text (PB) Example"  as an example.

When the User Account artifact is created and meets the activation condition, the playbook will be triggered and the email will be sent to the user.

Hope this help.

hello, In  particular situation, an incident was initiated when an internal user made several unsuccessful login attempts. Consequently, we will obtain the user's name or email address for this specific scenario. Presently, we are trying to automatically send the offense details to the internal user using either their user id or email artifact.  So, how can we achieve this ?

Can you explain a little more what you are trying to do?

When a QRadar incident is create in SOAR an email should be send to a user automatically using outbound email?

What does "irrespective of manual outbound email" mean?

Hello Team,

We are looking forward to automate an incident with event details to be sent to Respective user via email from the artifact.  Is there any way or work around for this request. 

Example:  When an incident received to IBM SOAR from QRadar and the SOAR need to act to send an Incident email to the respective user irrespective of manual outbound email. 

Thanks!

SOC Team

Hi,

From your 1st screenshot, it seems that your Network Administrator stores the user email to artifact's value but in your 2nd screenshot the automatic activation condition is set to "if artifact.description contains @iopex.com", you should change it to "if artifact.value contains @iopex.com".

After that, you will need to setup the "Outbound Email: Send Email" fucntion inputs, such as who the mail should send to, who the mail from, what's the mail subject and mail body etc.. There are two ways to setup the values, 1) assign values in each field, the "Fields" tab, or 2) write a script, the "Script" tab

Here is example that uses a script (python language) to setup the input values.

inputs.mail_incident_id = incident.idinputs.mail_from = "admin@iopex.com"inputs.mail_to = artifact.valueinputs.mail_subject = "Continuous login fail deteced"inputs.mail_body_html = "Warning! you have failed login to the system more than 5 times.<br/>" \"Please check your password or reset your password if it's not you. Otherwise your account will be locked."

A screenshot of this example,

You can change it per your requirements.

IBM QRadar SOAR's playbook is highly customizable, there are playbook intrductions and demos available on the internet, you can check them out. For examples, https://youtu.be/r6wTZn8ruRE?t=2165 or https://youtu.be/aN-dHMhhSbU?t=212

Or SOAR official online docs. https://www.ibm.com/docs/en/sqsp/51?topic=toolkit-playbook-designer

Hi SOC Team,

I can think of one way to achieve your need.

• When the unsuccessful login attempts is detected and an incident is created, you can create a User Account type (or create your own type) artifact to store the user information (e.g., email) and add some notes to artifact's description. e.g. "Unsuccessful login attempts detected user"
• Install and configure Outbound Email app https://exchange.xforce.ibmcloud.com/hub/extension/caafba4e4f6d130e7db30ed4d5e53504
• Create an automatic playbook
  • Select artifact as the Object type
  • Create activation condition that define the criteria to trigger the playbook when artifact is added
  • Add "Outbound Email: Send Email" function node to the playbook and configure its inputs, e.g., set the "mail to" field to "artifact.value" or use script to setup those input fields., e.g.,
  • 
  • You can check the playbooks included in the Outbound Email app, e.g., "Send Incident Email Text (PB) Example"  as an example.

When the User Account artifact is created and meets the activation condition, the playbook will be triggered and the email will be sent to the user.

Hope this help.

hello, In  particular situation, an incident was initiated when an internal user made several unsuccessful login attempts. Consequently, we will obtain the user's name or email address for this specific scenario. Presently, we are trying to automatically send the offense details to the internal user using either their user id or email artifact.  So, how can we achieve this ?

Can you explain a little more what you are trying to do?

When a QRadar incident is create in SOAR an email should be send to a user automatically using outbound email?

What does "irrespective of manual outbound email" mean?

Hello Team,

We are looking forward to automate an incident with event details to be sent to Respective user via email from the artifact.  Is there any way or work around for this request. 

Example:  When an incident received to IBM SOAR from QRadar and the SOAR need to act to send an Incident email to the respective user irrespective of manual outbound email. 

Thanks!

SOC Team