IBM QRadar SOAR

  • 1.  Exchange Online Query Messages Playbook automatic activation on Artifact

    Posted Thu February 06, 2025 07:03 AM
    Hello,

    I would like to search emails automatically using the "Exchange Online Query Messages - Example (PB)" playbook on artifact creation and put the results in a data table (I will probably reuse the original post-script). By default the playbook requires the web form to be filled in manually (screen below).
     
    How should I put the input fields below in the script?

    exo_email_address: ??????? (This is what I see in the logs: "exo_query_output_format: ALL")
    exo_mailfolders: ??????? (This is what I see in the logs: "exo_mailfolders: None")
    exo_query_output_format: ?????? (This is what I see in the logs: "exo_query_output_format: ['Exchange Online data table', 'Incident note']")
     
    My modified playbook script:
    =======================================================================================
    import datetime

    inputs.incident_id = incident.id

    # Get the email address of the user whose mailbox will be queried.
    inputs.exo_email_address_sender = artifact.value

    # Configure the date/time window to search (UTC, ISO 8601 with a trailing "Z").
    # Start at midnight today and end now, so the window is not empty.
    now_utc = datetime.datetime.utcnow()
    tstart = datetime.datetime.combine(now_utc.date(), datetime.time.min).isoformat() + "Z"
    tend = now_utc.isoformat() + "Z"
    inputs.exo_start_date = tstart
    inputs.exo_end_date = tend

    # Pass the output format selection through from the playbook inputs, if present.
    if hasattr(playbook.inputs, "exchange_online_query_results_output_format"):
        inputs.exo_query_output_format = [d for d in playbook.inputs.exchange_online_query_results_output_format]
    =======================================================================================

    Thanks


    ------------------------------
    Paulius Roslekas
    ------------------------------


  • 2.  RE: Exchange Online Query Messages Playbook automatic activation on Artifact

    Posted Fri February 07, 2025 12:43 AM

    Hi Paulius, 

    I couldn't decide if your question means what data I should input in those fields, or how to fill in the data using a playbook script instead of filling in the web form manually, so I will answer both :) 

    • What data should I input in those fields?
      • You can check the app documentation; the section on the function used (Function - Exchange Online: Query Messages) mentions the inputs here.

    • How do I fill in the data using a playbook script instead of filling in the web form manually?
      • Clone the playbook to save the original one.
      • Remove the web form from the playbook (click on (Incident / Artifact Activated) and remove the web form from the right side).
      • Edit the function input script (in the playbook click on the function "Function - Exchange Online: Query Messages" from the right side, click on scripts and edit the script).
      • Add the data you want in this format (documentation for that here):
        # format
        inputs.<inputFieldName> = "something"
        
        # example
        inputs.exo_email_address = "user@example.com"


    ------------------------------
    mohamad islam hamadieh
    ------------------------------



  • 3.  RE: Exchange Online Query Messages Playbook automatic activation on Artifact

    Posted 3 days ago
    Edited by Paulius Roslekas 3 days ago

    hello,

    I apologize for the delayed response :/. Thank you for the information.


    In the example below I am trying to put the "email_recipient" artifact value in the function input script; the "email_recipient" API name seems correct, but no luck :/
    The "inputs.exo_email_address_sender" and "inputs.exo_email_address" artifact values are not the same.

    EXAMPLE:
    inputs.exo_email_address_sender = artifact.value

    inputs.exo_email_address = artifact.value['email_recipient']


    How do I write it in the correct syntax?

    Thanks



    ------------------------------
    Paulius Roslekas
    ------------------------------



  • 4.  RE: Exchange Online Query Messages Playbook automatic activation on Artifact

    Posted 3 days ago

    Hi Paulius,

    The syntax is correct here:

    inputs.exo_email_address_sender = artifact.value

    You just have to make sure that the playbook you create is of type (Artifact activated).



    ------------------------------
    Mohamad islam Hamadieh
    I post SOAR content and tips on LinkedIn, follow me :)
    https://linkedin.com/in/mohamadislam
    ------------------------------



  • 5.  RE: Exchange Online Query Messages Playbook automatic activation on Artifact

    Posted 3 days ago

    Hi,

    Yes, but I would like to read two different artifacts (Email Sender and Email Recipient) with the function input script; for instance, if I used the example below, the script would take the same artifact value for both "email_address" (Email Recipient) and "email_address_sender" (Email Sender).

    inputs.exo_email_address_sender = artifact.value

    inputs.exo_email_address = artifact.value

    Thanks



    ------------------------------
    Paulius Roslekas
    ------------------------------
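The two-artifact question raised in posts 3 and 5, as an added example that is not part of this thread or of the Exchange Online app: an artifact-activated playbook runs once per artifact, so a function input script only ever sees one value, and indexing that string value (as in `artifact.value['email_recipient']`) cannot pull out a second artifact. What the script can do is branch on the artifact's type and fill only the input that artifact belongs to, leaving the other address input unset instead of reusing the same value for both. The `artifact.type` attribute, the type names "Email Sender" / "Email Recipient", the seven-day lookback window and the `Stub` stand-in for SOAR's `artifact` and `inputs` objects are all assumptions made here so the logic runs outside SOAR.

```python
import datetime

# Assumed SOAR artifact type names as they appear in the UI (adjust to your instance).
SENDER_TYPE = "Email Sender"
RECIPIENT_TYPE = "Email Recipient"

# Fixed timestamp so the example is reproducible (constructed, not taken from a real run).
EXAMPLE_NOW = datetime.datetime(2025, 2, 6, 7, 3, 0)


class Stub:
    """Constructed stand-in for the SOAR `artifact` / `inputs` objects (attribute bag)."""

    def __init__(self, **attrs):
        self.__dict__.update(attrs)


def build_query_inputs(artifact, incident_id, now=None, lookback_days=7):
    """Return the Exchange Online Query Messages inputs for one artifact-activated run.

    Each run sees a single artifact. The artifact's type (assumed attribute
    `artifact.type`) decides which address input it fills; the other one is left
    unset rather than being given the same value.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    start = now - datetime.timedelta(days=lookback_days)  # assumed lookback window
    values = {
        "incident_id": incident_id,
        "exo_start_date": start.isoformat() + "Z",  # UTC, ISO 8601 with trailing "Z"
        "exo_end_date": now.isoformat() + "Z",
    }
    if artifact.type == SENDER_TYPE:
        values["exo_email_address_sender"] = artifact.value
    elif artifact.type == RECIPIENT_TYPE:
        values["exo_email_address"] = artifact.value
    else:
        # Any other artifact type should not silently query someone's mailbox.
        raise ValueError("unsupported artifact type: %r" % (artifact.type,))
    return values


def apply_inputs(inputs, values):
    """Mirror the `inputs.<field> = ...` assignments a function input script performs."""
    for name, value in values.items():
        setattr(inputs, name, value)
    return inputs


if __name__ == "__main__":
    sender_artifact = Stub(type=SENDER_TYPE, value="alice@example.com")
    recipient_artifact = Stub(type=RECIPIENT_TYPE, value="bob@example.com")
    for art in (sender_artifact, recipient_artifact):
        filled = apply_inputs(Stub(), build_query_inputs(art, 1001, now=EXAMPLE_NOW))
        print(art.type, "->", vars(filled))
```

In a real function input script the `values` dictionary is not needed; the assignments go straight onto the SOAR `inputs` object exactly as `apply_inputs` does. If the playbook must correlate a sender artifact with a recipient artifact from the same incident in one run, that pairing has to come from a playbook function or the REST API rather than from the single `artifact` the script is handed.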