IBM QRadar SOAR


Exchange Online Query Messages Playbook automatic activation on Artifact

  • 1.  Exchange Online Query Messages Playbook automatic activation on Artifact

    Posted 20 days ago
    Hello,

    I would like to search emails automatically using the "Exchange Online Query Messages - Example (PB)" playbook on artifact creation and put the results in a data table (I will probably reuse the original post-script); by default the playbook requires the web form to be filled in manually (screen below).
     
    How should I put the input fields below in the script?

    exo_email_address: ??????? (This is what I saw in the logs: "exo_query_output_format: ALL")
    exo_mailfolders: ??????? (This is what I saw in the logs: "exo_mailfolders: None")
    exo_query_output_format: ?????? (This is what I see in the logs: "exo_query_output_format: ['Exchange Online data table', 'Incident note']")
     
    My modified playbook script:
    =======================================================================================
    import datetime

    inputs.incident_id = incident.id
     
    # Get the email address of the user whose mailbox will be queried.
    inputs.exo_email_address_sender = artifact.value
     
    # Configure the date/time window to search (UTC, ISO 8601 with a trailing "Z").
    # Start and end must differ, otherwise the window has zero length; here the
    # window is one day back from now (adjust the timedelta as needed).
    now = datetime.datetime.utcnow().replace(microsecond=0)
    tend = now.isoformat() + "Z"
    tstart = (now - datetime.timedelta(days=1)).isoformat() + "Z"
    inputs.exo_start_date = tstart
    inputs.exo_end_date = tend
     
    # Only present when the web form is still in the playbook; otherwise set the list directly.
    if hasattr(playbook.inputs, "exchange_online_query_results_output_format"):
        inputs.exo_query_output_format = [d for d in playbook.inputs.exchange_online_query_results_output_format]
    =======================================================================================

    Thanks


    ------------------------------
    Paulius Roslekas
    ------------------------------


  • 2.  RE: Exchange Online Query Messages Playbook automatic activation on Artifact

    Posted 19 days ago

    Hi Paulius, 

    I couldn't decide whether your question is about what data to input in those fields, or about how to fill in the data using a playbook script instead of filling in the web form manually, so I will answer both :) 

    • What data should I input in those fields?
      • You can check the app documentation; the section for the function used (Function - Exchange Online: Query Messages) mentions the inputs here.

    • How do I fill in the data using a playbook script instead of filling in the web form manually?
      • Clone the playbook to keep the original one.
      • Remove the web form from the playbook (click on (Incident / Artifact Activated) and remove the web form on the right side).
      • Edit the function input script (in the playbook, click on the function "Function - Exchange Online: Query Messages" on the right side, click on Scripts and edit the script).
      • Add the data you want in this format (documentation for that here):
        # format 
        inputs.<inputFieldName> = "something"
        
        # example
        inputs.exo_email_address = "user@example.com"


    ------------------------------
    mohamad islam hamadieh
    ------------------------------
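Putting the reply's steps together, the following is an added example (not code from the thread or from IBM's app) of a pre-process script that replaces the web form: it builds every exo_* input from the triggering artifact and assigns them onto the SOAR `inputs` object. The input names exo_email_address, exo_mailfolders, exo_start_date, exo_end_date and exo_query_output_format, and the two output destinations, are the ones that appear in this thread; the ISO 8601 UTC timestamp format with a trailing "Z" follows the original poster's script and is otherwise an assumption, as is the one-day look-back window. The artifact and incident objects are constructed stand-ins so the script runs outside SOAR; in a playbook the platform provides `artifact`, `incident` and `inputs` as globals, and the loop at the bottom (or a direct `inputs.exo_email_address = ...`) is what the function receives. The email check guards against the playbook firing on an artifact that is not an address (an IP or hash artifact, for example), which would otherwise send a bad query to the function.

```python
import datetime
import re
from types import SimpleNamespace

# Constructed stand-ins for the objects SOAR passes to a pre-process script.
SAMPLE_ARTIFACT = SimpleNamespace(type="Email Sender", value=" alice@example.com ")
BAD_ARTIFACT = SimpleNamespace(type="IP Address", value="10.0.0.1")
SAMPLE_INCIDENT = SimpleNamespace(id=2095)
FIXED_NOW = datetime.datetime(2024, 1, 2, 3, 4, 5)  # fixed clock for the demo run

# Output destinations exactly as they appear in the thread's function log.
DEFAULT_OUTPUT_FORMATS = ["Exchange Online data table", "Incident note"]

# Minimal sanity check: one local part, one "@", a dotted domain, no whitespace.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def iso_utc(dt):
    """Format a naive UTC datetime as ISO 8601 with a trailing Z (as the original script does)."""
    return dt.replace(microsecond=0).isoformat() + "Z"


def build_query_inputs(artifact, incident, now=None, lookback_days=1,
                       mailfolders=None, output_formats=None):
    """Return the exo_* function inputs for one artifact.

    Raises ValueError when the artifact value is not an email address, so a
    playbook fired on some other artifact type does not run the query.
    """
    value = artifact.value.strip() if isinstance(artifact.value, str) else ""
    if not EMAIL_RE.match(value):
        raise ValueError("artifact %r is not an email address: %r" % (artifact.type, artifact.value))

    # Assumed window: end at "now" (UTC), start lookback_days earlier.
    if now is None:
        now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    start = now - datetime.timedelta(days=lookback_days)

    return {
        "incident_id": incident.id,
        "exo_email_address": value,
        # None leaves the folder filter empty, matching "exo_mailfolders: None" in the log.
        "exo_mailfolders": mailfolders,
        "exo_start_date": iso_utc(start),
        "exo_end_date": iso_utc(now),
        "exo_query_output_format": list(output_formats or DEFAULT_OUTPUT_FORMATS),
    }


def apply_to_inputs(inputs, values):
    """Assign each value onto the SOAR `inputs` object; setattr is what `inputs.x = ...` does."""
    for name, value in values.items():
        setattr(inputs, name, value)
    return inputs


if __name__ == "__main__":
    # Stand-alone demo run; inside SOAR the platform supplies artifact, incident and inputs.
    values = build_query_inputs(SAMPLE_ARTIFACT, SAMPLE_INCIDENT, now=FIXED_NOW)
    inputs = apply_to_inputs(SimpleNamespace(), values)
    print(inputs.exo_email_address, inputs.exo_start_date, inputs.exo_end_date,
          inputs.exo_mailfolders, inputs.exo_query_output_format)
```

If the playbook condition already restricts the trigger to "Email Sender" or "Email Recipient" artifacts, the regex check is a second line of defence rather than the only one; keep it anyway, since artifact values are user-supplied and can contain stray whitespace or display names.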