IBM Security QRadar SOAR

  • 1.  Outbound Email Integration Question

    Posted Tue November 15, 2022 09:16 AM
    Hello All,

    Have done the Outbound Email integration (v2.0.1) for a client who already had inbound Email incident creation. The procedure for inbound Email is: when an Email lands in a particular mailbox it creates the incident with the Generic email script (App Exchange v2.3.1), and the subsequent replies are also added to the Data Table E-mail Conversations. This scenario works totally fine.

    The issue occurs when the Analysts use the Outbound Email app to send an email to different teams for getting updates/approvals etc. The Data Table will be updated as per the document, but when the other team replies back to the mail (sent from the Analysts), it will create one more (New) incident instead of the script checking for the Incident (from where the outbound email was triggered) and adding it directly to the conversation Data Table.

    The script should basically check for the Incident ID and Incident name or Task name and append it to the Data Table (correct me if I am wrong), or are there any specific changes that need to be made to the script to make this happen? It seems like it has to be in the code below.

    I am not a Python expert, hence the question. Suggestions would help a lot. Thanks for your replies as always.

    # We need to check that the email has a subject otherwise the script will fail
    subject = emailmessage.subject if hasattr(emailmessage, 'subject') else None

    # Create a suitable title for an incident based on the email
    newIncidentTitle = "Inbound E-Mail \"{0}\" via mailbox {1}".format(
        REPLY_PATTERN.sub("", subject), emailmessage.inbound_mailbox)

    # Check to see if a similar incident already exists
    # We will search for an incident which has the same name as we would give a new incident
    query_builder.equals(fields.incident.name, newIncidentTitle)
    query_builder.equals(fields.incident.plan_status, "Active")
    query = query_builder.build()
    incidents = helper.findIncidents(query)


    ------------------------------
    Srinivas Joshi
    Security Architect
    ------------------------------


  • 2.  RE: Outbound Email Integration Question

    Posted Wed November 16, 2022 08:48 AM

    Hi Srinivas,

    As you stated, the logic in the generic email parsing script is to track incoming email messages against existing incidents by looking for incidents with the same title as the email subject. Take a look at the script used in the Email Approval Process content pack for inbound messages. It parses the email for the incident ID in order to craft a similar query_builder query that instead looks up the incident by ID.

    Each email has a section like the following in the email body for tracking incident information:

    ##- retain this data -##
    msg-id: 98cc1ca81d6b-d31547c58714-d575453904dc-092677cc4c10-620980ac83ffd7a2
    incident 2204: email approval (link)
    task 2238: test outlook (link)
    expiration 1666790100000: 2022-10-26 14:15:00 IST

    ------------------------------
    Mark Scherfling
    ------------------------------



  • 3.  RE: Outbound Email Integration Question

    Posted Mon November 28, 2022 02:02 AM
    Hello Mark,

    I tweaked the code of the Inbound Email parsing script and am now able to get the reply back on the same Data Table. Thanks for your support as always.

    In case anyone would like to have it the same way, below is the code that I have changed.

    # Look for an incident ID in square brackets in the subject (e.g. "[2204]"),
    # which the outbound email carries. Only digits are accepted so that other
    # bracketed tags such as "[EXTERNAL]" do not make int() fail below.
    uuids = re.search(r'\[(\d+)\]', emailmessage.subject or "")
    search_val = ""
    incidents = ""
    if uuids:
        search_val = uuids.group(1)
        log.info("Incident ID found in subject: %s", search_val)
        # Reply to an outbound email: look the incident up by its ID
        query_builder.contains(fields.incident.id, int(search_val))
    else:
        search_val = newIncidentTitle
        # No ID in the subject: fall back to the original lookup by incident name
        query_builder.equals(fields.incident.name, newIncidentTitle)

    query_builder.equals(fields.incident.plan_status, "Active")
    query = query_builder.build()
    incidents = helper.findIncidents(query)

    Also, the "From" column will be updated with Lastname, Firstname <firstname.lastname@example.com>, and this way, when you try to reply back using the workflow from the Data Table, it will give an error, as the pre-process script only asks for firstname.lastname@example.com.

    For this I have also made a small change in the same script, which is as below.

    @staticmethod
    def add_email_conversation(headers, msg_body, msg_attachments):
        # attempt to add to incident datatable, if present

        def handle_list(value):
            # convert a list to a comma separated string, if necessary
            if value and isinstance(value, list):
                return ", ".join(value)

            return value

        def convert_from(mail_):
            # reduce a "From" header such as
            # 'Lastname, Firstname <firstname.lastname@example.com>'
            # to the bare address; mail_ is the list form of the header
            sub1 = "<"
            sub2 = ">"

            # getting index of substrings (both brackets must be present)
            if sub1 in mail_[0] and sub2 in mail_[0]:
                idx1 = mail_[0].index(sub1)
                idx2 = mail_[0].index(sub2)

                res = mail_[0][idx1 + len(sub1): idx2]
                return res
            return mail_[0]


    I am stuck at one point: the mail_body, when we are using the workflow/Function Outbound Email: Email send, only has a Text field. How can we change it to Rich Text format? If we create a new field it is not working. The reply workflow does have this field as Rich Text. Any suggestions would help.

    Thanks again.

    ------------------------------
    Srinivas Joshi
    SrinivasJoshi
    ------------------------------
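As an added example (not code from this thread, from IBM's content packs, or from the scripts quoted above), the following Python extracts the correlation data from both places discussed in the replies: the "##- retain this data -##" tracking block Mark quoted and the bracketed incident ID in the subject that Srinivas' script keys on, plus the "From" normalisation. It prefers the body block because its msg-id is a token SOAR itself generated, whereas a subject tag can be typed by any sender; the function names and the sample message are assumptions, with the tracking values taken from the thread.

```python
import re

# Constructed sample reply: subject tag as in the modified inbound script,
# body carrying the tracking block format quoted in reply 2.
SAMPLE_SUBJECT = "RE: [2204] Approval needed for ticket review"
SAMPLE_BODY = """Approved, go ahead.

##- retain this data -##
msg-id: 98cc1ca81d6b-d31547c58714-d575453904dc-092677cc4c10-620980ac83ffd7a2
incident 2204: email approval (link)
task 2238: test outlook (link)
expiration 1666790100000: 2022-10-26 14:15:00 IST
"""

SUBJECT_ID = re.compile(r"\[(\d+)\]")                      # "[2204]" in the subject
TRACK_BLOCK = re.compile(r"##- retain this data -##(.*)", re.DOTALL)
MSG_ID = re.compile(r"^msg-id:\s*([0-9a-f-]+)\s*$", re.MULTILINE)
NUMBERED = re.compile(r"^(incident|task|expiration)\s+(\d+):", re.MULTILINE)
ADDR = re.compile(r"<([^<>\s]+@[^<>\s]+)>")                # address inside <...>


def correlate(subject, body, fallback_title):
    """Decide how an inbound reply is matched to an existing incident.
    'lookup' is 'id' when tracking data was found, else 'name' (the original
    title-based search)."""
    result = {"lookup": "name", "name": fallback_title, "incident_id": None,
              "task_id": None, "msg_id": None, "source": None}
    block = TRACK_BLOCK.search(body or "")
    if block:
        for key, num in NUMBERED.findall(block.group(1)):
            if key == "incident":
                result["incident_id"] = int(num)
            elif key == "task":
                result["task_id"] = int(num)
        m = MSG_ID.search(block.group(1))
        result["msg_id"] = m.group(1) if m else None
        # Only trust the block when the SOAR-generated msg-id travelled with it
        if result["incident_id"] is not None and result["msg_id"]:
            result.update(lookup="id", source="body")
            return result
    m = SUBJECT_ID.search(subject or "")
    if m:   # weaker: sender-controlled, so keep it as the second choice
        result.update(lookup="id", incident_id=int(m.group(1)), source="subject")
    return result


def bare_address(from_value):
    """'Lastname, Firstname <a@b>' -> 'a@b'; a plain address is returned as-is."""
    value = from_value[0] if isinstance(from_value, list) else from_value
    m = ADDR.search(value or "")
    return m.group(1) if m else (value or "").strip()
```

In the inbound script the returned `incident_id` would feed the ID query and `name` the original title query; whichever branch is taken, the `plan_status == "Active"` filter should still be applied.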