I am trying to create a phishing playbook. For that, I configured an inbound email connection, added a script to extract artifacts, and added a rule to automatically create an incident whenever I have an email in the inbox.
Now I want to know how I can call that specific incident, which was created from the mailbox, in the playbook to inform the relevant team about this incident along with the attached artifacts.
I don't know if this could help you but here is how I would do it.
In your script, you should have the emailmessage.createAssociatedIncident(...,...) operation. After this operation, the top-level incident variable is set so you can assign it an incident type like this:
incident.incident_type_ids = "Phishing"
Now, you could create a new automatic playbook with the following conditions: "incident is created" and "incident.incident_type_ids = "Phishing"".
When the script finishes treating the received email, the newly created incident will start your phishing playbook.
You can also add a Notification with a similar condition: Incident type is equal to "Phishing" and have it sent to the owner you specified in the second parameter of the createAssociatedIncident operation, which is probably the name of a group.