IBM Security QRadar SOAR

  • 1.  Phishing Playbook

    Posted Mon October 16, 2023 01:48 PM

    Hello community,

    I am trying to create a phishing playbook. For that I configured an inbound email connection, added a script to extract artifacts, and a rule to automatically create an incident whenever I have an email in the inbox.

    Now I want to know how I can call, in the playbook, that specific incident which was created from the mailbox, to inform the relevant team about this incident along with the attached artifacts.

    ------------------------------
    Umair Khan
    ------------------------------


  • 2.  RE: Phishing Playbook

    Posted Tue October 17, 2023 10:33 AM

    Hi Umair,

    I don't know if this could help you but here is how I would do it.

    In your script, you should have the emailmessage.createAssociatedIncident(...,...) operation. After this operation, the top-level incident variable is set, so you can assign it an incident type like this:

    incident.incident_type_ids = "Phishing"

    Now, you could create a new automatic playbook with the following conditions: "incident is created" and "incident.incident_type_ids = Phishing".

    When the script finishes treating the received email, the newly created incident will start your phishing playbook.

    You can also add a Notification with a similar condition: Incident type is equal to "Phishing", and have it sent to the owner you specified in the second parameter of the createAssociatedIncident operation, which is probably the name of a group.

    HTH



    ------------------------------
    Pierre Dufresne
    ------------------------------
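The pattern Pierre describes (inbound-email script creates the incident, sets the Phishing type, and a playbook keys off that type) written out as an added example that runs offline. This is not code from the thread or from the QRadar SOAR product: the `EmailMessage` and `Incident` classes are constructed stand-ins that only reproduce the two behaviours the reply relies on (`createAssociatedIncident(name, owner)` with the owner as second argument, and the `incident` object becoming available afterwards). The artifact type names, the `SOC Tier 1` owner group, the sample message and the use of a list for `incident_type_ids` are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-ins for the SOAR script objects (assumption: not the product's
# classes). They reproduce only what the thread relies on so the logic runs offline.
@dataclass
class Incident:
    name: str
    owner: str
    incident_type_ids: list = field(default_factory=list)
    artifacts: list = field(default_factory=list)

@dataclass
class EmailMessage:
    sender: str
    subject: str
    body: str
    attachment_hashes: list = field(default_factory=list)
    incident: Optional[Incident] = None

    def createAssociatedIncident(self, name, owner):
        # In the product this call is what makes the top-level `incident`
        # variable available to the rest of the script.
        self.incident = Incident(name=name, owner=owner)
        return self.incident

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def defang(url):
    """Render a URL so it cannot be clicked from a ticket or notification."""
    return url.replace("http", "hxxp").replace(".", "[.]")

def extract_artifacts(email):
    """Turn the message into (artifact type, value) pairs; type names are assumed."""
    artifacts = [("Email Sender", email.sender)]
    for url in sorted(set(URL_RE.findall(email.body))):
        artifacts.append(("URL", defang(url)))
    for ip in sorted(set(IP_RE.findall(email.body))):
        artifacts.append(("IP Address", ip))
    for digest in email.attachment_hashes:
        artifacts.append(("Malware SHA-256 Hash", digest))
    return artifacts

def process_inbound_email(email, owner_group="SOC Tier 1"):
    """Mirror of the inbound-email script: create incident, tag it, attach artifacts."""
    incident = email.createAssociatedIncident("Phishing: " + email.subject, owner_group)
    # Setting the type is what the playbook and notification conditions match on.
    incident.incident_type_ids = ["Phishing"]
    for kind, value in extract_artifacts(email):
        incident.artifacts.append({"type": kind, "value": value})
    return incident

def playbook_should_run(incident):
    """Activation condition of the playbook: a created incident typed as Phishing."""
    return "Phishing" in incident.incident_type_ids

def demo():
    # Constructed sample message; example.com and 192.0.2.10 are documentation values.
    msg = EmailMessage(
        sender="billing@example.com",
        subject="Invoice overdue",
        body="Pay now at http://example.com/pay or contact 192.0.2.10",
        attachment_hashes=["0" * 64],
    )
    return process_inbound_email(msg)

if __name__ == "__main__":
    inc = demo()
    print(inc.name, inc.owner, inc.incident_type_ids)
    for a in inc.artifacts:
        print(f"  {a['type']}: {a['value']}")
    print("playbook fires:", playbook_should_run(inc))
```

The point the stand-ins make visible is the ordering: the type must be set in the same script run that creates the incident, otherwise the "incident is created" condition has already been evaluated against an untyped incident and the playbook never starts. The owner passed as the second argument is what a type-based notification would be delivered to.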