IBM Security QRadar SOAR

  • 1.  Process inbound email

    Posted Thu July 21, 2022 08:47 AM
    Hello,

    I use the default script "Process Inbound email" to associate inbound email with incidents or create new incidents.
    I started to notice that if someone sends an email to a closed incident, a new incident is created. Maybe it would be more correct to reopen the existing incident?



    ------------------------------
    Alexey Fedorov
    ------------------------------


  • 2.  RE: Process inbound email

    Posted Tue August 23, 2022 08:51 AM
    Hi Alexey,

    Are you using the default script?
    This might be possible by changing the incident status when the script branches to:

    emailmessage.associateWithIncident()

    ------------------------------
    mohamad islam hamadieh
    ------------------------------



  • 3.  RE: Process inbound email

    Posted Tue August 23, 2022 08:51 AM
    Hi Alexey,

    You can edit the default script to change the incident status when branching to:

    emailmessage.associateWithIncident()

    You also have to remove:
    query_builder.equals(fields.incident.plan_status, "Active")
    from your query builder.

    ------------------------------
    mohamad islam hamadieh
    ------------------------------
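
Added example, not part of the thread and not the default SOAR script: a stand-alone Python model of the change described in reply 3, showing how dropping the "Active" condition from the query lets mail for a closed incident reopen it instead of creating a duplicate. The Incident class, the function names, the "Closed" value and the sample data are assumptions made for illustration; none of them is the SOAR scripting API.

```python
# Stand-in model of the association step; NOT the SOAR scripting API.
from dataclasses import dataclass

@dataclass
class Incident:             # hypothetical stand-in for a SOAR incident
    id: int
    name: str
    plan_status: str        # "Active" as in the thread; "Closed" is assumed
    create_date: int        # constructed timestamp

def find_incidents(incidents, name, active_only):
    """Model of the query: the name match always applies, the
    plan_status == "Active" condition only when active_only is set."""
    return [i for i in incidents
            if i.name == name
            and (not active_only or i.plan_status == "Active")]

def process_inbound(incidents, name, active_only, now):
    """Return (action, incident) for one inbound email."""
    matches = find_incidents(incidents, name, active_only)
    if not matches:
        # No match: fall through to creating a new incident.
        new_id = max((i.id for i in incidents), default=0) + 1
        new = Incident(new_id, name, "Active", now)
        incidents.append(new)
        return "created", new
    # Prefer a still-active incident; otherwise take the newest closed one.
    active = [i for i in matches if i.plan_status == "Active"]
    target = max(active or matches, key=lambda i: i.create_date)
    if target.plan_status != "Active":
        target.plan_status = "Active"   # the status change suggested in the reply
        return "reopened", target
    return "associated", target

def sample():
    """Constructed sample data: one closed and one active incident."""
    return [Incident(101, "Phishing report", "Closed", 1000),
            Incident(102, "VPN alert", "Active", 2000)]

if __name__ == "__main__":
    for active_only in (True, False):
        action, inc = process_inbound(sample(), "Phishing report", active_only, 3000)
        print(f"active_only={active_only}: {action} incident {inc.id}")
```

With the "Active" condition in place the closed incident is never matched, which is the behaviour described in the first post.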