IBM QRadar SOAR

  • 1.  Unable to create incidents from emails

    Posted Thu July 18, 2024 09:08 AM

    I'm encountering an issue while attempting to generate an incident from email parsing using the sample script process inbound email (v49). When running the script, I encountered the following error:

    Error Running Script: The Script cannot update the Email Message 'email message-22984' because 'The Following fields are required: "Log Source".'




    ------------------------------
    shivam gote
    shivamshivamgote
    ------------------------------


  • 2.  RE: Unable to create incidents from emails

    Posted Fri July 19, 2024 01:02 AM

    It seems you have set the field log sources as required when you created it; either modify the field to be optional or set a value for the field in your script using:

    incident.properties.log_source = "X"



    ------------------------------
    mohamad islam hamadieh
    ------------------------------



  • 3.  RE: Unable to create incidents from emails

    Posted Fri July 19, 2024 11:51 AM

    This field is not part of the script `process inbound email (v49)` and I suspect it's a custom required Incident field. If that's the case, either you can modify the script to include that field with a default value or look to change its property from required (Always) to Optional. The latter option may have other implications to your business, so it should only be considered if all use cases are understood.

    I hope this helps,

    Mark



    ------------------------------
    Mark Scherfling
    ------------------------------