IBM QRadar SOAR

Hi!

I'm trying to write a script based on emails which are already added to an incident. Those emails which are shown in the Email tab in the incident.

When create a script with object type "emailmessage" it only tries to find email messages which are still in the inbox... 
Same for the rule... I created a manual rule for object type "Emailmessage" and I can use this rule only in the inbox but not in the email tab in the incident.

Under which path can I find those?
Is this something like incident.properties....?

And please don't tell me this is again something which is not possible within the platform itself and I have to use a script running on the integration server...


Best,
Achim

------------------------------
Achim Quehenberger
------------------------------

There are two things going on. The first is that an automatic Rule only would run on an object that is new/deleted/updated. Email objects already on an incident cannot be updated so a Rule would never run on them.

The second thing is that you are looking for is the ability to get sub-objects of an incident from a script. In this case, get all the emails associated with the incident. As you intimated, in-product scripting does not have the capability to get incident sub objects. Not just emails, but tasks, artifacts, etc.

Ben

------------------------------
Ben Lurie
------------------------------

Original Message:
Sent: Mon July 13, 2020 05:22 AM
From: Achim Quehenberger
Subject: emailmessages in the incident tab "Email"

Hi!

I'm trying to write a script based on emails which are already added to an incident. Those emails which are shown in the Email tab in the incident.

When create a script with object type "emailmessage" it only tries to find email messages which are still in the inbox... 
Same for the rule... I created a manual rule for object type "Emailmessage" and I can use this rule only in the inbox but not in the email tab in the incident.

Under which path can I find those?
Is this something like incident.properties....?

And please don't tell me this is again something which is not possible within the platform itself and I have to use a script running on the integration server...


Best,
Achim

------------------------------
Achim Quehenberger
------------------------------

Hi Lurie,

Thank you for your reply. But the first answer is not quite right. I mentioned that I created a manuel rule (or Menu Item as it is called in the drop down field for "New Rule"), not an automatic one. And with manual rules you can trigger scripts which handle already existing things.

Ok thanks, I already expected the second answer.

Best,
Achim

------------------------------
Achim Quehenberger
------------------------------

Original Message:
Sent: Tue July 14, 2020 07:53 AM
From: Ben Lurie
Subject: emailmessages in the incident tab "Email"

There are two things going on. The first is that an automatic Rule only would run on an object that is new/deleted/updated. Email objects already on an incident cannot be updated so a Rule would never run on them.

The second thing is that you are looking for is the ability to get sub-objects of an incident from a script. In this case, get all the emails associated with the incident. As you intimated, in-product scripting does not have the capability to get incident sub objects. Not just emails, but tasks, artifacts, etc.

Ben

------------------------------
Ben Lurie

Original Message:
Sent: Mon July 13, 2020 05:22 AM
From: Achim Quehenberger
Subject: emailmessages in the incident tab "Email"

Hi!

I'm trying to write a script based on emails which are already added to an incident. Those emails which are shown in the Email tab in the incident.

When create a script with object type "emailmessage" it only tries to find email messages which are still in the inbox... 
Same for the rule... I created a manual rule for object type "Emailmessage" and I can use this rule only in the inbox but not in the email tab in the incident.

Under which path can I find those?
Is this something like incident.properties....?

And please don't tell me this is again something which is not possible within the platform itself and I have to use a script running on the integration server...


Best,
Achim

------------------------------
Achim Quehenberger
------------------------------