IBM QRadar SOAR

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

  • 1.  Exchange Online Query Messages Playbook automatic activation on Artifact

    Posted Thu February 06, 2025 07:03 AM
    Hello,

    I would like to automatically search emails using the "Exchange Online Query Messages - Example (PB)" playbook on artifact creation and put the results in a data table (I will probably reuse the original post-script). By default the playbook requires the web form to be filled in manually (screen below).
     
    How should I set the input fields below in the script?

    exo_email_address: ??????? (This is what I see in the logs: "exo_query_output_format: ALL")
    exo_mailfolders: ??????? (This is what I see in the logs: "exo_mailfolders: None")
    exo_query_output_format: ?????? (This is what I see in the logs: "exo_query_output_format: ['Exchange Online data table', 'Incident note']")
     
    My modified playbook script:
    =======================================================================================
    import datetime

    inputs.incident_id = incident.id
     
    # Get the email address of the user whose mailbox will be queried.
    inputs.exo_email_address_sender = artifact.value
     
    # Configure the date/time window to search. Use UTC so the trailing "Z"
    # is accurate, and search from the start of today until now (start and
    # end must differ, otherwise the window is empty).
    now = datetime.datetime.utcnow()
    tend = now.isoformat() + "Z"
    tstart = now.replace(hour=0, minute=0, second=0, microsecond=0).isoformat() + "Z"
    inputs.exo_start_date = tstart
    inputs.exo_end_date = tend
     
    # Pass the chosen output format(s) through when the activity field is set.
    if hasattr(playbook.inputs, "exchange_online_query_results_output_format"):
        inputs.exo_query_output_format = list(playbook.inputs.exchange_online_query_results_output_format)
    =======================================================================================

    Thanks


    ------------------------------
    Paulius Roslekas
    ------------------------------


  • 2.  RE: Exchange Online Query Messages Playbook automatic activation on Artifact

    Posted Fri February 07, 2025 12:43 AM

    Hi Paulius, 

    I couldn't decide if your question means what data I should input in those fields, or how to fill in the data using a playbook script instead of filling in the web form manually, so I will answer both :) 

    • What data should I input in those fields?
      • You can check the app documentation; the section on the function used (Function - Exchange Online: Query Messages) mentions the inputs here.

    • How do I fill in the data using a playbook script instead of filling in the web form manually?
      • Clone the playbook to save the original one.
      • Remove the web form from the playbook (click on (Incident / Artifact Activated) and remove the web form from the right side).
      • Edit the function input script (in the playbook, click on the function "Function - Exchange Online: Query Messages" on the right side, click on scripts and edit the script).
      • Add the data you want in this format (documentation for that here):
        # format 
        inputs.<inputFieldName> = "something"
        
        # example
        inputs.exo_email_address = "user@example.com"


    ------------------------------
    mohamad islam hamadieh
    ------------------------------



  • 3.  RE: Exchange Online Query Messages Playbook automatic activation on Artifact

    Posted Thu March 20, 2025 10:22 AM
    Edited by Paulius Roslekas Thu March 20, 2025 10:22 AM

    Hello,

    I apologize for the delayed response :/. Thank you for the information.


    In the example below I am trying to put the "email_recipient" artifact value in the Function input script; the "email_recipient" API name seems correct, but no luck :/
    The "inputs.exo_email_address_sender" and "inputs.exo_email_address" artifact values are not the same.

    EXAMPLE:
    inputs.exo_email_address_sender = artifact.value

    inputs.exo_email_address = artifact.value['email_recipient']


    How do I write it in the correct syntax?

    Thanks



    ------------------------------
    Paulius Roslekas
    ------------------------------



  • 4.  RE: Exchange Online Query Messages Playbook automatic activation on Artifact

    Posted Fri March 21, 2025 02:16 AM

    Hi Paulius,

    The syntax is correct here: 

    inputs.exo_email_address_sender = artifact.value

    You just have to make sure that the playbook you create is of type (Artifact activated).



    ------------------------------
    Mohamad islam Hamadieh
    I post SOAR content and tips on LinkedIn, follow me :)
    https://linkedin.com/in/mohamadislam
    ------------------------------



  • 5.  RE: Exchange Online Query Messages Playbook automatic activation on Artifact

    Posted Fri March 21, 2025 03:21 AM

    Hi,

    Yes, but I would like to read two different artifacts (Email Sender and Email Recipient) with the Function input script. For instance, if I used the example below, the script would take the same artifact value for both "email_address" (Email Recipient) and "email_address_sender" (Email Sender).  

    inputs.exo_email_address_sender = artifact.value

    inputs.exo_email_address = artifact.value

    Thanks



    ------------------------------
    Paulius Roslekas
    ------------------------------



  • 6.  RE: Exchange Online Query Messages Playbook automatic activation on Artifact

    Posted Tue March 25, 2025 04:16 AM

    OK, got it. If your playbook is artifact activated, you can only access the value of that artifact, using artifact.value.

    If your playbook is incident activated, there are multiple ways to get all artifacts; you can check these posts: 

    How to get details in the incident all artifacts. | IBM QRadar SOAR

    IBM Security App Exchange - Artifact Utilities

    Another option is to have a field that you always append artifact values to whenever an artifact is created, using a rule or playbook, but this will cause a lot of playbooks to run on each incident creation.



    ------------------------------
    Mohamad islam Hamadieh
    I post SOAR content and tips on LinkedIn, follow me :)
    https://linkedin.com/in/mohamadislam
    ------------------------------
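The following is an added example, not code from the thread or from IBM's app, showing one way to act on the advice in replies 2 and 6: an artifact-activated function input script only ever sees the single activating artifact, so instead of trying to read a second artifact the script decides from the artifact's type which address field (exo_email_address_sender or exo_email_address) that value belongs in, builds a real UTC search window, and honours the output-format activity field with the same hasattr()-style fallback as the original script. It assumes the SOAR scripting objects artifact (with .type and .value), incident (.id), playbook.inputs and inputs; here they are replaced by constructed stand-ins so the logic can be run and tested outside SOAR. The artifact type names "Email Sender" and "Email Recipient" and the 24-hour default window are assumptions.

```python
import datetime
from types import SimpleNamespace

# Assumed mapping from the activating artifact's type to the function input
# field it should populate. The field names are the ones from the thread.
ARTIFACT_FIELD_MAP = {
    "Email Sender": "exo_email_address_sender",
    "Email Recipient": "exo_email_address",
}

# Default output formats, matching what the original poster saw in the logs.
DEFAULT_OUTPUT_FORMATS = ["Exchange Online data table", "Incident note"]

# Constructed fixed "now" so runs are reproducible; a real script would use
# datetime.datetime.now(datetime.timezone.utc).
FIXED_NOW = datetime.datetime(2025, 3, 21, 3, 21, 0, tzinfo=datetime.timezone.utc)


def utc_window(hours_back, now=None):
    """Return (start, end) as ISO-8601 strings in UTC with a trailing 'Z'.

    Built from a UTC clock so the 'Z' suffix is truthful, and with start
    strictly before end (start == end would be an empty window).
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    start = now - datetime.timedelta(hours=hours_back)

    def fmt(d):
        return d.replace(tzinfo=None).isoformat(timespec="seconds") + "Z"

    return fmt(start), fmt(now)


def build_exo_inputs(artifact, incident, playbook_inputs, hours_back=24, now=None):
    """Populate the Query Messages function inputs from one activating artifact.

    Returns an `inputs` namespace with attributes set the same way a SOAR
    function input script sets them (inputs.<field> = value).
    """
    inputs = SimpleNamespace()
    inputs.incident_id = incident.id

    # Route the single artifact value to the right field by artifact type.
    field = ARTIFACT_FIELD_MAP.get(artifact.type)
    if field is None:
        raise ValueError("unsupported artifact type: %s" % artifact.type)
    setattr(inputs, field, artifact.value.strip())

    start, end = utc_window(hours_back, now)
    inputs.exo_start_date = start
    inputs.exo_end_date = end

    # Same fallback idea as the original script: take the activity-field
    # choice when present, otherwise use the default list.
    chosen = getattr(playbook_inputs, "exchange_online_query_results_output_format", None)
    inputs.exo_query_output_format = list(chosen) if chosen else list(DEFAULT_OUTPUT_FORMATS)
    return inputs


# Constructed stand-ins for the SOAR runtime objects (not real SOAR objects).
SAMPLE_INCIDENT = SimpleNamespace(id=2095)
SAMPLE_SENDER = SimpleNamespace(type="Email Sender", value="  suspicious.sender@example.net ")
SAMPLE_RECIPIENT = SimpleNamespace(type="Email Recipient", value="victim@example.com")
NO_CHOICE = SimpleNamespace()  # activity field not set
CHOICE = SimpleNamespace(exchange_online_query_results_output_format=("Incident note",))

if __name__ == "__main__":
    for art, pb in ((SAMPLE_SENDER, NO_CHOICE), (SAMPLE_RECIPIENT, CHOICE)):
        result = build_exo_inputs(art, SAMPLE_INCIDENT, pb, now=FIXED_NOW)
        print(art.type, "->", vars(result))
```

Attach this script to the "Function - Exchange Online: Query Messages" function in an artifact-activated playbook scoped to both artifact types: each email artifact then triggers its own query with only the matching address field filled, which is the behaviour reply 6 describes as the limit of an artifact-activated playbook. A playbook that needs sender and recipient in one query has to be incident activated and collect the artifacts through one of the options linked in that reply.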