IBM QRadar SOAR

  • 1.  Resilient V35 Process Inbound Email Script

    Posted Mon July 20, 2020 10:44 AM
    Hi All, 

    We are using the IBM Resilient V35 process inbound email script. Could anyone please help us with how to modify the script to create incident tickets based on certain keywords? For example, if the email contains "Phishing" then we need to create a Phishing incident ticket, similarly for malware, and for emails other than those with the specific keywords we need to create general incident tickets. 

    We noticed that the logic below only maps any email to a Phishing incident; could you please let us know how to achieve our requirement. 

    # Add "Phishing" as an incident type for the associated incident
    incident.incident_type_ids.append("Phishing")

    Regards,
    Sunil I B



    ------------------------------
    Sunil I B
    ------------------------------


  • 2.  RE: Resilient V35 Process Inbound Email Script

    Posted Tue July 21, 2020 04:03 PM

    Hi Sunil,
    There are a couple of ways to do this.
    1. Create an add-on script for each of your scenarios and use a Rule with the condition "Subject contains" or "Body contains" to determine which incident type to assign the incident to. Then run the add-on script after the parsing script; it adds the incident type and any additional fields.

    Take a look at this technote for additional examples.
    Example scripts for email in v32+
    https://www.ibm.com/support/pages/node/1160122

    2. Use an if statement to evaluate the subject, for example:

    if 'Incident' in emailmessage.subject:
        log.info("Subject is incident")
        emailmessage.createAssociatedIncident('Email incident', 'owner@ibm.com')
        incident.description = 'incident description'
        incident.incident_type_ids.append("Phishing")
    elif 'Malware' in emailmessage.subject:
        log.info("Subject is Malware")
        emailmessage.createAssociatedIncident(emailmessage.subject, 'owner@ibm.com')
        incident.incident_type_ids.append("Malware")



    ------------------------------
    Elizabeth Hecht
    ------------------------------
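    The if/elif approach above can be generalised into a keyword table with a fallback for emails that match no keyword, which is the third case the original question asks about. The following is an added example and not code from the thread or from IBM; it assumes a small constructed stand-in for the script's `emailmessage`/`incident` objects (`FakeEmailMessage`, `FakeIncident`) so the matching logic runs offline, and the keyword patterns and `owner@example.com` address are placeholders you would replace with your own.

```python
"""Keyword-based incident typing for an inbound-email script (added example).

Assumption (not from the original thread): a real Resilient script would call
emailmessage.createAssociatedIncident(...) and then append to
incident.incident_type_ids; here those objects are replaced by a constructed
stand-in so the classification logic can be exercised without the platform.
"""
import re

# Ordered rules: the first rule whose pattern matches wins. Patterns are
# matched case-insensitively against the subject first, then the body.
# The keyword set is an assumption for illustration, not IBM's list.
KEYWORD_RULES = [
    ("Phishing", re.compile(r"\bphish(?:ing)?\b", re.IGNORECASE)),
    ("Malware", re.compile(r"\b(?:malware|ransomware|trojan)\b", re.IGNORECASE)),
]


def classify(subject, body=""):
    """Return the incident type name matched by subject/body, or None when
    no keyword matched (the general-incident case)."""
    for type_name, pattern in KEYWORD_RULES:
        if pattern.search(subject or "") or pattern.search(body or ""):
            return type_name
    return None


class FakeIncident(object):
    """Constructed stand-in for the incident created by the platform."""
    def __init__(self, name, owner):
        self.name = name
        self.owner = owner
        self.description = ""
        self.incident_type_ids = []


class FakeEmailMessage(object):
    """Constructed stand-in for the script's emailmessage object."""
    def __init__(self, subject, body=""):
        self.subject = subject
        self.body = body
        self.incident = None

    def createAssociatedIncident(self, name, owner):
        self.incident = FakeIncident(name, owner)
        return self.incident


def process_email(emailmessage, owner="owner@example.com"):
    """Table-driven version of the thread's if/elif chain: every email gets an
    incident; only keyword matches get a specific incident type."""
    type_name = classify(emailmessage.subject, emailmessage.body)
    title = "{}: {}".format(type_name or "Email", emailmessage.subject)
    incident = emailmessage.createAssociatedIncident(title, owner)
    incident.description = "Created from inbound email"
    if type_name:
        incident.incident_type_ids.append(type_name)
    return incident


if __name__ == "__main__":
    # Constructed sample messages for a quick local run.
    for msg in (FakeEmailMessage("Suspected PHISHING attempt"),
                FakeEmailMessage("Quarterly report", "attachment contained ransomware"),
                FakeEmailMessage("Lunch menu")):
        inc = process_email(msg)
        print(inc.name, inc.incident_type_ids)
```

    Matching case-insensitively and checking the body as well as the subject avoids the silent miss the original snippet has when a sender writes "phishing" in lower case; keeping the rules in one ordered list also makes it obvious which type wins when an email mentions several keywords.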



  • 3.  RE: Resilient V35 Process Inbound Email Script

    Posted Tue July 21, 2020 09:54 PM
    Thanks a lot for the response, we will test using above logic.

    ------------------------------
    Sunil I B
    ------------------------------