Original Message:
Sent: Mon June 17, 2024 08:09 AM
From: Gilbert Liao
Subject: Automatic Incident Response to Notify User via IBM SOAR
Hi,
From your 1st screenshot, it seems that your Network Administrator stores the user email in the artifact's value, but in your 2nd screenshot the automatic activation condition is set to "if artifact.description contains @iopex.com"; you should change it to "if artifact.value contains @iopex.com".
After that, you will need to set up the "Outbound Email: Send Email" function inputs, such as who the mail should be sent to, who the mail is from, what the mail subject and mail body are, etc. There are two ways to set up the values: 1) assign values in each field on the "Fields" tab, or 2) write a script on the "Script" tab.
Here is an example that uses a script (Python) to set up the input values.

```python
inputs.mail_incident_id = incident.id
inputs.mail_from = "admin@iopex.com"
inputs.mail_to = artifact.value
inputs.mail_subject = "Continuous login fail detected"
inputs.mail_body_html = "Warning! you have failed login to the system more than 5 times.<br/>" \
    "Please check your password or reset your password if it's not you. Otherwise your account will be locked."
```
A screenshot of this example,
![](https://dw1.s81c.com//IMWUC/MessageImages/8d125964891e4fb18736dda1fc3051a9.png)
You can change it per your requirements.
IBM QRadar SOAR's playbook is highly customizable; there are playbook introductions and demos available on the internet, you can check them out. For example, https://youtu.be/r6wTZn8ruRE?t=2165 or https://youtu.be/aN-dHMhhSbU?t=212
Or the SOAR official online docs: https://www.ibm.com/docs/en/sqsp/51?topic=toolkit-playbook-designer
------------------------------
Gilbert Liao
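The activation condition and the script above can be checked outside SOAR before they go into a playbook. The following is an added example, not code from the thread or from IBM's Outbound Email app: the Incident, Artifact and FunctionInputs classes are constructed stand-ins for the objects the playbook engine supplies (the real ones are not dataclasses), and is_internal_email, should_activate, build_send_email_inputs and handle_artifact are hypothetical helper names. It shows why the condition belongs on artifact.value rather than artifact.description, and it goes one step further than a plain "contains @iopex.com" check: the address is parsed and the domain compared exactly, so a value such as user@iopex.com.example does not trigger an email to an external recipient, and any artifact text placed in the HTML body is escaped first.

```python
import html
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the SOAR playbook objects (incident, artifact,
# inputs). Inside SOAR these are provided by the playbook engine; here they
# only carry the fields the script touches.
@dataclass
class Incident:
    id: int

@dataclass
class Artifact:
    type: str
    value: str
    description: str = ""

@dataclass
class FunctionInputs:
    mail_incident_id: Optional[int] = None
    mail_from: str = ""
    mail_to: str = ""
    mail_subject: str = ""
    mail_body_html: str = ""

INTERNAL_DOMAIN = "iopex.com"   # domain used in the thread's screenshots
SENDER = "admin@iopex.com"      # sender address from the thread's script
FAILED_LOGIN_THRESHOLD = 5      # "more than 5 times" in the thread's mail body

# One address only: local part, a single "@", then the domain (captured).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+)$")

def is_internal_email(value: str) -> bool:
    """True only for a single well-formed address whose domain is exactly
    INTERNAL_DOMAIN. A bare substring test for '@iopex.com' would also
    accept 'user@iopex.com.example' or a comma-separated list."""
    match = EMAIL_RE.match(value.strip())
    return bool(match) and match.group(1).lower() == INTERNAL_DOMAIN

def should_activate(artifact: Artifact) -> bool:
    # Mirrors the corrected activation condition from the thread: the
    # email lives in artifact.value, so that is the field to test, not
    # artifact.description (which holds the analyst's note).
    return is_internal_email(artifact.value)

def build_send_email_inputs(incident: Incident, artifact: Artifact) -> FunctionInputs:
    """Equivalent of the playbook script: fill the Send Email inputs."""
    inputs = FunctionInputs()
    inputs.mail_incident_id = incident.id
    inputs.mail_from = SENDER
    inputs.mail_to = artifact.value
    inputs.mail_subject = "Continuous login fail detected"
    # The artifact value came from the detection pipeline, so it is escaped
    # before being interpolated into an HTML body.
    account = html.escape(artifact.value)
    inputs.mail_body_html = (
        f"Warning! The account {account} has failed login to the system "
        f"more than {FAILED_LOGIN_THRESHOLD} times.<br/>"
        "Please check your password or reset your password if it's not you. "
        "Otherwise your account will be locked."
    )
    return inputs

def handle_artifact(incident: Incident, artifact: Artifact) -> Optional[FunctionInputs]:
    """What the automatic playbook does end to end: activate on a matching
    artifact and produce the function inputs, otherwise do nothing."""
    if not should_activate(artifact):
        return None
    return build_send_email_inputs(incident, artifact)

if __name__ == "__main__":
    # Constructed sample: the artifact an analyst (or a QRadar rule) would add.
    inc = Artifact("User Account", "alice@iopex.com",
                   description="Unsuccessful login attempts detected user")
    result = handle_artifact(Incident(2001), inc)
    print(result.mail_to if result else "playbook not activated")
```

Running the file prints alice@iopex.com for the sample artifact; an artifact whose value is a user name rather than an address, or an address in any other domain, leaves the playbook inactive. In SOAR the same logic would sit in the activation condition (value, not description) plus the Script tab of the Send Email function.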
Original Message:
Sent: Fri June 14, 2024 03:29 AM
From: SOC Team
Subject: Automatic Incident Response to Notify User via IBM SOAR
Hello Gilbert,
Thanks for sharing the detailed information. We have tried the same mechanism to configure the automatic playbook and are still stuck achieving the results. Below are the details of the activation type and email conditions. Also, I'll share the scenario below.
Scenario:
------------------------------
SOC Team
Original Message:
Sent: Wed June 12, 2024 07:04 AM
From: Gilbert Liao
Subject: Automatic Incident Response to Notify User via IBM SOAR
Hi SOC Team,
I can think of one way to achieve your need.
- When unsuccessful login attempts are detected and an incident is created, you can create a User Account type (or create your own type) artifact to store the user information (e.g., email) and add some notes to the artifact's description, e.g. "Unsuccessful login attempts detected user"
- Install and configure Outbound Email app https://exchange.xforce.ibmcloud.com/hub/extension/caafba4e4f6d130e7db30ed4d5e53504
- Create an automatic playbook
- Select artifact as the Object type
- Create an activation condition that defines the criteria to trigger the playbook when an artifact is added
- Add the "Outbound Email: Send Email" function node to the playbook and configure its inputs, e.g., set the "mail to" field to "artifact.value", or use a script to set up those input fields, e.g.,
![](https://dw1.s81c.com//IMWUC/MessageImages/2e6c2c35938b4a118e6493f3cab6221a.png)
- You can check the playbooks included in the Outbound Email app, e.g., "Send Incident Email Text (PB) Example" as an example.
When the User Account artifact is created and meets the activation condition, the playbook will be triggered and the email will be sent to the user.
Hope this helps.
------------------------------
Gilbert Liao
Original Message:
Sent: Fri June 07, 2024 08:01 AM
From: SOC Team
Subject: Automatic Incident Response to Notify User via IBM SOAR
Hello, in a particular situation, an incident was initiated when an internal user made several unsuccessful login attempts. Consequently, we will obtain the user's name or email address for this specific scenario. Presently, we are trying to automatically send the offense details to the internal user using either their user id or email artifact. So, how can we achieve this?
------------------------------
SOC Team
Original Message:
Sent: Thu June 06, 2024 03:52 PM
From: AnnMarie Norcross
Subject: Automatic Incident Response to Notify User via IBM SOAR
Can you explain a little more what you are trying to do?
When a QRadar incident is created in SOAR, an email should be sent to a user automatically using outbound email?
What does "irrespective of manual outbound email" mean?
------------------------------
AnnMarie Norcross
Original Message:
Sent: Thu May 23, 2024 08:13 AM
From: SOC Team
Subject: Automatic Incident Response to Notify User via IBM SOAR
Hello Team,
We are looking to automate an incident with event details being sent to the respective user via email from the artifact. Is there any way or workaround for this request?
Example: When an incident is received by IBM SOAR from QRadar, SOAR needs to act to send an incident email to the respective user irrespective of manual outbound email.
Thanks!
SOC Team
------------------------------
SOC Team