IBM Security QRadar SOAR

  • 1.  Process inbound email

    Posted Thu July 21, 2022 08:47 AM
    Hello,

    I use the default script "Process Inbound email" to associate inbound emails with incidents or create new incidents.
    I have started to notice that if someone sends an email to a closed incident, a new incident is created. Maybe it would be more correct to reopen the existing incident?



    ------------------------------
    Alexey Fedorov
    ------------------------------


  • 2.  RE: Process inbound email

    Posted Tue August 23, 2022 08:51 AM
    Hi Alexey,

    Are you using the default script?
    This might be possible by changing the incident status when the script branches to:

    emailmessage.associateWithIncident()

    ------------------------------
    mohamad islam hamadieh
    ------------------------------



  • 3.  RE: Process inbound email

    Posted Tue August 23, 2022 08:51 AM
    Hi Alexey,

    You can edit the default script to change the incident status when branching to:

    emailmessage.associateWithIncident()

    You also have to remove:
    query_builder.equals(fields.incident.plan_status, "Active")
    from your query builder

    ------------------------------
    mohamad islam hamadieh
    ------------------------------



  • 4.  RE: Process inbound email

    Posted Tue June 20, 2023 08:22 AM

    Hi! How are inbound emails linked to an existing incident put within the conversations data table? I send an email through a task and it works. I reply to this email and the email creates a new incident instead of being added to the data table of an existing incident. I use

    https://github.com/ibmresilient/resilient-community-apps/tree/main/sc_email_parser

    Outbound Version 2.0.2 App is also there.

    I also changed the value to True as documented:

    If you are using Outbound Email 2.0 or greater, you can edit this script to enable the logic to populate the inbound email message into the incident's Email Conversations datatable. Modify line 10, SAVE_CONVERSATION = True, to perform this action

    Have I slipped up somewhere?



    ------------------------------
    BrunoMarX
    ------------------------------



  • 5.  RE: Process inbound email

    Posted Wed June 21, 2023 02:05 AM

    Hi BrunoMarX,

    The link you provided is not working.



    ------------------------------
    mohamad islam hamadieh
    ------------------------------



  • 6.  RE: Process inbound email

    Posted Wed June 21, 2023 11:16 AM

    Hey! I just checked the link and it's working:

    https://github.com/ibmresilient/resilient-community-apps/tree/main/sc_email_parser

    It's within the resilient GitHub repository:

    https://github.com/ibmresilient/resilient-community-apps



    ------------------------------
    BrunoMarX
    ------------------------------