IBM Security QRadar SOAR


Trigger playbook from number of inbound emails over certain period of time

  • 1.  Trigger playbook from number of inbound emails over certain period of time

    Posted Wed June 15, 2022 01:12 PM

    Does anyone know of a way to trigger a Playbook or other action based on the number of inbound emails received by SOAR over a certain period of time?
    Our use case: if we receive x number of phishing reports over y time, then open a high-priority ticket in ServiceNow.



    ------------------------------
    Ryan Terry
    ------------------------------


  • 2.  RE: Trigger playbook from number of inbound emails over certain period of time

    Posted Thu June 16, 2022 08:48 AM
    Hello Ryan,

    There are several ways to implement your scenario.

    1- Write and schedule (cron or task scheduler) a script that gets emails from SOAR and opens a ticket in ServiceNow.
    You can use the endpoint below for SOAR. You must send a payload that contains filters such as time range, mail subject, sender, etc.
    POST - /orgs/{org_id}/email/inbox/messages/query_paged

    2- This option is more complex than the first one. You can develop a workflow. But first, you need a function that gets emails from SOAR. I am not sure whether there is an app for this on the IBM App Exchange. If one does not exist, you should develop an app to implement it. Another requirement is ServiceNow functions.

    The design may be like below.



    Then, you should create a rule that triggers based on a condition (simply, it may be an incident field). After that, you may trigger that condition in two different ways. The first is that you can trigger it with the API from outside of SOAR. The other way is that you can use the scheduler app for it. For the second way, you need to have a dummy incident that is always active.

    Finally :)

    If I were you, I would prefer the first option for this.

    ------------------------------
    Burak Karaduman
    ------------------------------
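The following is an added example of the first option from the reply above (a scheduled poller), not code from the original thread or from IBM. It counts inbound messages in a sliding window, files a ServiceNow incident when the count reaches a threshold, and keeps a cooldown so a cron job does not open a new ticket on every run while the surge continues. Assumptions: the SOAR host, org id, API key, ServiceNow host and credentials are hypothetical environment values; the `filters`/`conditions`/`method` body shape and the inbox field names (`received_date`, `subject`) are assumed from the grammar SOAR's other `query_paged` endpoints use; Basic authentication with the API key id/secret and the `{"data": [...]}` response shape are assumptions to verify against the SOAR REST API docs. `POST /api/now/table/incident` is the real ServiceNow Table API endpoint; the record fields are ours.

```python
import base64
import json
import os
import time
import urllib.request

# Deployment settings (hypothetical; read from the environment on a real host).
SOAR_URL = os.environ.get("SOAR_URL", "https://soar.example.com")
SOAR_ORG_ID = os.environ.get("SOAR_ORG_ID", "201")
SOAR_API_KEY_ID = os.environ.get("SOAR_API_KEY_ID", "")
SOAR_API_KEY_SECRET = os.environ.get("SOAR_API_KEY_SECRET", "")
SNOW_URL = os.environ.get("SNOW_URL", "https://example.service-now.com")
SNOW_BASIC_AUTH = os.environ.get("SNOW_BASIC_AUTH", "")   # base64("user:password")

WINDOW_MINUTES = 60        # y: look-back window
THRESHOLD = 5              # x: reports inside the window that open a ticket
COOLDOWN_MINUTES = 240     # no second ticket while the same surge is under way
SUBJECT_KEYWORD = "phish"  # marker the report-a-phish flow puts in the subject (assumption)
STATE_FILE = "/var/tmp/phish_surge_state.json"


def window_start_ms(now_ms, window_minutes=WINDOW_MINUTES):
    """Epoch-millisecond start of the look-back window (SOAR date fields are epoch ms)."""
    return now_ms - window_minutes * 60 * 1000


def build_query(start_ms, subject_keyword=SUBJECT_KEYWORD, start=0, length=100):
    """Body for POST /rest/orgs/{org_id}/email/inbox/messages/query_paged (field names assumed)."""
    conditions = [{"field_name": "received_date", "method": "gte", "value": start_ms}]
    if subject_keyword:
        conditions.append({"field_name": "subject", "method": "contains", "value": subject_keyword})
    return {"filters": [{"conditions": conditions}], "start": start, "length": length}


def count_reports(messages, start_ms, subject_keyword=SUBJECT_KEYWORD):
    """Re-apply the window and subject filter client-side so a mistyped or silently
    ignored server-side filter cannot inflate (or deflate) the count."""
    n = 0
    for m in messages:
        if int(m.get("received_date") or 0) < start_ms:
            continue
        if subject_keyword and subject_keyword.lower() not in (m.get("subject") or "").lower():
            continue
        n += 1
    return n


def should_escalate(count, now_ms, last_escalated_ms,
                    threshold=THRESHOLD, cooldown_minutes=COOLDOWN_MINUTES):
    """True when the count reaches the threshold and the cooldown since the last ticket has passed."""
    if count < threshold:
        return False
    if last_escalated_ms is not None and now_ms - last_escalated_ms < cooldown_minutes * 60 * 1000:
        return False
    return True


def ticket_body(count, window_minutes=WINDOW_MINUTES, threshold=THRESHOLD):
    """Record for the ServiceNow Table API, POST /api/now/table/incident (field values are ours)."""
    return {
        "short_description": f"Phishing surge: {count} reports in {window_minutes} min (threshold {threshold})",
        "urgency": "1",
        "impact": "1",
        "category": "Security",
        "description": "Automated escalation from the QRadar SOAR inbox poller; "
                       "review the SOAR email inbox for the reported messages.",
    }


def post_json(url, body, headers):
    """HTTPS POST with the standard library; returns the parsed JSON response."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_messages(start_ms):
    """Page through query_paged until a short page (auth scheme and response shape assumed)."""
    url = f"{SOAR_URL}/rest/orgs/{SOAR_ORG_ID}/email/inbox/messages/query_paged"
    token = base64.b64encode(f"{SOAR_API_KEY_ID}:{SOAR_API_KEY_SECRET}".encode()).decode()
    headers = {"Authorization": f"Basic {token}"}
    messages, start, length = [], 0, 100
    while True:
        page = post_json(url, build_query(start_ms, start=start, length=length), headers).get("data", [])
        messages.extend(page)
        if len(page) < length:
            return messages
        start += length


def run_once(now_ms=None):
    """One cron tick: count, decide, escalate, and remember when we last escalated."""
    now_ms = now_ms or int(time.time() * 1000)
    start_ms = window_start_ms(now_ms)
    count = count_reports(fetch_messages(start_ms), start_ms)
    state = json.load(open(STATE_FILE)) if os.path.exists(STATE_FILE) else {}
    if should_escalate(count, now_ms, state.get("last_escalated_ms")):
        post_json(f"{SNOW_URL}/api/now/table/incident", ticket_body(count),
                  {"Authorization": f"Basic {SNOW_BASIC_AUTH}", "Accept": "application/json"})
        state["last_escalated_ms"] = now_ms
        with open(STATE_FILE, "w") as fh:
            json.dump(state, fh)
    return count
```

Schedule `run_once()` from cron at an interval shorter than the window (for example every 5 minutes for a 60-minute window) so a burst is not missed between ticks. The client-side recount in `count_reports` is deliberate: if the server ignores an unknown field name in the filter, the paged result silently becomes the whole inbox, and a ticket would be opened on every run.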