Hello Ryan,
There are several ways to implement your scenario.
1- Write and schedule (cron or Task Scheduler) a script that gets emails from SOAR and opens a ticket on ServiceNow.
You can use the endpoint below for SOAR. You must send a payload which contains filters such as time range, mail subject, sender, etc.
POST - /orgs/{org_id}/email/inbox/messages/query_paged
2- This option is more complex than the first one. You can develop a workflow. But first, you need a function that gets emails from SOAR. I am not sure whether there is an app on the IBM exchange app market. If none exists, you should develop an app to implement this. Another requirement is ServiceNow functions.
The design may be like below.
Then, you should create a rule that triggers based on a condition (simply, it may be an incident field). After that, you may trigger that condition in two different ways. The first is to trigger it with the API from outside of SOAR. The other way is to use a scheduler app for that. For the second way, you need to have a dummy incident which should always be active.
Finally :)
If I were you, I would prefer the first option to do this.
------------------------------
Burak Karaduman
------------------------------
Original Message:
Sent: Wed June 15, 2022 01:11 PM
From: Ryan Terry
Subject: Trigger playbook from number of inbound emails over certain period of time
Does anyone know of a way to trigger a Playbook or other action based on the number of inbound emails received by SOAR over a certain period of time?
Our use case: If we receive x amount of phishing reports over y time then open a high priority ticket in Service Now.
------------------------------
Ryan Terry
------------------------------
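A sketch of the first option from the reply above, added here as an example and not code from the thread or from IBM: one scheduled run queries the inbox endpoint, counts reports inside the window, and opens a single high-priority ServiceNow incident per burst. The filter field names, the `data` reply key, the `soar_post`/`snow_post` HTTP helpers, the org id and the sample messages are assumptions or constructed values.

```python
from datetime import datetime, timedelta, timezone

SOAR_QUERY_PATH = "/orgs/{org_id}/email/inbox/messages/query_paged"  # from the post
SNOW_INCIDENT_PATH = "/api/now/table/incident"  # ServiceNow Table API

def to_ms(moment):
    return int(moment.timestamp() * 1000)

def build_soar_query(now, window, subject_keyword):
    # ASSUMPTION: field and operator names are placeholders; take the real
    # ones from your SOAR version's REST API documentation.
    return {"filters": [{"conditions": [
        {"field_name": "received_time", "method": "gte", "value": to_ms(now - window)},
        {"field_name": "subject", "method": "contains", "value": subject_keyword},
    ]}]}

def count_in_window(messages, now, window):
    # Re-check timestamps client side so a loose server filter cannot inflate the count.
    return sum(1 for m in messages
               if to_ms(now - window) <= m["received_time"] <= to_ms(now))

def run_once(soar_post, snow_post, now, threshold, window, state, org_id=201):
    """One scheduled run; soar_post/snow_post(path, payload) are the caller's
    authenticated HTTP helpers (hypothetical), state persists between runs,
    and the default org_id is a constructed value."""
    reply = soar_post(SOAR_QUERY_PATH.format(org_id=org_id),
                      build_soar_query(now, window, "phish"))
    count = count_in_window(reply.get("data", []), now, window)  # "data" key assumed
    last = state.get("last_ticket")
    # Below threshold, or the same burst already produced a ticket: do nothing.
    if count < threshold or (last is not None and now - last < window):
        return None
    state["last_ticket"] = now
    ticket = {"short_description": f"{count} phishing reports within {window}",
              "urgency": "1", "impact": "1"}  # 1/1 maps to top priority by default
    snow_post(SNOW_INCIDENT_PATH, ticket)
    return ticket

if __name__ == "__main__":
    now = datetime(2022, 6, 15, 13, 0, tzinfo=timezone.utc)
    # Constructed sample: reports 5, 20, 40 and 90 minutes before `now`.
    sample = [{"received_time": to_ms(now - timedelta(minutes=m))} for m in (5, 20, 40, 90)]
    print(run_once(lambda p, q: {"data": sample}, lambda p, q: None,
                   now, 3, timedelta(hours=1), {}))
```

Persist `state` (a small file is enough) between cron runs; without it every run inside the window opens another ticket for the same burst.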