Tutorial: Processing inbound email
In this tutorial you will learn how to configure Orchestration & Automation to process inbound email.
You can configure Orchestration & Automation to create new incidents or update existing
incidents from incoming email. For example, you can configure it to create or update
incidents from email sent by SIEMs or network devices. You complete the configuration by
using a combination of rules and a script, setting the required permissions, and configuring
an inbound email connection in the SOAR interface.
Learning objectives
After completing the lessons in this tutorial, you will know how to:
- Configure an inbound email connection.
- Set the required email-related permissions to allow users to access the email inbox.
- Customize a sample email script.
- Create a rule to trigger the script.
Time required
This tutorial should take approximately 60 minutes to finish. If you explore other concepts or modify more scripts related to this tutorial, it could take longer.
Conventions used in this tutorial
This tutorial is based on sample data that does not necessarily reflect real data.
- Lesson 1: Creating an email connection
  Inbound email connections enable Orchestration & Automation to receive emails, for example, emails from a phishing threat service. Playbook designers can configure Orchestration & Automation to process these emails and automatically generate incidents from them, or add the emails to existing incidents. You can configure one or more email connections from the Organization tab.
- Lesson 2: Assigning email permissions
  Incoming email is displayed in the Inbox screen from Application settings > Case Management > Inbox. If emails are processed by Orchestration & Automation to create or update incidents, the emails are shown on the case Email tab and no longer in the Inbox. By default, users cannot view the Inbox tab; permissions must be assigned.
- Lesson 3: Configuring a sample email script
  A sample script is available to help you get started with incoming emails from systems such as SIEMs, network devices, and so on. To use the script, create a copy and then configure the copy to process incoming emails.
- Lesson 4: Creating a rule to process the script
  To run the email processing script to create or update incidents from emails, you need to create an automatic rule.