Lesson 3: Configuring a sample email script

IBM Security® QRadar® SOAR includes a sample script to help you begin to process incoming emails from systems such as SIEMs and network devices.

The sample script processes the email in the following way:
  • Checks for an existing incident where the incident title reflects the subject of the email message received. If it finds one, the email message is associated with the existing incident. Otherwise, it creates a new incident with a suitable title.
  • Parses the email body text for URLs, IP addresses, and file hashes. After filtering out invalid and allowlist values, it adds the remaining data to the incident as artifacts.
  • Adds non-inline email message attachments to the incident.
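The following is an added example, not the sample script shipped with QRadar SOAR, showing the incident lookup and the parse-and-filter stage described above in the Python that SOAR scripts use. The regular expressions, the allowlist layout, the incident dictionary and the sample email body are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed patterns and allowlists; not taken from the product's sample script.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+")
HASH_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")

ALLOWLIST_IPS = ["10.0.0.0/8", "192.168.1.25"]        # ranges or single hosts
ALLOWLIST_DOMAINS = ["example.com", "internal.corp"]  # matches domain and subdomains

# Constructed email body standing in for a SIEM notification.
SAMPLE_BODY = """SIEM alert: host 10.20.30.40 contacted 203.0.113.77 and 300.1.2.3.
Payload https://evil.test/drop (md5 D41D8CD98F00B204E9800998ECF8427E).
Runbook: https://wiki.example.com/runbook"""

def ip_allowed(ip, allowlist=ALLOWLIST_IPS):
    """True when ip is not a valid address or lies inside an allowlisted range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # e.g. 300.1.2.3: invalid, so never becomes an artifact
    return any(addr in ipaddress.ip_network(e, strict=False) for e in allowlist)

def domain_allowed(url, allowlist=ALLOWLIST_DOMAINS):
    """True when the URL host is an allowlisted domain or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return not host or any(host == d or host.endswith("." + d) for d in allowlist)

def extract_artifacts(body):
    """Return the artifact values left after invalid and allowlisted ones are removed."""
    ips = sorted({m for m in IP_RE.findall(body) if not ip_allowed(m)})
    urls = sorted({u.rstrip(".,)") for u in URL_RE.findall(body) if not domain_allowed(u)})
    hashes = sorted({h.lower() for h in HASH_RE.findall(body)})
    return {"IP Address": ips, "URL": urls, "Hash": hashes}

def find_or_create(subject, incidents):
    """Reuse the incident whose title matches the subject; otherwise create one."""
    for inc in incidents:
        if inc["name"] == subject:
            return inc, False
    inc = {"name": subject, "artifacts": {}}
    incidents.append(inc)
    return inc, True
```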

To configure the email script, follow these steps:

Procedure

  1. Navigate to Customization Settings > Scripts and open the Sample script: process inbound email script.
  2. Create a copy of the script and edit it.
    1. Search for the incident owner on line 9 and change it to your preferred incident owner.
    2. Optionally, in the allowlist section starting at line 12, add allowlists for known IP addresses, IP ranges, and domains that you do not want processed or added as artifacts.
  3. Save the modified script.

Results

The script is now ready to process inbound emails. You can add additional scripts to process different email types.

Lesson checkpoint

In this lesson, you learned how to customize a sample email script to process inbound emails.

You learned the following:
  • How to specify the incident owner for new incidents created by the script.
  • How to add allowlists for IP addresses and IP ranges.