Tutorial: Processing inbound email
In this tutorial you will learn how to configure the SOAR Platform to process inbound email.
You can configure the SOAR Platform to create new incidents or update existing incidents from incoming email. For example, you can configure the SOAR Platform to create or update incidents from emails sent by SIEMs or network devices. You complete the configuration using a combination of rules and a script, setting the required permissions, and configuring an inbound email connection in the SOAR interface.
Learning objectives
After completing the lessons in this tutorial, you will know how to:
- Configure an inbound email connection.
- Set the required email-related permissions to allow users to access the email inbox.
- Customize a sample email script.
- Create a rule to trigger the script.
Time required
This tutorial should take approximately 60 minutes to finish. If you explore other concepts or modify more scripts related to this tutorial, it could take longer.
Conventions used in this tutorial
This tutorial is based on sample data, which may not necessarily reflect real data.
- Lesson 1: Creating an email connection
Inbound email connections enable the SOAR Platform to receive emails, for example, emails from a phishing threat service. Playbook designers can configure the SOAR Platform to process these emails and automatically generate incidents from them, or add the emails to existing incidents. You can configure one or more email connections from the Organization tab. The SOAR Platform supports the IMAP email protocol.
- Lesson 2: Assigning email permissions
Follow this lesson to learn how to assign permissions that allow users to view and manage emails on the Inbox tab in the IBM Security QRadar SOAR Platform.
- Lesson 3: Configuring a sample email script
IBM Security QRadar SOAR Platform includes a sample script to help you begin to process incoming emails from systems such as SIEMs and network devices.
- Lesson 4: Creating a rule to process the script
To run the email processing script that creates or updates incidents from emails, you need to create an automatic rule.