06-09-2023 07:53 AM
Hello all
I am working on a story where I need to create security incidents from emails received. I configured my Inbound Actions as expected, with the target table pointing to the security incident table.
However, upon testing to make sure it works as expected, the ticket is created, but it is being created as an INC and not a SIR.
What am I missing?
06-09-2023 08:47 AM - edited 06-09-2023 08:49 AM
Sure... here is an example of a Malware one we use. You basically create the parser and then create field transforms, which are essentially "How do you want to populate the fields on the SIR":
Here are some of the transforms, if that helps:
(With the Value Prefix you can specify which words to look for in the email and grab the value after that, as shown above.)
Please mark this response as correct and/or helpful if it assisted you with your question.
Steven
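To make the "Value Prefix" idea concrete, here is an added illustration (not ServiceNow code and not the parser from the screenshots above): a small script that applies prefix-based and static field transforms to a constructed malware-alert email and builds the field set for a SIR. The field names, prefixes, table name and sample email are all assumptions for the demo.

```javascript
// Added illustration, not ServiceNow's Email Parser API: simulates how field
// transforms populate a Security Incident from an inbound email.

// Constructed sample email body in the shape a malware alert might take.
const SAMPLE_EMAIL = [
  "Subject: Malware detected",
  "Affected user: jane.doe",
  "Hostname: WS-1234",
  "Threat name: Trojan.Generic",
  "Severity: High",
].join("\n");

// Transform definitions (assumed field names). A "prefix" transform grabs
// the text after the prefix on the same line; a "static" transform always
// sets a fixed value, e.g. the assignment group the asker wants prefilled.
const TRANSFORMS = [
  { field: "short_description", type: "prefix", prefix: "Subject:" },
  { field: "affected_user",     type: "prefix", prefix: "Affected user:" },
  { field: "cmdb_ci",           type: "prefix", prefix: "Hostname:" },
  { field: "malware_name",      type: "prefix", prefix: "Threat name:" },
  { field: "severity",          type: "prefix", prefix: "Severity:" },
  { field: "assignment_group",  type: "static", value: "Security Operations" },
];

// Value Prefix lookup: case-insensitive; returns the trimmed remainder of the
// first line containing the prefix, or null when the prefix is absent.
function valueAfterPrefix(body, prefix) {
  const want = prefix.toLowerCase();
  for (const line of body.split(/\r?\n/)) {
    const idx = line.toLowerCase().indexOf(want);
    if (idx !== -1) return line.slice(idx + prefix.length).trim();
  }
  return null;
}

// Applies every transform. Fields whose prefix is not found in the email are
// left unset rather than written as an empty string, so the SIR only carries
// values the email actually supplied.
function buildSecurityIncident(body, transforms) {
  const record = { targetTable: "sn_si_incident" }; // assumed SIR table name
  for (const t of transforms) {
    const value = t.type === "static" ? t.value : valueAfterPrefix(body, t.prefix);
    if (value !== null && value !== "") record[t.field] = value;
  }
  return record;
}
```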
06-09-2023 08:07 AM - edited 06-09-2023 08:09 AM
Security Operations has its own Inbound Actions called "Email Parsing". If you want to create a Security Incident from emails received, you need to build your inbound action on the "Email Parser" table.
You will find more details in this post:
Please mark this response as correct and/or helpful if it assisted you with your question.
Steven
06-09-2023 08:13 AM
Thank you.
Have you done this before? If so, would you point me to a how-to, as this one is new to me?
I just need to create the ticket with the basic information prefilled, like the requested by, short description, etc., and for it to be assigned to a group.
06-11-2023 07:26 PM
Just wanted to touch base with you quickly on this.
I have done the email parser; however, the ticket is still created as an INC ticket and not a SI ticket.
I also wanted the assignment group to be prefilled; this field will be static with one particular assignment group.
Why is my assignment group field not populating with the assignment group I selected, and why is the incident being created as INC and not SI even though