Create SI from emails received

newbie_05
Tera Contributor

Hello all,

I am working on a story where I need to create security incidents from emails received. I configured my Inbound actions as expected, with the target table pointing to the security incident table.

[screenshot]

[screenshot]

However, upon testing to make sure it works as expected, the ticket is created as expected, but it is being created as an INC and not a SIR.

 

What am I missing?

1 ACCEPTED SOLUTION

Sure... here is an example of a Malware one we use. You basically create the parser and then create field transforms, which are essentially "How do you want to populate the fields on the SIR":

[screenshot]

Here are some of the transforms if that helps:

[screenshot]

[screenshot]

[screenshot]

[screenshot]

(With the Value Prefix you can specify which words to look for in the email and grab the value after that, as shown above.)

Please mark this response as correct and/or helpful if it assisted you with your question.
Steven


6 REPLIES

Are you sure your other normal inbound action is disabled and isn't creating a record on the Incident table? Email Parser by default creates records on the sn_si_incident table, as shown in the "Destination Table" field in your screenshot above.

As for Assignment Group, we use the same group for every SI Incident, but I assume you would choose that field, always a static value, and then place the sys_id of the assignment group in the static value field?


Please mark this response as correct and/or helpful if it assisted you with your question.
Steven
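As an added example that is not part of this thread and is not ServiceNow's own code, the following Node.js script models what the accepted answer and the follow-up reply describe: an Email Parser whose destination table is sn_si_incident, a "static value" transform for the assignment group, "value prefix" transforms that take the text after a marker word in the email, and a check for any other active inbound action that fires on new emails and targets the incident table (the usual reason a SIR comes out as an INC). The field names, the sample email, the transform definitions, the inbound-action list and the placeholder sys_id are all constructed for illustration; nothing here calls the ServiceNow API.

```javascript
// Added example (not from the thread or from ServiceNow): a model of an Email
// Parser with field transforms populating a security incident, plus the
// "competing inbound action" check from the follow-up reply.

const DESTINATION_TABLE = 'sn_si_incident'; // the parser's Destination Table

// Constructed inbound email, roughly in the shape of an AV alert.
const SAMPLE_EMAIL = {
  subject: 'Malware detected on host WS-1042',
  body: [
    'Alert ID: AV-17',
    'Hostname: WS-1042',
    'Detected threat: Trojan.GenericKD',
    'Severity: High',
    'Action taken: Quarantined',
  ].join('\n'),
};

// Constructed transforms. `static` always writes the same value (the
// assignment group sys_id below is a placeholder); `prefix` takes whatever
// follows the prefix on the first body line that contains it, optionally
// mapped to a choice value (e.g. "High" -> severity 1).
const TRANSFORMS = [
  { type: 'static', field: 'assignment_group', value: '0123456789abcdef0123456789abcdef' },
  { type: 'static', field: 'category', value: 'malware' },
  { type: 'prefix', field: 'cmdb_ci', prefix: 'Hostname:' },
  { type: 'prefix', field: 'severity', prefix: 'Severity:', map: { High: '1', Medium: '2', Low: '3' } },
  { type: 'prefix', field: 'description', prefix: 'Alert ID:' },
];

// Return the trimmed text after `prefix` on the first line containing it, or
// null when no line carries the prefix, so the field is left unset rather
// than written as an empty string.
function valueAfterPrefix(body, prefix) {
  for (const line of body.split(/\r?\n/)) {
    const idx = line.indexOf(prefix);
    if (idx !== -1) {
      return line.slice(idx + prefix.length).trim();
    }
  }
  return null;
}

// Apply the transforms and build the record the parser would insert.
// `unmatched` lists fields whose prefix (or mapped value) was not found.
function buildSecurityIncident(email, transforms) {
  const fields = { short_description: email.subject };
  const unmatched = [];
  for (const t of transforms) {
    if (t.type === 'static') {
      fields[t.field] = t.value;
      continue;
    }
    const raw = valueAfterPrefix(email.body, t.prefix);
    if (raw === null || (t.map && !(raw in t.map))) {
      unmatched.push(t.field);
      continue;
    }
    fields[t.field] = t.map ? t.map[raw] : raw;
  }
  return { table: DESTINATION_TABLE, fields, unmatched };
}

// Model of the diagnostic in the follow-up reply: names of inbound actions
// that are active, fire on new emails and target `incident`. Any hit is a
// candidate for the INC that was created instead of the SIR.
function findCompetingIncidentActions(inboundActions) {
  return inboundActions
    .filter((a) => a.active && a.type === 'new' && a.table === 'incident')
    .map((a) => a.name);
}

// Constructed list of inbound email actions as they might exist in an instance.
const SAMPLE_INBOUND_ACTIONS = [
  { name: 'Create Incident', type: 'new', table: 'incident', active: true },
  { name: 'Update Incident', type: 'reply', table: 'incident', active: true },
  { name: 'Create Security Incident', type: 'new', table: 'sn_si_incident', active: true },
];

console.log(JSON.stringify(buildSecurityIncident(SAMPLE_EMAIL, TRANSFORMS), null, 2));
console.log('Competing inbound actions:', findCompetingIncidentActions(SAMPLE_INBOUND_ACTIONS));
```

Two things worth carrying over to the real configuration: a prefix that does not occur in the email should leave the field unset instead of writing an empty string (here it lands in `unmatched`), and when the parser is configured correctly but an INC still appears, the first place to look is the list of other active inbound actions of type "New" that target `incident`.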

newbie_05
Tera Contributor

thank you so much