Hi, I'm new to Google SecOps and need some guidance, please.
I need to be able to send an email whenever a case is raised to an incident. I assume that a playbook will be required using the Send Email action from the Emailv2 integration, but I am unclear on how to trigger the playbook. We are using the Customer Configuration in Settings > Advanced > Email Settings.
If anyone could provide a sample playbook or details on how to achieve this, I would be grateful.
Regards,
@hackermartin017 This is achieved by using an Action in your playbook, like in the example in the documentation: https://cloud.google.com/chronicle/docs/soar/respond/working-with-playbooks/using-actions-in-playboo... First you use trigger to alert: https://cloud.google.com/chronicle/docs/soar/respond/working-with-playbooks/using-actions-in-playboo... then you move to the action.
Here are also the details to build your first playbook: https://cloud.google.com/chronicle/docs/soar/respond/start-developing/my-first-automation
Hey,
That could be a way to do this:
1. Use a Tools - Get Case Data in your playbook to get information about the Case
   -> you need "mark as incident" as status. Grab this with the expression builder
2. Build a Condition based on the output from Tools - Get Case Data
3. YES Branch -> Siemplify - Raise Incident -> Send Email
   For Else Branch add a Comment to give information
Regards,
Thanks, this is very helpful. Will investigate further.