https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/setting-up-classification-amp-mapping-for-email-ingest/m-p/511151#M1101 <P>Hi,</P> <P>&nbsp;</P> <P>Here are two different emails subject:</P> <P>1. Test email - Phishing Email</P> <P>2. Test email - Ping</P> <P>&nbsp;</P> <P>Two playbooks:</P> <P>1. Phishing Email</P> <P>2. Ping</P> <P>&nbsp;</P> <P>Currently I have setup two instances of integration "Mail Listener v2" with corresponding incident types so that phishing email will go to&nbsp; playbook - phishing email and ping email will go to playbook - ping.&nbsp;</P> <P>&nbsp;</P> <P>I am looking for setting one instance of integration "Mail Listener v2" and using classification and mapping to send the alerts into different playbooks by keywords in subject. What I am trying to do is if the email subject contains "Phishing Email" and sender is from specific sender, then it will be sent to playbook - Phishing email", and similar actions for ping.</P> <P>&nbsp;</P> <P>Does anyone know if this is possible or I have to keep using two instances for this setup? Thanks.</P> Sat, 06 Aug 2022 10:51:30 GMT ce13 2022-08-06T10:51:30Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/setting-up-classification-amp-mapping-for-email-ingest/m-p/511151#M1101 <P>Hi,</P> <P>&nbsp;</P> <P>Here are two different emails subject:</P> <P>1. Test email - Phishing Email</P> <P>2. Test email - Ping</P> <P>&nbsp;</P> <P>Two playbooks:</P> <P>1. Phishing Email</P> <P>2. Ping</P> <P>&nbsp;</P> <P>Currently I have setup two instances of integration "Mail Listener v2" with corresponding incident types so that phishing email will go to&nbsp; playbook - phishing email and ping email will go to playbook - ping.&nbsp;</P> <P>&nbsp;</P> <P>I am looking for setting one instance of integration "Mail Listener v2" and using classification and mapping to send the alerts into different playbooks by keywords in subject. What I am trying to do is if the email subject contains "Phishing Email" and sender is from specific sender, then it will be sent to playbook - Phishing email", and similar actions for ping.</P> <P>&nbsp;</P> <P>Does anyone know if this is possible or I have to keep using two instances for this setup? Thanks.</P> Sat, 06 Aug 2022 10:51:30 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/setting-up-classification-amp-mapping-for-email-ingest/m-p/511151#M1101 ce13 2022-08-06T10:51:30Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/setting-up-classification-amp-mapping-for-email-ingest/m-p/511173#M1102 <P>What you're trying to do is definitely possible with a single Mail Listener + classifier, but you may need to rethink your classification logic.</P> <P>&nbsp;</P> <P>The classifier expects that a single field (+ filter + transformer set) will produce a (mostly) fixed list of values, and those values can be mapped onto incident types. This is simple and easy to do based solely on sender or receiver email addresses - each email address value goes to a different incident type. More complex logic (e.g. "it has X in the subject AND ...") may be possible, but you'd essentially need to fight to fit it within the classifier design, rather than it fitting neatly.</P> <P>&nbsp;</P> <P>Also, since you only get a single mapper object per mail listener, if you are currently using two different mappers you'll need to combine the mappers you're currently using into a single mapper. Mappers can have incident-type-specific mappings so you won't lose any custom logic in this process but it will be a little bit of extra work.</P> Mon, 08 Aug 2022 01:04:29 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/setting-up-classification-amp-mapping-for-email-ingest/m-p/511173#M1102 chrking 2022-08-08T01:04:29Z