https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/how-to-handle-high-volume-email-events-in-xsoar-without/m-p/1235988#M4130 <P>Hello guys,</P> <P>I am currently working on <STRONG>Use Case </STRONG>for my organization to handle <STRONG>email threats</STRONG> that bypass our Trend Micro Email Security (TMS) gateway.</P> <H3><STRONG>Context</STRONG></H3> <UL> <LI> <P>My organization uses <STRONG>Trend Micro Email Security</STRONG> as the email gateway.</P> </LI> <LI> <P>Some <STRONG>phishing, spam, and malware emails</STRONG> still bypass TMS filtering and reach user inboxes.</P> </LI> <LI> <P>These emails are logged in <STRONG>Splunk</STRONG> from TMS.</P> </LI> <LI> <P>We want to integrate <STRONG>Splunk → XSOAR → TMS</STRONG> so that:</P> <OL> <LI> <P>Emails that bypass TMS are analyzed in XSOAR.</P> </LI> <LI> <P>XSOAR classifies them as <STRONG>phishing</STRONG>, <STRONG>spam</STRONG>, or <STRONG>malware</STRONG>.</P> </LI> <LI> <P>Based on the classification, XSOAR sends an <STRONG>action back to TMS</STRONG> via API (block sender/domain or quarantine email).</P> </LI> </OL> </LI> </UL> <HR /> <H3><STRONG>The Challenge</STRONG></H3> <P>The email volume is extremely high. In one hour, there can be <STRONG>over 100,000 events</STRONG> from TMS logs.</P> <P>As XSOAR is <STRONG>incident-driven</STRONG>, each fetched event will be created as an <STRONG>incident</STRONG> before the playbook runs.<BR />If we let all these events become incidents, the system will consume a huge amount of resources, which is not efficient since our main goal is only to <STRONG>identify and take action</STRONG> on malicious/spam emails.</P> <P>We want to know:</P> <UL> <LI> <P>Is there a way to <STRONG>pre-filter</STRONG> or <STRONG>batch process</STRONG> these events <STRONG>before</STRONG> they are turned into incidents?</P> </LI> <LI> <P>Can XSOAR fetch from Splunk (or API) using <STRONG>query filters</STRONG> to reduce the number of incidents created?</P> </LI> <LI> <P>Is there a recommended <STRONG>best practice</STRONG> for handling high-volume events like this in XSOAR?</P> </LI> </UL> <PRE><CODE class="language-json"> </CODE></PRE> <HR /> <H3><STRONG>Expected Outcome</STRONG></H3> <UL> <LI> <P>Reduce incoming email events so that XSOAR only processes those with a <STRONG>high probability spam</STRONG>.</P> </LI> <LI> <P>Possibly <STRONG>group multiple events</STRONG> into a single incident for batch processing.</P> </LI> <LI> <P>Still be able to send final actions (block/quarantine) back to TMS after classification.</P> </LI> </UL> <P>Any guidance, suggestions, or reference playbooks from the community would be highly appreciated.</P> <P>Thanks in advance!</P> Thu, 14 Aug 2025 09:48:51 GMT A.MuharramIshaq 2025-08-14T09:48:51Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/how-to-handle-high-volume-email-events-in-xsoar-without/m-p/1235988#M4130 <P>Hello guys,</P> <P>I am currently working on <STRONG>Use Case </STRONG>for my organization to handle <STRONG>email threats</STRONG> that bypass our Trend Micro Email Security (TMS) gateway.</P> <H3><STRONG>Context</STRONG></H3> <UL> <LI> <P>My organization uses <STRONG>Trend Micro Email Security</STRONG> as the email gateway.</P> </LI> <LI> <P>Some <STRONG>phishing, spam, and malware emails</STRONG> still bypass TMS filtering and reach user inboxes.</P> </LI> <LI> <P>These emails are logged in <STRONG>Splunk</STRONG> from TMS.</P> </LI> <LI> <P>We want to integrate <STRONG>Splunk → XSOAR → TMS</STRONG> so that:</P> <OL> <LI> <P>Emails that bypass TMS are analyzed in XSOAR.</P> </LI> <LI> <P>XSOAR classifies them as <STRONG>phishing</STRONG>, <STRONG>spam</STRONG>, or <STRONG>malware</STRONG>.</P> </LI> <LI> <P>Based on the classification, XSOAR sends an <STRONG>action back to TMS</STRONG> via API (block sender/domain or quarantine email).</P> </LI> </OL> </LI> </UL> <HR /> <H3><STRONG>The Challenge</STRONG></H3> <P>The email volume is extremely high. In one hour, there can be <STRONG>over 100,000 events</STRONG> from TMS logs.</P> <P>As XSOAR is <STRONG>incident-driven</STRONG>, each fetched event will be created as an <STRONG>incident</STRONG> before the playbook runs.<BR />If we let all these events become incidents, the system will consume a huge amount of resources, which is not efficient since our main goal is only to <STRONG>identify and take action</STRONG> on malicious/spam emails.</P> <P>We want to know:</P> <UL> <LI> <P>Is there a way to <STRONG>pre-filter</STRONG> or <STRONG>batch process</STRONG> these events <STRONG>before</STRONG> they are turned into incidents?</P> </LI> <LI> <P>Can XSOAR fetch from Splunk (or API) using <STRONG>query filters</STRONG> to reduce the number of incidents created?</P> </LI> <LI> <P>Is there a recommended <STRONG>best practice</STRONG> for handling high-volume events like this in XSOAR?</P> </LI> </UL> <PRE><CODE class="language-json"> </CODE></PRE> <HR /> <H3><STRONG>Expected Outcome</STRONG></H3> <UL> <LI> <P>Reduce incoming email events so that XSOAR only processes those with a <STRONG>high probability spam</STRONG>.</P> </LI> <LI> <P>Possibly <STRONG>group multiple events</STRONG> into a single incident for batch processing.</P> </LI> <LI> <P>Still be able to send final actions (block/quarantine) back to TMS after classification.</P> </LI> </UL> <P>Any guidance, suggestions, or reference playbooks from the community would be highly appreciated.</P> <P>Thanks in advance!</P> Thu, 14 Aug 2025 09:48:51 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/how-to-handle-high-volume-email-events-in-xsoar-without/m-p/1235988#M4130 A.MuharramIshaq 2025-08-14T09:48:51Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/how-to-handle-high-volume-email-events-in-xsoar-without/m-p/1237930#M4147 <P>You can use preprocess rules sections and filter out the similar events based on certain fields.&nbsp;<BR />Ensure that the fields are mapped correctly through the mapper.</P> Sun, 14 Sep 2025 18:05:01 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/how-to-handle-high-volume-email-events-in-xsoar-without/m-p/1237930#M4147 pagnihot 2025-09-14T18:05:01Z