02-12-2026 12:08 AM
In XSIAM, we need a way for analysts to send email updates at different stages of an incident — like when it is received, contained, and recovered.
Each case should have its own email chain that includes all previous emails for that case.
To support this, we have added a button in the case template where analysts can write and send emails. When they send emails from the same case, it should continue the email chain instead of sending separate, new emails each time.
Does anyone know how to set this up? Or is there a content pack in XSIAM that can help?
02-12-2026 04:31 AM - edited 02-15-2026 07:55 PM
Hello! openskycc
In XSIAM, you can set this up by linking the “Send Email” button in your case template to a playbook that uses the same incident ID and references the original message ID, so each update continues the same thread. Communication‑related content packs in the Cortex Marketplace (email integrations and incident communication workflows) can help, but if none fit exactly, you can adapt an existing email playbook to ensure all emails from a case stay in one chain.
02-15-2026 11:09 PM
Hi ..I tried using the “Send Email” option, but it isn’t working and the original message ID isn’t available. If you have tested this earlier, could you pls share more details, maybe with screenshots?
From the Cortex Marketplace, I'm unable see email integrations or incident communication workflows. Any help would be appreciated.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
