This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Setting up classification & mapping for email ingest

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Setting up classification & mapping for email ingest

ce13
L1 Bithead

‎08-06-2022 03:51 AM

Hi,

 

Here are two different emails subject:

1. Test email - Phishing Email

2. Test email - Ping

 

Two playbooks:

1. Phishing Email

2. Ping

 

Currently I have setup two instances of integration "Mail Listener v2" with corresponding incident types so that phishing email will go to  playbook - phishing email and ping email will go to playbook - ping. 

 

I am looking for setting one instance of integration "Mail Listener v2" and using classification and mapping to send the alerts into different playbooks by keywords in subject. What I am trying to do is if the email subject contains "Phishing Email" and sender is from specific sender, then it will be sent to playbook - Phishing email", and similar actions for ping.

 

Does anyone know if this is possible or I have to keep using two instances for this setup? Thanks.

0 Likes Likes
1 REPLY 1

chrking
L3 Networker

‎08-07-2022 06:04 PM

What you're trying to do is definitely possible with a single Mail Listener + classifier, but you may need to rethink your classification logic.

 

The classifier expects that a single field (+ filter + transformer set) will produce a (mostly) fixed list of values, and those values can be mapped onto incident types. This is simple and easy to do based solely on sender or receiver email addresses - each email address value goes to a different incident type. More complex logic (e.g. "it has X in the subject AND ...") may be possible, but you'd essentially need to fight to fit it within the classifier design, rather than it fitting neatly.

 

Also, since you only get a single mapper object per mail listener, if you are currently using two different mappers you'll need to combine the mappers you're currently using into a single mapper. Mappers can have incident-type-specific mappings so you won't lose any custom logic in this process but it will be a little bit of extra work.

0 Likes Likes
  • 1335 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks