Is it possible to ingest emails coming in via the Microsoft Graph mail connector as separate events in an existing case rather than generating a new case for each email? If so, what are the methods needed to implement this solution?
You can utilize alert grouping rules to group the individual alerts into a single case. You are also able to define some of the fields that can then be used for grouping in the connector configuration.
https://cloud.google.com/chronicle/docs/soar/investigate/working-with-alerts/alert-grouping-mechanism-admin?hl=en
Instead of grouping alerts, I am wondering if it is possible to create events under an alert.
The connector as written is set up to create Alerts for each email and its attachments and does not have the ability to change to Events per email. This is possible by customizing the connector to ingest multiple emails at a time as events and group them into a single alert as a workaround.
No you would ingest something new as an Alert (with Events being the parts that made the Alert happen to begin with).
I would ask why you want them to be different Events? Maybe the workflow is something we can analyse instead?
The customization/workaround that @TDRez mentioned is what I'm hoping to do and receive some guidance around. Should have specified that I don't expect this to be something OOTB. To answer your question, @SoarAndy I'm trying to have 1 email thread = 1 alert (and then all subsequent replies/emails under that thread as events), versus 1 email = 1 alert (which is OOTB). I have already built out something custom that effectively does this but does not group the replies to the thread under the same alert as events. Because of the volume of emails we receive, it would be easier for us to view the whole thread in the custom way I mentioned rather than the way it is handled OOTB.
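The grouping step the thread describes (one email thread = one alert, each message and each attachment in that thread = one event under it), written out as an added example. This is not the Microsoft Graph mail connector's own code and not the SOAR SDK: it is plain Python that builds alert dictionaries in the shape a custom connector would hand to the platform, with the field names (display_id, ticket_id, rule_generator, device_product, events, ...) assumed to mirror the SDK's AlertInfo object. The sample messages are constructed in the shape Graph returns from /messages; the conversationId property is what Graph assigns to a thread, and receivedDateTime orders the replies.

```python
"""Thread-per-alert grouping for Microsoft Graph mail (illustrative, not the OOTB connector)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of Graph /messages objects: two messages in thread conv-A
# (the second a reply with no attachment) and one unrelated message in conv-B.
SAMPLE_MESSAGES = [
    {"id": "msg-1", "conversationId": "conv-A", "subject": "Invoice overdue",
     "from": {"emailAddress": {"address": "billing@example.net"}},
     "receivedDateTime": "2024-05-01T09:00:00Z", "hasAttachments": True,
     "attachments": [{"name": "invoice.pdf", "contentType": "application/pdf", "size": 1024}]},
    {"id": "msg-2", "conversationId": "conv-B", "subject": "Password reset",
     "from": {"emailAddress": {"address": "it-helpdesk@example.org"}},
     "receivedDateTime": "2024-05-01T09:05:00Z", "hasAttachments": False, "attachments": []},
    {"id": "msg-3", "conversationId": "conv-A", "subject": "RE: Invoice overdue",
     "from": {"emailAddress": {"address": "alice@example.com"}},
     "receivedDateTime": "2024-05-01T09:30:00Z", "hasAttachments": False, "attachments": []},
]


def _to_epoch_ms(iso_ts):
    """Graph returns ISO-8601 UTC with a trailing Z; alert/event times are Unix milliseconds."""
    dt = datetime.strptime(iso_ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def build_events(message):
    """One 'Email' event per message plus one 'Attachment' event per attachment.

    Event keys are flat strings because the platform maps events as key/value pairs;
    the key names here are assumed, not mandated by the SDK.
    """
    ts = _to_epoch_ms(message["receivedDateTime"])
    common = {"MessageId": message["id"], "ConversationId": message["conversationId"],
              "StartTime": ts, "EndTime": ts}
    events = [dict(common, EventType="Email", Subject=message["subject"],
                   Sender=message["from"]["emailAddress"]["address"])]
    for att in message.get("attachments", []):
        events.append(dict(common, EventType="Attachment", FileName=att["name"],
                           ContentType=att["contentType"], Size=att["size"]))
    return events


def group_by_thread(messages):
    """Bucket messages by Graph conversationId and order each thread by arrival time."""
    threads = defaultdict(list)
    for m in messages:
        threads[m["conversationId"]].append(m)
    for msgs in threads.values():
        msgs.sort(key=lambda m: m["receivedDateTime"])  # same ISO format, so string order is time order
    return dict(threads)


def build_alerts(messages):
    """Return one AlertInfo-shaped dict per thread, events listed in thread order."""
    alerts = []
    for conv_id, msgs in group_by_thread(messages).items():
        events = [e for m in msgs for e in build_events(m)]
        alerts.append({
            "display_id": conv_id,            # stable per thread, so the same thread keys the same alert
            "ticket_id": conv_id,
            "name": msgs[0]["subject"],       # first message's subject names the thread
            "rule_generator": "Microsoft Graph Mail: thread",
            "start_time": events[0]["StartTime"],
            "end_time": events[-1]["EndTime"],
            "priority": 60,
            "device_vendor": "Microsoft",
            "device_product": "Microsoft Graph Mail",
            "events": events,
        })
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_MESSAGES):
        kinds = [e["EventType"] for e in alert["events"]]
        print(f'{alert["ticket_id"]}: "{alert["name"]}" -> {len(kinds)} events {kinds}')
```

Using the conversationId as the ticket_id keeps the key deterministic across connector runs, which is what makes a thread recognisable as the same thread later; how replies that arrive in a later run are attached to the already-created alert is the part this thread leaves open, and this example only covers grouping within one batch.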