Question

Create cases in SecOps based on received emails

  • May 11, 2026
  • 6 replies
  • 86 views

0xM4XDF1R

Hi!

 

Is it possible to create cases in SecOps based on emails received in O365?

Any experiences?

6 replies

cmorris
Staff
  • Staff
  • May 11, 2026

Yes, use the connector from the Microsoft Graph Mail integration - https://docs.cloud.google.com/chronicle/docs/soar/marketplace-integrations/microsoft-graph-mail#microsoft_graph_mail_connector. I have seen a few uses of the connector to monitor and ingest alerts from mailboxes used for forwarding security incidents and phishing emails.


0xM4XDF1R
  • Author
  • Bronze 2
  • May 12, 2026

Seems to work fine! But are you able to append additional replies / email thread to the same case?

 


cmorris
Staff
  • Staff
  • May 12, 2026

If you configure Alerts Grouping, I would think that should group follow-up replies into the same case as separate alerts. As it is an email, rather than something like a CS EDR alert, we would not have a Sync job like exists in some of the EDR integrations (ex. - https://docs.cloud.google.com/chronicle/docs/soar/marketplace-integrations/crowdstrike-falcon#sync-alerts).
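
Grouping replies into one case needs a value that stays the same across a mail thread. The sketch below is an added example, not code from this thread or from the integration: it derives such a key from the standard `References` / `In-Reply-To` / `Message-ID` headers. The function names and sample messages are constructed, and whether the connector exposes these headers as a field that Alerts Grouping can use is an assumption to verify in your own environment.

```python
import hashlib
import re
from collections import defaultdict
from email import message_from_string

MSG_ID = re.compile(r"<[^<>\s]+>")
REPLY_PREFIX = re.compile(r"^(\s*(re|fw|fwd)\s*:\s*)+", re.I)

# Constructed sample messages (not real mail): one three-message thread, one unrelated mail.
SAMPLES = [
    "Message-ID: <a1@example.com>\nSubject: Suspicious invoice\n\nbody",
    "Message-ID: <b2@example.com>\nIn-Reply-To: <a1@example.com>\nReferences: <a1@example.com>\nSubject: RE: Suspicious invoice\n\nbody",
    "Message-ID: <c3@example.com>\nIn-Reply-To: <b2@example.com>\nReferences: <a1@example.com> <b2@example.com>\nSubject: RE: RE: Suspicious invoice\n\nbody",
    "Message-ID: <d4@example.com>\nSubject: Password reset\n\nbody",
]

def thread_key(raw):
    """Return a stable 16-hex-char key for the conversation a raw message belongs to."""
    msg = message_from_string(raw)
    # References lists ancestors oldest-first, so its first id is the thread root.
    # In-Reply-To alone names only the parent, so deep threads without References may split.
    for header in ("References", "In-Reply-To", "Message-ID"):
        ids = MSG_ID.findall(msg.get(header, ""))
        if ids:
            root = ids[0]
            break
    else:
        # No usable ids: fall back to the subject with reply/forward prefixes removed.
        root = REPLY_PREFIX.sub("", msg.get("Subject", "")).strip().lower()
    # These headers are sender-controlled: use the key to group alerts, not to trust them.
    return hashlib.sha256(root.encode()).hexdigest()[:16]

def group_by_thread(raw_messages):
    """Map thread key -> list of subjects, i.e. which mails would share a case."""
    cases = defaultdict(list)
    for raw in raw_messages:
        cases[thread_key(raw)].append(message_from_string(raw)["Subject"])
    return dict(cases)

if __name__ == "__main__":
    for key, subjects in group_by_thread(SAMPLES).items():
        print(key, subjects)
```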


GromeroSec
  • Bronze 2
  • June 4, 2026

I did that using the POP3/IMAP connector. I created a rule in the inbox so that if certain conditions are met, such as specific strings in the subject or body, the email is moved to a specific folder. I do this outside the SOAR. Then, I configured the connector to check only that specific folder in the mail account.

I’ll write an article explaining it when I have some free time. 😀


mccrilb
  • Silver 2
  • June 4, 2026

I use the MS Graph Connector to ingest from specific inbox folders for our email address that we assigned for the SOAR. There is an ingest configured for each folder. I created rules to move the emails to the correct folder. And a playbook triggers on the ingest, and based upon the folder that is ingested, the playbook performs specific actions.


GromeroSec
  • Bronze 2
  • June 5, 2026

hahaha @mccrilb Are we sure we don’t already work at the same company?