Steps to enable Email-based Alerts Ingestion
To start ingesting alerts from your SIEM by email, you need to create a new ingestion source and enable it.
1. Go to the Administration section from the left-hand navigation bar.
2. Go to Apps > Ingestion Sources.
3. Click on Add Source.
4. Fill in the fields of the popup form as shown in the image above:
Name: Email (This can be any name to distinguish this ingestion source)
Ingestion Method: Email
Ingestion Type: Incident (Because we want to ingest alerts into our Incident Management module)
Widget Name: Leave blank
Frequency: Every 5 min
Opened By: Select a user from the dropdown (Optional)
Applications: Select the Email application
Actions: Select parse_json_format_emails
Folder Name: SIEM Alerts (This can be any folder where you will save all the alerts from SIEM in Gmail. First create this folder in your email box)
Sender Information: Any reference text that you can use in the future (Optional)
Read selective emails: Leave disabled (This option is used to configure if you want to fetch emails with a certain text in the subject.)
Prepend: Enter "[Email] " (Note the extra space at the end. This is the text that will be automatically prepended to every alert ingested through this ingestion source.)
Append: Leave blank (This is the text that will be automatically appended to every alert ingested through this ingestion source.)
5. Click the Create button to create the new ingestion source.
6. The last step after creating an ingestion source is mapping the data fields ingested from the email box to the fields available in SIRP. After you create the ingestion source, a new configuration icon appears under the Actions column. Click on the icon to configure the fields.
7. For example, below is a sample QRadar payload, sent by email when a rule was triggered:

```json
{
"RuleName": "RTX: Card Pro Stopped Sending Events",
"Source IP(s) / Hostname(s)": "172.24.3.207",
"Source Port": "0",
"Destination IP(s) / Hostname(s)": "0.0.0.0",
"Destination Port": "0",
"EventName": "Log source 'Card Pro (Reporting System) || PRI - OS @ 172.24.3.207 (172.24.3.207)' has stopped emitting events",
"EventDescription": "A device has stopped emitting events",
"Category": "Service Disruption",
"LogSourceName": "Card Pro (Reporting System) || PRI - OS @ 172.24.3.207",
"Payload": "Log source 'Card Pro (Reporting System) || PRI - OS @ 172.24.3.207 (172.24.3.207)' has stopped emitting events ",
"Attack Date": "Feb 28, 2021 7:18:04 PM PKT"
}
```

Map each SIRP field item to the matching key in the payload.
8. Configure the field mapping as shown in the following screenshot and click Save.
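To make the mapping step concrete, here is an added example (not SIRP's own parse_json_format_emails code) that parses the QRadar alert above as one email body and maps it onto incident fields. The FIELD_MAP, REQUIRED keys and the incident field names are assumptions chosen for illustration; the "[Email] " prepend is the value entered in the form.

```python
import json
from datetime import datetime

# Constructed sample: the QRadar alert above as one email body (braces assumed).
SAMPLE_EMAIL_BODY = """{
"RuleName": "RTX: Card Pro Stopped Sending Events",
"Source IP(s) / Hostname(s)": "172.24.3.207",
"Source Port": "0",
"Destination IP(s) / Hostname(s)": "0.0.0.0",
"Destination Port": "0",
"EventName": "Log source 'Card Pro (Reporting System) || PRI - OS @ 172.24.3.207 (172.24.3.207)' has stopped emitting events",
"EventDescription": "A device has stopped emitting events",
"Category": "Service Disruption",
"LogSourceName": "Card Pro (Reporting System) || PRI - OS @ 172.24.3.207",
"Payload": "Log source 'Card Pro (Reporting System) || PRI - OS @ 172.24.3.207 (172.24.3.207)' has stopped emitting events ",
"Attack Date": "Feb 28, 2021 7:18:04 PM PKT"
}"""

# Hypothetical key -> incident-field map (in SIRP this is set via the Actions icon).
FIELD_MAP = {
    "RuleName": "title",
    "Source IP(s) / Hostname(s)": "source_ip",
    "Destination IP(s) / Hostname(s)": "destination_ip",
    "Category": "category",
    "EventDescription": "description",
    "LogSourceName": "log_source",
    "Attack Date": "attack_date",
}
REQUIRED = ("RuleName", "Attack Date")  # assumed minimum for a usable alert
PREPEND = "[Email] "                     # the value entered in the Prepend field

def parse_attack_date(value: str) -> str:
    """'Feb 28, 2021 7:18:04 PM PKT' -> ISO 8601 plus the zone abbreviation,
    which is kept as text because strptime cannot resolve names like PKT."""
    date_part, _, tz = value.strip().rpartition(" ")
    return datetime.strptime(date_part, "%b %d, %Y %I:%M:%S %p").isoformat() + " " + tz

def parse_alert_email(body: str, prepend: str = PREPEND) -> dict:
    """Map one JSON alert email onto incident fields; bad JSON or a missing required key raises."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"alert body is not valid JSON: {exc}") from exc
    missing = [key for key in REQUIRED if key not in data]
    if missing:
        raise ValueError(f"alert is missing required field(s): {missing}")
    incident = {dst: str(data[src]).strip() for src, dst in FIELD_MAP.items() if src in data}
    incident["title"] = prepend + incident["title"]
    incident["attack_date"] = parse_attack_date(incident["attack_date"])
    return incident
```

A malformed or incomplete alert raises instead of producing a half-filled incident, so a broken SIEM email template shows up in the ingestion run rather than as silently empty records.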
After the ingestion source is enabled, SIRP will poll the mailbox every 5 minutes to check for new alert emails. Any alerts it finds are ingested as records in its database.
The results will be visible in the Incident Management module. The Alerts tab will list all the ingested alerts.