Is there a way to fire a QRadar offense when an email is received for a specific email account? I've been looking around for bash scripts that would save email to a flat text file, but was wondering if anyone else has done this?
Answer by Cuong Do (31) | May 02, 2018 at 01:27 AM
Yes, you can create custom properties (sender/recipient) for the mail log source (i.e. Exchange Mailbox, Zimbra mail). The Rule Wizard supports conditions like "and when any of these event properties are contained in any of these reference set(s)"
and "and when any of these properties match this regular expression".
You should combine one of the above conditions with an event name (QID) match for mail sent/received.
If you don't want to create new custom properties, you can use the condition "and when the Event Payload contains this string".
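To make the two approaches in the answer concrete, here is an added Python emulation (not QRadar code and not from the original post) of a regex-based custom property tested against a reference set, beside the plainer "Event Payload contains this string" condition. The log format, property names (`MailSender`, `MailRecipient`), event names and mailbox addresses are all constructed for illustration.

```python
import re
from typing import Callable, List, Optional

# Constructed mail-log events (not real QRadar data). "event_name" stands in for
# the normalized event name / QID and "payload" for the raw log line.
SAMPLE_EVENTS = [
    {"id": 1, "event_name": "Message Received",
     "payload": "event=RECEIVE sender=alice@example.com recipient=soc-alerts@example.com subject=Quarterly report"},
    {"id": 2, "event_name": "Message Received",
     "payload": "event=RECEIVE sender=bob@example.com recipient=notsoc-alerts@example.com subject=Lunch"},
    {"id": 3, "event_name": "Message Sent",
     "payload": "event=SEND sender=soc-alerts@example.com recipient=carol@example.com subject=Re: Quarterly report"},
    {"id": 4, "event_name": "Message Received",
     "payload": "event=RECEIVE sender=dave@example.com recipient=SOC-Alerts@example.com subject=Outage"},
]

# Custom property definitions (hypothetical names): the first capture group is
# the property value, the way a regex-based custom event property is configured.
CUSTOM_PROPERTIES = {
    "MailSender": re.compile(r"\bsender=(\S+)"),
    "MailRecipient": re.compile(r"\brecipient=(\S+)"),
}

# Constructed reference set of monitored mailboxes, stored lower-cased so the
# comparison below is case-insensitive.
WATCHED_MAILBOXES = {"soc-alerts@example.com"}

def extract_property(payload: str, name: str) -> Optional[str]:
    """Return the custom property value, or None when the regex does not match."""
    m = CUSTOM_PROPERTIES[name].search(payload)
    return m.group(1) if m else None

def property_rule_fires(event: dict) -> bool:
    """Rule: event name is the 'received' event AND MailRecipient is in the reference set."""
    if event["event_name"] != "Message Received":
        return False
    rcpt = extract_property(event["payload"], "MailRecipient")
    return rcpt is not None and rcpt.lower() in WATCHED_MAILBOXES

def payload_rule_fires(event: dict, needle: str = "soc-alerts@example.com") -> bool:
    """Rule: 'Event Payload contains this string' (plain substring test, no field awareness)."""
    return event["event_name"] == "Message Received" and needle in event["payload"]

def matching_ids(rule: Callable[[dict], bool]) -> List[int]:
    """IDs of the sample events for which the given rule would fire."""
    return [e["id"] for e in SAMPLE_EVENTS if rule(e)]
```

Running both rules over the sample events shows the trade-off: the property-based rule matches only the monitored mailbox (including the differently-cased event 4), while the payload-contains rule misses that event and fires on the unrelated `notsoc-alerts` mailbox in event 2, since a substring test has no notion of field boundaries.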