In this section we walk through an example of an alert being ingested into the Chronicle SOAR platform.

  1. Insert a malicious email into the platform.
  2. Copy the text below and send it as an email from another user:

    Subject: Your New Salary Notification

    Email body:
    Hello, You have an important email from the Human Resources Department with regards to your December 2018 Paycheck
    This email is enclosed in the Marquette University secure network.
    Access the documents here http://markossolomon.com/F1q7QX.php
    Ensure your login credentials are correct to avoid cancellations
    Faithfully
    Human Resources
    University of California, Berkeley

  3. Navigate to the “Testing” tab and test your connector by clicking the “Run connector once” button; view the result in the “Output” section on the right.
    If the connector runs successfully you will see an alert consisting of a single unread email message that the connector ingested (make sure there is an unread email in your mailbox, otherwise no sample alert is inserted).
  4. You can see a preview of the email by clicking on the preview icon.
  5. After the sample alert has been ingested via “Run connector once”, load it into the case queue by selecting the alert and clicking the “Load to system” button.
  6. Navigate to the “Cases” tab and view the case you have ingested into the Chronicle SOAR platform.
  7. The connector has translated the email data into Chronicle SOAR data, so the alert now appears in the case queue under the “Cases” tab.

When the case first appears in the system it is not yet mapped and modeled; this is done in the next step.

Next, we will see how each field in the code corresponds to the relevant field presented in the context details in the platform itself. Click on the alert to view the Alert Context details on the right.

The field in the code                                  The field in the platform

alert_info.name = email_message_data['Subject']        The subject of the email message: “YOUR NEW SALARY NOTIFICATION”
alert_info.rule_generator = RULE_GENERATOR_EXAMPLE     The name of the SIEM rule that caused the alert to be created
alert_info.ticket_id = f"{alert_id}"                   The unique id of the email message
alert_info.display_id = f"{alert_id}"                  The unique id of the email message
alert_info.device_product = PRODUCT                    As defined in CONSTANTS: PRODUCT = "Mail"
alert_info.device_vendor = VENDOR                      As defined in CONSTANTS: VENDOR = "Mail"
alert_info.start_time = datetime_in_unix_time          The time the email message was received
alert_info.end_time = datetime_in_unix_time            The time the email message was received
alert_info.priority = 60                               As defined for this alert: Informative = -1, Low = 40, Medium = 60, High = 80, Critical = 100
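To make the mapping concrete, here is an added example (not the tutorial's or the connector's own code) that builds the same alert fields from a constructed raw copy of the sample email using only the Python standard library. A plain dict stands in for the platform's AlertInfo object; the value of RULE_GENERATOR_EXAMPLE, the sender/recipient/Date/Message-ID headers, and the use of epoch milliseconds for the timestamps are assumptions.

```python
import email
from email import policy
from email.utils import parsedate_to_datetime

# Constants as the tutorial defines them. The value of RULE_GENERATOR_EXAMPLE
# is an assumption; the page only shows the constant's name.
PRODUCT = "Mail"
VENDOR = "Mail"
RULE_GENERATOR_EXAMPLE = "Unread mailbox message"  # assumed value
PRIORITY = {"Informative": -1, "Low": 40, "Medium": 60, "High": 80, "Critical": 100}

# Constructed sample: the tutorial's lure as a raw RFC 5322 message.
# Sender, recipient, Date and Message-ID are made up for this example.
SAMPLE_RAW_EMAIL = """\
From: hr-notice@example.com
To: analyst@example.com
Subject: Your New Salary Notification
Date: Mon, 03 Dec 2018 09:15:00 +0000
Message-ID: <20181203091500.sample@example.com>
Content-Type: text/plain; charset="utf-8"

Hello, You have an important email from the Human Resources Department
with regards to your December 2018 Paycheck.
"""


def build_alert_info(raw_email: str, priority: str = "Medium") -> dict:
    """Return the fields the tutorial maps, keyed by AlertInfo attribute name."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    # The message's unique id (Message-ID without angle brackets) is used for
    # both ticket_id and display_id, exactly as in the mapping above.
    alert_id = str(msg["Message-ID"]).strip("<>")
    # Received time as epoch milliseconds (assumption: the platform expects ms).
    received = parsedate_to_datetime(str(msg["Date"]))
    datetime_in_unix_time = int(received.timestamp() * 1000)
    return {
        "name": str(msg["Subject"]),
        "rule_generator": RULE_GENERATOR_EXAMPLE,
        "ticket_id": f"{alert_id}",
        "display_id": f"{alert_id}",
        "device_product": PRODUCT,
        "device_vendor": VENDOR,
        "start_time": datetime_in_unix_time,
        "end_time": datetime_in_unix_time,
        "priority": PRIORITY[priority],
    }
```

Swapping the priority argument (e.g. "Critical") shows how the same email would be scored differently by the connector's priority constants.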