FortiSOAR Knowledge Base
FortiSOAR: Security Orchestration and Response software provides innovative case management, automation, and orchestration. It pulls together all of an organization's tools, helps unify operations, and reduce alert fatigue, context switching, and the mean time to respond to incidents.
snikam
Staff
Article Id 240748
Description This article describes how to use the Email Notification Service (listener based ingestion) of the Exchange connector.
Scope FortiSOAR Exchange Connector.
Solution

The Email Notification Service (Listener based ingestion) is a service which allows users to trigger ingestion of unread emails from a specific folder as soon as they hit the mailbox.

 

To configure it:

  1. Configure the Exchange connector and select the Configure Data Ingestion button.
  2. Make sure the folder intended for monitoring has at least one unread email.
  3. Select the folder from the drop-down menu (or enter the folder name in the Source field if a custom folder is in use) and select Fetch Data.
  4. Once the data has been fetched, add or edit the mapping as appropriate and select Next. Do not schedule the ingestion; select Next again.

Note: Playbook links can be seen on the summary page. Optionally, open the ingest playbook in a new tab.

  5. Save the data ingestion settings.
  6. On the Exchange connector configuration page, select the 'Enable Email Notification Service' checkbox.
  7. In the 'Folder Path to Monitor' field, enter the same folder name that was entered in the ingestion wizard.
  8. Add a custom listener port (or keep the default).
  9. Fill in the 'Playbook Trigger' field. This field specifies the API trigger of the 'Ingest' playbook from the respective ingestion collection.
  10. Save the configuration.

 

Troubleshooting Steps


On the FortiSOAR command line, log in over SSH as the root user.

  1. Check whether the listener has started on the configured port with the following command:


# lsof -i:<port given in the configuration>

  2. Update the log level of the listener in notify_email.py.

 

In FortiSOAR version 7.3.0 or above:


# vi /opt/cyops/configs/integrations/connectors/exchange_4_0_0/scripts/notify_email.py

In version 7.2.2 or below:


# vi /opt/cyops-integrations/integrations/connectors/exchange_4_0_0/scripts/notify_email.py


Update the logger level to DEBUG by changing logging.ERROR to logging.DEBUG in the following line of the notify_email.py file:


logger.setLevel(logging.ERROR)

 

Then save the file and restart uwsgi:


# systemctl restart uwsgi

  3. Check the listener logs. The listener logs provide details such as the following:
  • Whether the listener is still active (an active listener writes a log line every minute to the log file below)
  • Which folder the listener is monitoring
  • A count of unread emails

Log file location:

 

/var/log/cyops/cyops-integrations/exchange/exchange_listener.log
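The three troubleshooting steps above can be scripted. The following health check is an added example, not part of this article or of the connector's own code. It replaces `lsof -i:<port>` with a TCP connect to the configured port, reads the level set on the `logger.setLevel(...)` line of notify_email.py, and treats the listener log as stale if it has not been written for a few minutes (an active listener logs once per minute). The file paths are the 7.3.0+ paths quoted above; the default port value is a placeholder, since the article does not state the default.

```python
"""Health check for the Exchange connector's Email Notification Service.

Added example (not FortiSOAR or connector code). Automates the three
troubleshooting steps from the article: port check, logger level, log freshness.
"""
import os
import re
import socket
import time
from typing import Optional

# Paths quoted in the article for FortiSOAR 7.3.0 and above; 7.2.2 uses
# /opt/cyops-integrations/integrations/... for the script instead.
NOTIFY_EMAIL_PY = "/opt/cyops/configs/integrations/connectors/exchange_4_0_0/scripts/notify_email.py"
LISTENER_LOG = "/var/log/cyops/cyops-integrations/exchange/exchange_listener.log"

# Matches the line the article tells you to edit, e.g. logger.setLevel(logging.ERROR)
LEVEL_RE = re.compile(r"logger\.setLevel\(logging\.([A-Z]+)\)")


def port_is_listening(port: int, host: str = "127.0.0.1", timeout: float = 1.0) -> bool:
    """Equivalent of `lsof -i:<port>`: True if a TCP connect to the port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def configured_log_level(source: str) -> Optional[str]:
    """Return the level name from the logger.setLevel(...) line, or None if absent."""
    match = LEVEL_RE.search(source)
    return match.group(1) if match else None


def log_is_fresh(path: str, max_age_seconds: int = 180, now: Optional[float] = None) -> bool:
    """True if the log was modified within max_age_seconds.

    The listener writes a line every minute while active, so a log file older
    than a few minutes means the listener has stopped or never started.
    A missing file counts as stale.
    """
    try:
        mtime = os.path.getmtime(path)
    except OSError:
        return False
    current = time.time() if now is None else now
    return (current - mtime) <= max_age_seconds


def health_report(port: int, script_path: str = NOTIFY_EMAIL_PY, log_path: str = LISTENER_LOG) -> dict:
    """Run all three checks and return the findings (no changes are made)."""
    level = None
    if os.path.exists(script_path):
        with open(script_path, encoding="utf-8") as fh:
            level = configured_log_level(fh.read())
    return {
        "port_listening": port_is_listening(port),
        "log_level": level,          # None if the script or the setLevel line is missing
        "log_fresh": log_is_fresh(log_path),
    }


if __name__ == "__main__":
    import json
    import sys

    # Placeholder default: pass the port from the connector configuration as argv[1].
    listener_port = int(sys.argv[1]) if len(sys.argv) > 1 else 8000
    print(json.dumps(health_report(listener_port), indent=2))
```

Run it on the FortiSOAR host as root with the listener port from the connector configuration; `"log_fresh": false` together with `"port_listening": true` usually means the process is up but is not polling the folder, which is the case where raising the level to DEBUG and reading exchange_listener.log is most useful.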

 

Multiple Configuration Support
Users can run multiple notification services, one for each configuration. In this case, a separate ingestion playbook collection is created for each configuration.


Consider an example where there are two configurations which are using the Email Notification Service:

  1. config1 with "Playbook Trigger" entered as fetch_emails_exchange_inbox to monitor the Inbox folder
  2. config2 with "Playbook Trigger" entered as fetch_emails_exchange_draft to monitor the Draft folder


Here, it is necessary to update the API trigger specified at the trigger (start) step of each ingest playbook so that it matches the 'Playbook Trigger' field of the respective configuration.

This ensures that each configuration triggers its own ingestion playbook.

Open the ingestion playbook of the config1 collection.
Open the start step and update the Route field to 'fetch_emails_exchange_inbox' and save the playbook.

Similarly, open the ingest playbook of the config2 collection.
Open the start step and update the Route field to 'fetch_emails_exchange_draft' and save the playbook.
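The rule in this section is easy to get wrong when several collections are cloned from the same ingestion wizard: two playbooks left with the same Route, or a configuration whose trigger no Route matches, means one folder's emails silently go to the wrong playbook or to none. The check below is an added example, not from this article or the connector, that validates the mapping before the configurations are saved. The configuration and playbook records are constructed to mirror the config1/config2 example above; the field names ("playbook_trigger", the collection names) are assumptions.

```python
"""Consistency check for multiple Email Notification Service configurations.

Added example (not FortiSOAR or connector code). Rules enforced:
  * every configuration's 'Playbook Trigger' equals the Route of exactly one
    ingest playbook start step;
  * no two configurations share a trigger (otherwise both folders feed one playbook).
"""
from typing import Dict, List

# Constructed: connector configurations as entered in the connector UI.
CONFIGS = [
    {"name": "config1", "folder": "Inbox", "playbook_trigger": "fetch_emails_exchange_inbox"},
    {"name": "config2", "folder": "Draft", "playbook_trigger": "fetch_emails_exchange_draft"},
]

# Constructed: the Route field on the start step of each collection's ingest playbook.
PLAYBOOK_ROUTES = {
    "config1 collection": "fetch_emails_exchange_inbox",
    "config2 collection": "fetch_emails_exchange_draft",
}


def check_triggers(configs: List[Dict[str, str]], routes: Dict[str, str]) -> List[str]:
    """Return a list of human-readable problems; an empty list means the mapping is consistent."""
    problems: List[str] = []

    # Invert the playbook map: route -> collections that use it.
    route_owners: Dict[str, List[str]] = {}
    for collection, route in routes.items():
        route_owners.setdefault(route, []).append(collection)

    seen_triggers: Dict[str, str] = {}  # trigger -> first config that used it
    for cfg in configs:
        trigger = cfg["playbook_trigger"]
        if trigger in seen_triggers:
            problems.append(
                f"{cfg['name']} and {seen_triggers[trigger]} share trigger '{trigger}'"
            )
        seen_triggers.setdefault(trigger, cfg["name"])

        owners = route_owners.get(trigger, [])
        if not owners:
            problems.append(f"{cfg['name']}: no ingest playbook has Route '{trigger}'")
        elif len(owners) > 1:
            problems.append(
                f"{cfg['name']}: Route '{trigger}' is set on {len(owners)} playbooks: {owners}"
            )
    return problems


if __name__ == "__main__":
    for line in check_triggers(CONFIGS, PLAYBOOK_ROUTES) or ["OK: triggers and routes are consistent"]:
        print(line)
```

With the constructed records the check passes; if the config2 collection's start step were left at the inbox route, the check would report both that config2's trigger has no playbook and that the inbox route is set on two playbooks.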