Usually, in the companies where we run security operations, we find a mailbox named irt, cert, csirt etc. where all incidents arrive and which is also used to communicate with users.
With the new (good!) policies it is no longer possible to connect to the mail account over IMAP, so we are not able to retrieve incidents that way.
In this account we normally find:
firewall / IPS alerts
incident notifications from various sources (including humans)
So we developed a script using Google Apps Script that sends every message arriving in the mailbox to our TheHive (incident response platform).
Using the content of the subject and body, it detects the case template (Phishing, Antivirus, Vulnerability, Locked account, ...) and imports all observables such as IP, URL, DOMAIN and HASH so they can be analyzed with Cortex.
To capture the whole thread, including replies from users, it uses the References header to link them to the same case.
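The three pieces of logic described above (template detection from subject and body, observable extraction, and thread correlation via the References header) as an added example in plain JavaScript, so it runs under Node for testing and inside the Google Apps Script V8 runtime unchanged. This is not the original script: the keyword lists, function names, the constructed sample messages and the sketch of the TheHive call (endpoint path and fields) are assumptions to adapt to your environment.

```javascript
// Added example, not the original forwarder. Keyword rules, names and the
// TheHive call sketch are illustrative assumptions.

// Case template rules: first matching rule wins, so order them from specific to generic.
const TEMPLATE_RULES = [
  { template: 'Phishing',       words: ['phishing', 'phish', 'suspicious mail', 'credential'] },
  { template: 'Antivirus',      words: ['antivirus', 'malware', 'quarantine', 'trojan'] },
  { template: 'Vulnerability',  words: ['vulnerability', 'cve-', 'patch', 'exposure'] },
  { template: 'Locked account', words: ['locked', 'lockout', 'account disabled'] },
];

function classifyTemplate(subject, body) {
  const text = (subject + ' ' + body).toLowerCase();
  for (const rule of TEMPLATE_RULES) {
    if (rule.words.some((w) => text.includes(w))) return rule.template;
  }
  return 'Generic'; // fallback template for mail that matches no rule
}

// Observable patterns (IP, URL, DOMAIN, HASH). Hash covers sha256 / sha1 / md5 lengths.
const RE_URL    = /https?:\/\/[^\s<>"')]+/gi;
const RE_IP     = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;
const RE_HASH   = /\b[a-f0-9]{64}\b|\b[a-f0-9]{40}\b|\b[a-f0-9]{32}\b/gi;
const RE_DOMAIN = /\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b/gi;
const RE_IP_ONLY = /^(?:\d{1,3}\.){3}\d{1,3}$/;

function isValidIp(ip) {
  return ip.split('.').every((o) => Number(o) <= 255);
}

// Returns TheHive-style observables [{dataType, data}], de-duplicated.
function extractObservables(text) {
  const found = [];
  const seen = new Set();
  const add = (dataType, data) => {
    const key = dataType + ':' + data.toLowerCase();
    if (!seen.has(key)) { seen.add(key); found.push({ dataType, data }); }
  };
  for (const u of text.match(RE_URL) || []) {
    add('url', u);
    const host = /^https?:\/\/([^\/:?#]+)/i.exec(u);  // also file the URL's host as a domain
    if (host && !RE_IP_ONLY.test(host[1])) add('domain', host[1].toLowerCase());
  }
  (text.match(RE_IP) || []).filter(isValidIp).forEach((ip) => add('ip', ip));
  (text.match(RE_HASH) || []).forEach((h) => add('hash', h.toLowerCase()));
  // Blank out URLs and IPs before scanning for bare domains, so hostnames inside
  // URLs are not counted twice and dotted IPs are not mistaken for domains.
  const bare = text.replace(RE_URL, ' ').replace(RE_IP, ' ');
  (bare.match(RE_DOMAIN) || []).forEach((d) => add('domain', d.toLowerCase()));
  return found;
}

// Thread correlation: every mail in a thread carries the first mail's Message-ID
// as the first entry of References, so that ID is the key shared by the whole case.
function threadKey(headers) {
  const refs = (headers['References'] || '').match(/<[^>]+>/g);
  if (refs && refs.length) return refs[0];
  const inReplyTo = (headers['In-Reply-To'] || '').match(/<[^>]+>/);
  if (inReplyTo) return inReplyTo[0];
  return (headers['Message-ID'] || '').trim();  // first mail of a new thread
}

function buildCase(msg) {
  return {
    title: msg.subject.replace(/^((re|fwd?):\s*)+/i, '').trim(),
    template: classifyTemplate(msg.subject, msg.body),
    threadKey: threadKey(msg.headers),
    observables: extractObservables(msg.subject + '\n' + msg.body),
  };
}

// Constructed sample mails (not real alerts): an IPS alert and a user's reply to it.
const SAMPLE_ALERT = {
  headers: { 'Message-ID': '<alert-001@ips.example.local>' },
  subject: 'IPS alert: phishing page reported',
  body: 'User reported http://login-verify.example.net/auth from 203.0.113.45\n' +
        'attachment sha256 ' + 'a'.repeat(64) + '\nsender domain example.org',
};
const SAMPLE_REPLY = {
  headers: {
    'Message-ID': '<reply-002@mail.example.com>',
    'In-Reply-To': '<alert-001@ips.example.local>',
    'References': '<alert-001@ips.example.local>',
  },
  subject: 'Re: IPS alert: phishing page reported',
  body: 'Confirmed, I clicked it. Also saw 203.0.113.45 in the logs.',
};

// Apps Script glue (assumed shape, never called here): read unread mail, build the
// case, look up the threadKey in your own store, then create or update in TheHive.
function forwardMailbox(theHiveUrl, apiKey) {
  for (const thread of GmailApp.search('is:unread')) {
    for (const m of thread.getMessages()) {
      const c = buildCase({ headers: { 'Message-ID': m.getHeader('Message-ID'),
        'References': m.getHeader('References') }, subject: m.getSubject(), body: m.getPlainBody() });
      UrlFetchApp.fetch(theHiveUrl + '/api/case', { method: 'post', contentType: 'application/json',
        headers: { Authorization: 'Bearer ' + apiKey }, payload: JSON.stringify(c) });
    }
  }
}
```

The bare-domain regex is deliberately loose and will also pick up filenames like invoice.pdf; filter common extensions or let the analyst discard them in TheHive rather than tightening the pattern until real domains are missed. Keep a mapping from threadKey to TheHive case id (a spreadsheet or the script properties store works) so replies become tasks or observables on the existing case instead of new cases.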