Basic, I think, SOAR question related to actions based on 3rd party detections
We are a Mimecast shop. We have NG-SIEM ingesting from Mimecast. We regularly get detections where Mimecast has blocked an attachment or some other successful block action. We want to have a workflow that takes the domain of the sender and add it to Zscaler.
When I create a workflow with the trigger being a 3rd Party NG-SIEM detection, I can’t find a way to have the fields exposed that I need for the action.
It’s usually something like sender.domain
I know the data is there because I can see it in the detection as well as in the raw results of a search.
This shouldn’t be this difficult!