I originally posted this on Reddit, and it was suggested that I bring this over here to see if we might be able to get some more feedback on the issue. (Original Reddit Post)
Here is a copy/paste of what I put in that original post.
I realize that I may be asking for something that's just not easily done.
We have an MSSP that uses ConnectWise, and we are finding that there are quite a few emails that we wind up getting sent from them. Most of the emails/tickets from them have to do with their analysis on emails reported via the "Cofense Phish Report" button, occasionally some emails related to intervention needed in regards to our EDR client that they manage as well.
Since the emails regarding the Phishing analysis can be handled by more than one of us, plus it would be nice to have some analytics - we were trying to get it so that basically when the email/ticket was sent out via their ConnectWise, it would go into iIQ.
Initially the two systems of course started emailing each other back and forth causing all sorts of issues. So we got around that (hopefully), by having them actually create a locally authenticated user for iIQ and configured all of the email settings to prevent alerting or anything like that.
After they made that change, at least for the previously opened tickets, we started getting all sorts of errors, which apparently we were not able to replicate when I contacted iIQ for support on the matter. The error message is in the quote block below.
> Your email with the subject Your open ticket #110099 Ticket System Integration could not be parsed by IncidentIQ. The reason it failed is: RelatedTicketDetail is invalid. Please verify the FROM email address matches the username or email you have registered in IncidentIQ, and that you are sending the email to the correct address.
So, I am basically wondering if it's not really worth it, as much as that would be nice, because we are trying to make the system do something it's not really wanting to do??? Or is it just perhaps a minor adjustment to the email to ticket rules to get things working the way we want?
Over at Reddit the suggestion was to use tickets@[districtname].incidentiq.com as the target email address.
I am attaching an obfuscated screenshot showing the rules that I have already built. This way I can keep flexibility for building future email to ticket rules if we wanted to.
I provided our MSSP with a custom email which is in the format of $VendorUniqueValue@$DistrictName.incidentiq.com.
The second rule uses their company's email domain as a catch-all rule.
I mean we could try and turn it on again, and see what happens, but I am just worried that we may still not get the intended results. Especially if they attempted to update the ConnectWise ticket on their end, because that would likely just create a *new* ticket in IncidentIQ, not figure out the original communication. Since I am also realizing that there is only a limited amount of customization to workflows that can be done on their end with ConnectWise without making it a significantly undue burden, I don't know if I can have them send "single and closed" alerts to our platform for *only* Cofense tickets, and keep everything else outside of iIQ.
So before I throw in the towel totally, does anyone else have any ideas?