IdentifyAttachedEmail

Identify whether the incident includes an email message attached as an eml or msg file and return the answer to playbook. Also saves the identified entry ID to context for use for later. Commonly used in automated playbooks that handle phishing reports sent to a special phishing mailbox set up by the security team.

python · Common Scripts

Source

import demistomock as demisto
from CommonServerPython import *

# file info types which identify emails
CONFIDENT_EMAIL_INFOS = {
    "cdfv2 microsoft outlook message",
    "rfc 822 mail",
    "smtp mail",
    "multipart/signed",
    "news or mail text",
}

EMAIL_FILE_TYPES = ("eml", "eml}", "message/rfc822")


# IMPORTANT: If you modify the logic here make sure to update ParseEmailFiles too
def is_email(file_metadata: dict, file_name: str) -> bool:
    file_info = file_metadata.get("info", "").strip().lower()
    file_name = file_name.strip().lower()
    file_type = file_metadata.get("type", "").strip().lower()
    return any(
        (
            not file_info and file_type in EMAIL_FILE_TYPES,
            not file_type and any(info in file_info for info in CONFIDENT_EMAIL_INFOS),
            file_type in EMAIL_FILE_TYPES and any(info in file_info for info in CONFIDENT_EMAIL_INFOS),
            file_name.endswith(".eml") and ("text" in file_info or file_info == "data"),
            file_name.endswith(".msg")
            and ("composite document file v2 document" in file_info or "cdfv2 microsoft outlook message" in file_info),
        )
    )


def get_email_entry_id(entry: dict) -> None | str:
    """
    Return entry ID if this is an email entry otherwise None

    Arguments:
        entry {dict} -- Entry object as returned from getEntries or getEntry
    """
    if isinstance(entry, dict):
        file_metadata = entry.get("FileMetadata", {})
        name = entry.get("File", "")
        if is_email(file_metadata, name):
            return entry.get("ID")
    return None


def identify_attached_mail(args):
    entries: list[dict] = []
    entry_ids = args.get("entryid")
    if entry_ids:
        if isinstance(entry_ids, STRING_TYPES):
            # playbook inputs may be in the form: [\"23@2\",\"24@2\"] if passed as a string and not array
            entry_ids = entry_ids.strip().replace(r"\"", '"')  # type:ignore
        entry_ids = argToList(entry_ids)

        if is_xsiam_or_xsoar_saas():
            entry_ids_str = ",".join(entry_ids)
            entries = demisto.executeCommand("getEntriesByIDs", {"entryIDs": entry_ids_str})
        else:
            for ent_id in entry_ids:
                res = demisto.executeCommand("getEntry", {"id": ent_id})
                if not is_error(res):
                    entries.append(res[0])
    else:
        entries = demisto.executeCommand("getEntries", {"filter": {"categories": ["attachments"]}})

    if not entries:
        return "no", None

    entry_ids = list(filter(None, map(get_email_entry_id, entries)))
    if entry_ids:
        # leave the following comment as server used it to detect the additional context path used beyond the condition values
        # demisto.setContext('reportedemailentryid', id)
        return "yes", {"reportedemailentryid": entry_ids}

    return "no", None


def main():
    args = demisto.args()
    result, outputs = identify_attached_mail(args)
    return_outputs(result, outputs, result)


if __name__ in ["__main__", "builtin", "builtins"]:
    main()

README

Identify whether the incident includes an email message attached as an eml or msg file and return the answer to playbook.
Also saves the identified entry ID to context for use for later.
Commonly used in automated playbooks that handle phishing reports sent to a special phishing mailbox set up by the security team.

Script Data


Name Description
Script Type python2
Tags phishing, email, Condition
Cortex XSOAR Version 5.0.0

Used In


This script is used in the following playbooks and scripts.

  • Process Email - Core
  • Process Email - Core v2
  • Process Email - Generic
  • Process Email - Generic v2

Inputs


Argument Name Description
entryid Specific entryid to check if it is an email attachment. If not specified will check all entries of the incident.

Outputs


Path Description Type
yes If incident contains an email attachment. Unknown
no If incident does not contain an email attachment Unknown
reportedemailentryid The entry IDs of the email attachments found. String