I have a playbook that parses emails that are attached to an incident. The code is from Parse Utilities Function for SOAR app. The issue I'm having with this is that all attachments from the email are added as an artifact, meaning I can't download it or run any playbooks meant for email attachments. I have to download the email then manually get all the attachments and upload them to SOAR.

Is there any way to convert an artifact of type "email attachment" to attachment? Alternatively, maybe someone has a code that would extract the attachments and add them as attachments instead of artifacts?

I tried using the code for adding an attachment from Email parsing script for incoming emails, but it doesn't work as I'm parsing an attachment not an "Email Message"

Hi Maria

Will reach out to the team for advice

Regards

John

Hi Maria,

Unfortunately, there isn't a way to create an attachment within an email parsing script. That would be the most straightforward approach if it existed.

It should be possible to develop a new function in the SOAR Utilities app to read the contents of an artifact and, with the existing string_to_attachment function, place those contents into an attachment. Then, a playbook can be written to trigger when an artifact of type Email Attachment is created to move that content into an attachment. 

I will add that development to our request for enhancements.

Dear Mark Scherfling we are facing the same issue, where we get artifact from email parser , as email attachment but we are unable to send the same to sandbox file analysis, its says no content. Please tell us the way either to save artifact as proper files in artifacts from email .

or we call a function to save them as attachments. if the artifact files are uploaded manually as email attachment i am able to sandbox them, but with the email parser, as artifact i am unable to send the file to sandbox, question2: how to save file contents in artifacts from email parser function