Good Morning People
I need help with an Email Parser script. I am trying to get Proofpoint URL Defense alerts integrated with Resilient so these incidents land directly in Resilient. Before adding Proofpoint to the script we had two (2) systems integrated with Resilient — ServiceDesk and RSAM — and that was working; I am now trying to add a third application through the Email Parser.
Here is the script I need help with; I removed company-specific details for security reasons.
<?xml version="1.0" encoding="UTF-8"?>
<!-- A description of the data types can be found in the REST API documentation.
The <Query> script can access a SimpleEmailDTO that includes data from the
received email. All other elements can access SimpleEmailDTO as well as
FullIncidentDataDTO, where the incident can be an existing one if the query
was successful, or a new one created from the JSON template if it is available. -->
<MailParser xmlns="http://www.resilientsystems.com/MailParser">
<!-- Expected return type is List<ConditionDTO>, which can contain multiple
conditions to query an incident. Applicable methods for conditions can be
found at /ns0_methodName.html -->
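<Query>
<![CDATA[
// Query section: decide whether this mail should be matched against an
// existing incident. Contract (see the header comment): the script's final
// value is either a List<ConditionDTO> used to search for an incident, or
// null to skip the lookup and let the Script section fill a new incident.
//
// Fixes against the previous version:
//  - the if / else if / else chain was syntactically broken (`else (cond)`,
//    `else if {` without a condition, a missing closing brace);
//  - `logger.error(...)` in the catch block was missing its closing ")";
//  - `body.match(...)[1]` was indexed unconditionally (and outside the try),
//    so any ServiceDesk mail without an `Incident...\"` token threw instead
//    of falling back to null.
var logger = org.slf4j.LoggerFactory.getLogger('Query');
var subject = mail.subject.toString();
var result = null;

if (subject.indexOf("RSAM Privacy Notification") > -1) {
  // RSAM notifications always create a new incident; no lookup.
  result = null;
} else if (subject.indexOf("URL Defense Alert") > -1) {
  // Proofpoint URL Defense alerts always create a new incident; no lookup.
  result = null;
} else {
  // ServiceDesk (ConnectIT) mail: look for an existing incident carrying the
  // same ConnectIT number so a follow-up mail updates it instead of creating
  // a duplicate.
  logger.info("\n---STARTING QUERY SECTION in MailParser.xml ");
  try {
    var body = mail.bodyHtml;
    logger.info("After Q");
    logger.info(body);
    // `conn` is deliberately NOT declared with `var`: the Script section
    // reads this name, and the original relied on it leaking as an
    // undeclared global. TODO(review): confirm whether the engine actually
    // shares scope between sections; if not, the Script section must
    // re-derive the number itself.
    var match = (body != null) ? String(body).match("Incident(.*)\"") : null;
    conn = (match != null && match.length > 1) ? match[1].split("\"")[0] : null;
    logger.info(conn);
    // NOTE(review): the ConnectIT number comes straight from the mail body,
    // and the Script section later overwrites the description of whichever
    // incident this query matches. If mail from outside the organisation can
    // reach this mailbox, the sender chooses which incident is touched —
    // restrict the mailbox, or validate the format of `conn` before using it.
    if (conn != null && conn.length > 0) {
      logger.info("query if");
      result = [{
        "method": "contains",
        "field_name": "properties.connectit",
        "value": conn
      }];
    }
  } catch (err) {
    // Log the failure (and the error itself) and fall back to "no lookup".
    logger.error("\n#### THIS EMAIL FAILED TO PARSE PROPERLY DURING QUERY SECTION ####\n\n" + err);
    result = null;
  }
}
result;
]]>
</Query>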
<!-- The script element can be used to place code -->
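<Script>
<![CDATA[
// Script section: populate the incident (the existing one found by the Query,
// or a fresh one from the template) from the mail. Three sources are handled,
// selected first by sender and then by subject:
//   1. ServiceDesk / ConnectIT mail from XYZ@texashealth.org (create or update)
//   2. RSAM mail ("RSAM" in the subject)
//   3. Proofpoint URL Defense alerts ("URL Defense Alert" in the subject)
//
// Fixes against the previous version:
//  - `else if {` had no condition, so the script did not parse;
//  - the brace-less `if` in the RSAM and URL Defense branches only guarded
//    the first assignment, so the remaining fields were set unconditionally;
//  - `incient_area` was a typo for `incident_area` in the URL Defense branch;
//  - a duplicated `incident.name = mail.subject;` line was removed;
//  - `body.replace('*','')` with a string pattern removes only the FIRST
//    asterisk; a global regex is used instead (revert if only one was intended);
//  - `connectit_update + 1` produced NaN when the counter was unset.
var logger = org.slf4j.LoggerFactory.getLogger('Script');
// slice(1, -1) drops the first and last character — presumably the "<" and
// ">" around the address in mail.from; verify against a real sample.
var sender = mail.from.toString().slice(1, -1);
var subject = mail.subject.toString();

logger.info("Script Start");
logger.info(incident.id);
logger.info(sender);

// SECURITY NOTE(review): the From header alone selects the ServiceDesk branch,
// and on the update path the incident description is overwritten with mail
// content. From is trivially spoofable unless the mailbox feeding this parser
// only accepts authenticated internal mail (SPF/DKIM/DMARC enforced upstream)
// — confirm that before relying on it.
if (sender == "XYZ@texashealth.org") {
  logger.info("Email script");
  if (incident.id == null) {
    logger.info("Create incident if");
    // Derive the ConnectIT number here instead of relying on `conn` leaking
    // from the Query section as an undeclared global.
    var html = mail.bodyHtml;
    var match = (html != null) ? String(html).match("Incident(.*)\"") : null;
    var conn = (match != null && match.length > 1) ? match[1].split("\"")[0] : null;
    logger.info(conn);
    incident.properties.connectit_one = conn;
    incident.name = subject;
    // NOTE(review): raw HTML from the mail is stored as the description;
    // whether Resilient renders or escapes it when displayed is not visible
    // here — verify before accepting mail from untrusted senders.
    incident.description = html;
    incident.reporter = sender;
    incident.properties.incident_area = ["Security"];
    // NOTE(review): set as a string here but as an array (["xyz"]) in the
    // other branches — check the field's type in Resilient and make them agree.
    incident.properties.thr_entity = "XYZ";
  } else {
    // Follow-up mail for an existing ConnectIT incident: bump the update
    // counter (treat a missing counter as 0) and replace the description.
    var updates = incident.properties.connectit_update;
    incident.properties.connectit_update = (updates == null ? 0 : updates) + 1;
    incident.description = mail.bodyText.replace(/\*/g, '');
  }
} else if (subject.indexOf("RSAM") > -1) {
  incident.properties.incident_area = ["Security"];
  incident.name = subject;
  incident.description = mail.bodyText;
  incident.reporter = sender;
  incident.properties.thr_entity = ["xyz"];
} else if (subject.indexOf("URL Defense Alert") > -1) {
  incident.properties.incident_area = ["Security"];
  incident.properties.incident_category = ["Phishing"];
  incident.name = subject;
  incident.description = mail.bodyText;
  incident.properties.thr_entity = ["xyz"];
} else {
  // Previously any other mail fell through and was tagged as a Phishing
  // incident. Leave the template incident untouched and log it instead, so
  // unexpected mail does not silently create a mis-categorised incident.
  logger.warn("No parser branch matched sender " + sender + " / subject: " + subject);
}
]]>
</Script>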
<PostScript>
<![CDATA[
]]>
</PostScript>
</MailParser>
Fawad Majid