IBM QRadar SOAR

  • 1.  Parsing email headers with script only

    Posted Wed September 02, 2020 12:37 PM
    Hi everyone,

    I was just curious if it's possible to parse email header data from an email attachment without sending the email to the integration server.  I wrote this quick script to parse the x-sender which works outside resilient, but when trying to run from the scripts tab under customization settings I'm running into issues (wrong object/variable being opened?):

    import re
    # read the attachment and look for the x-sender value within its first 5000 characters
    with open(attachment, 'r') as f:
        email = f.read()
    if 'x-sender' in email:
        pattern = re.compile('(?<=x-sender=")[^"]+')
        result = pattern.search(email, 0, 5000)
        if result:  # guard: the match may lie beyond the first 5000 characters
            log.info(result.group(0))

    Console error output attached.

    Thanks!

    ------------------------------
    Jason Jemmott
    Cyber Security Analyst
    ------------------------------


  • 2.  RE: Parsing email headers with script only

    Posted Thu September 03, 2020 08:00 AM
    Are you trying to create a Script for an Attachment Object? If so, I don't think there is access to the attachment content from within an inline script:

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------



  • 3.  RE: Parsing email headers with script only

    Posted Thu September 03, 2020 11:55 AM
    Hi Ben,

    That's exactly what I was attempting to do - is there a recommended course/resource I can reference to better understand the capabilities of inline scripting?

    ------------------------------
    Jason Jemmott
    Cyber Security Analyst
    ------------------------------



  • 4.  RE: Parsing email headers with script only

    Posted Mon October 05, 2020 12:21 PM
    So while working on this parser I started reviewing the app logs for mailparser and noticed that it does in fact parse out the 'received-spf' header which is where the x-sender field resides, but I'm not seeing the data being sent over to resilient in any of our existing artifacts. Do I need to create a specific artifact name/type in order for mailparser to send over the entire received-spf header, or has anyone else already managed to successfully parse out the x-sender from mail headers?

    ------------------------------
    Jason Jemmott
    Cyber Security Analyst
    ------------------------------



  • 5.  RE: Parsing email headers with script only

    Posted Thu September 03, 2020 09:15 AM
    Hi Jason

    The current scripting engine does not allow for working with file-like objects... you cannot call "open" from a script.

    When the python 3 engine is introduced, this use case (parsing email headers) will be supported through the email module in python 3.

    AnnMarie

    ------------------------------
    AnnMarie Norcross
    ------------------------------
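    As an added example (not code from this thread, from Resilient or from the mailparser app), this is how the Python 3 email module AnnMarie mentions handles the Received-SPF header Jason describes in his later post: the parser unfolds the header and its key=value parameters, x-sender included, are pulled out without a hand-written regex over the raw file. The message below is constructed for the example; the function names are mine.

```python
import re
from email import message_from_bytes, message_from_string
from email.policy import default

# Constructed sample message (not taken from the thread). The Received-SPF
# header is folded across several lines, as mail servers commonly emit it,
# and carries the x-sender parameter the original regex was after.
SAMPLE_EMAIL = """\
Received-SPF: pass (example.net: domain of sender.example designates
 198.51.100.7 as permitted sender) client-ip=198.51.100.7;
 envelope-from=alerts@sender.example; x-sender="alerts@sender.example";
 receiver=mx.example.net
From: "Alerts" <alerts@sender.example>
To: soc@example.net
Subject: constructed test message
Content-Type: text/plain; charset="utf-8"

Body text here.
"""

# key=value pairs in the Received-SPF header; values may be quoted
_PARAM_RE = re.compile(r'(\w[\w-]*)=("[^"]*"|[^;\s]+)')


def parse_message(raw):
    """Parse a raw RFC 5322 message given as str or bytes (attachments are bytes)."""
    if isinstance(raw, bytes):
        return message_from_bytes(raw, policy=default)
    return message_from_string(raw, policy=default)


def received_spf_params(raw):
    """Return the key=value parameters of the Received-SPF header(s) as a dict.

    The email parser unfolds continuation lines, so a parameter split by a
    fold is still seen whole. With several Received-SPF headers, the first
    (outermost, added by the last hop) occurrence of each key wins.
    """
    msg = parse_message(raw)
    params = {}
    for value in msg.get_all("Received-SPF", []):
        for key, val in _PARAM_RE.findall(str(value)):
            params.setdefault(key.lower(), val.strip('"'))
    return params


def extract_x_sender(raw):
    """x-sender from Received-SPF, or None when the header or parameter is absent."""
    return received_spf_params(raw).get("x-sender")
```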



  • 6.  RE: Parsing email headers with script only

    Posted Thu September 03, 2020 12:00 PM
    Hi AnnMarie,

    Thank you for the explanation on where the capability gap resides, much appreciated! Is there a planned version update that we can expect python 3 support?

    ------------------------------
    Jason Jemmott
    Cyber Security Analyst
    ------------------------------



  • 7.  RE: Parsing email headers with script only

    Posted Wed September 09, 2020 04:00 PM
    Hi @Jason Jemmott,

    I don't know if there is a planned version for it, but I can tell you that it's in beta testing for some customers for sure, so I'd imagine it's not far away!

    Best,
    Jared

    ------------------------------
    Jared Fagel
    Cyber Security Analyst I
    Public Utility
    ------------------------------