IBM Security QRadar SOAR

  • 1.  Phishing Email Parsing script

    Posted Mon November 29, 2021 11:48 PM

    Hi All,
          I ran the default email parsing script in SOAR, which parses the following artifacts:

    Email Recipient (who sent the email to SOAR)
    URLs (if included in the email body)
    IP addresses (if included in the email body)
    File hashes (if included in the email body)

    But it is not able to parse sender information, i.e. the sender email address (outsider), the receiver email address (who received the email in the environment), the sender IP address and other information in the email header. Can anyone please help me build a function that will parse the email header?


    I have tried the following procedures to send an email to SOAR:

    1. I forwarded the phishing email to SOAR, which shows me the following information:
            Email Recipient (who sent the email to SOAR)
            URLs (if included in the email body)
            IP addresses (if included in the email body)
            File hashes (if included in the email body)

    2. I sent the email as an attachment, which shows me the following information:
            Email Recipient (who sent the email to SOAR)
            Email in the attachment tab



    ------------------------------
    Hafiz Tabish Imran Bilgrami
    ------------------------------


  • 2.  RE: Phishing Email Parsing script

    Posted Tue November 30, 2021 06:36 AM
    Hi
     
    You may find this useful
     
     
    Leonardo Kenji Shikida
    Security Delivery Specialist
     
    Phone: 55 31 99994 0875







  • 3.  RE: Phishing Email Parsing script

    Posted Mon December 06, 2021 08:03 AM

    Hi!
    Have you made any progress? Have you seen this document?

    In emailmessage-type Python 2 scripts, the sender and receiver email address should be accessible using emailmessage.from and emailmessage.to respectively. Both of these objects should contain a name and an address field.

    Headers are accessed as a map from emailmessage.headers.

    In order to see what the data in those fields are for your emails, I suggest running this Python 2 script against an email interactively:

    # 'log' is provided by the SOAR script runtime, so no import is needed.
    log.info("headers")
    log.info(emailmessage.headers)

    # 'from' is a reserved word in Python, so emailmessage.from is a syntax
    # error; read the attribute by name with getattr instead.
    log.info("from " + str(getattr(emailmessage, "from")))

    log.info("to " + str(emailmessage.to))



    ------------------------------
    Patrick (PJ) McKenna
    Resilient Development
    ------------------------------
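    Building on the reply above, here is an added example of a header-parsing script (my own illustration, not code from this thread or from IBM's default email script). It assumes the emailmessage object exposes from/to objects with a name and address field and a headers map whose values are lists; since that object only exists inside SOAR, a constructed stand-in with a sample header set is embedded so the script runs on its own, and the artifact type names ("Email Sender", "Email Recipient", "IP Address") are assumed to match the SOAR artifact types.

```python
import re

# Constructed stand-in for the SOAR emailmessage object (assumption: the real
# object has .from/.to with .name/.address and .headers as name -> list map).
class _Addr(object):
    def __init__(self, name, address):
        self.name, self.address = name, address

class _Msg(object):
    pass

sample = _Msg()                                  # constructed sample message
setattr(sample, "from", _Addr("Alice Example", "alice@example.org"))
sample.to = [_Addr("SOC Mailbox", "soc@example.com")]
sample.headers = {
    "Return-Path": ["<bounce@example.org>"],
    "Received": [  # newest hop first, as MTAs prepend them
        "from mx.example.com (mx.example.com [192.0.2.10]) by mail.example.com",
        "from sender-host (unknown [203.0.113.25]) by mx.example.com",
    ],
    "Reply-To": ["attacker-reply@example.net"],
}

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def header_values(msg, name):
    """All values of a header, matched case-insensitively, always as a list."""
    for key, val in msg.headers.items():
        if key.lower() == name.lower():
            return list(val) if isinstance(val, (list, tuple)) else [val]
    return []

def originating_ip(msg):
    """Bracketed IP of the earliest Received: hop (listed last). Hops written
    before your own MTA are sender-controlled text, so treat it as untrusted."""
    for hop in reversed(header_values(msg, "Received")):
        m = IPV4.search(hop)
        if m:
            return m.group(1)
    return None

def header_artifacts(msg):
    """(artifact_type, value, description) tuples to feed incident.addArtifact."""
    sender = getattr(msg, "from")  # 'from' is a keyword; plain attribute access fails
    arts = [("Email Sender", sender.address, "From: address in the email header")]
    for rcpt in msg.to:
        arts.append(("Email Recipient", rcpt.address, "To: address in the email header"))
    ip = originating_ip(msg)
    if ip:
        arts.append(("IP Address", ip, "Originating IP from the earliest Received: hop"))
    for reply in header_values(msg, "Reply-To"):
        if reply.lower() != sender.address.lower():
            arts.append(("Email Sender", reply, "Reply-To differs from From: (possible spoofing)"))
    return arts
```

    Inside SOAR the last step would be a loop such as `for t, v, d in header_artifacts(emailmessage): incident.addArtifact(t, v, d)` with the real emailmessage object in place of the stand-in.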