IBM Security SOAR


Using EmailMessage object

  • 1.  Using EmailMessage object

    Posted 21 days ago

    Is it possible to attach the actual email to an incident using the EmailMessage object?
    For example, our SOAR is monitoring phish@xyz.com and an email is received.
    The script (which I found in the ibmresilient resilient-scripts GitHub repo) will run and create the incident.

    I would like for the actual email itself to be added to the created incident as an attachment.
    Is this possible?



    ------------------------------
    Tim Gray
    ------------------------------


  • 2.  RE: Using EmailMessage object

    Posted 21 days ago
    Edited by Elizabeth Hecht 21 days ago
    Hi Tim,
    Thank you for using the Community. The default out-of-the-box email parsing script adds the email message(s) directly to the incident using the following syntax:
    # Associates the email message with the new incident.
    emailmessage.associateWithIncident(incidents[0])

    More information about the process is available here:
    https://www.ibm.com/docs/en/rsoa-and-rp/37?topic=scripts-associating-email-messages-incidents
    You simply need to add the email widget to see the email messages that have been associated with the incident:
    https://www.ibm.com/docs/en/rsoa-and-rp/37?topic=email-lesson-5-adding-tab-layouts



    ------------------------------
    Elizabeth Hecht
    ------------------------------



  • 3.  RE: Using EmailMessage object

    Posted 12 days ago
    I am wondering if this is not possible via the REST API, using the REST endpoint docs/rest-api/ui/index.html#/EmailREST?

    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------



  • 4.  RE: Using EmailMessage object

    Posted 20 days ago
    Thank you Elizabeth.
    Is there a way for the email widget to allow the user to view the email itself or possibly download it?
    Just being able to see the email sender, subject, ... doesn't seem overly helpful to an analyst when researching phishing incidents.

    ------------------------------
    Tim Gray
    ------------------------------



  • 5.  RE: Using EmailMessage object

    Posted 20 days ago
    Hello
    Once an incident is created from an inbound email, the mail messages can be downloaded from the E-mail tab. (Apologies for the image being in Japanese.)


    ------------------------------
    Yohji Amano
    ------------------------------



  • 6.  RE: Using EmailMessage object

    Posted 19 days ago
    I see now. I didn't have the permissions set for the user to download the emails.
    Thanks!
    I do wish it would download as an email file (.eml or .msg) rather than just a .txt file, but I can live with this.

    ------------------------------
    Tim Gray
    ------------------------------



  • 7.  RE: Using EmailMessage object

    Posted 13 days ago
    This took me longer to realize than I wish to admit, but even though it's a .txt when downloaded, it's really an email file (.eml).

    This was brought to the SOAR team a couple years ago as part of the idea to have emails be attached to incidents, but they chose not to deliver the .eml download portion because of concern regarding content (opening phishing emails). I thought this was a funny stance with the primary SOAR user base being security analysts. I would upvote another idea to have this re-looked at. Ref: https://2e4ccba981d63ef83a875dad7396c9a0.ideas.aha.io/ideas/R-I-451

    Does your phish reporting method not attach the raw phishing email to reports so you can see headers and such? I believe this is how most of us have it happening (email comes into the mailbox that has the phish attached as a .eml file, the .eml is added as an incident attachment, parsed, etc.).

    ------------------------------
    Jared Fagel
    Cyber Security Analyst
    ALLETE Inc.
    ------------------------------
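
The two points made in the last posts, that the file SOAR downloads as .txt is really an RFC 5322 message and that a reported phish usually arrives with the original attached as a .eml, are worked through in the added example below. This is not code from the thread, from IBM SOAR or from the resilient-scripts repository; it uses only the Python standard library, and the sample report and phishing message (every address, host and IP in it) are constructed for the example.

```python
"""Triage a reported phish offline: parse the report .eml, pull out any
embedded original message (message/rfc822 or an attached .eml blob), and
summarise the headers an analyst pivots on. Standard library only."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample (addresses, hosts and IPs are made up, not from the
# thread): the original phishing message as raw RFC 5322 bytes.
PHISH_RAW = b"""\
Received: from [192.0.2.10] by mx.xyz.example; Mon, 1 Jan 2024 09:00:00 +0000
Received: from [203.0.113.7] by example.net; Mon, 1 Jan 2024 08:59:00 +0000
Authentication-Results: mx.xyz.example; spf=fail smtp.mailfrom=example.net
From: "IT Helpdesk" <it-helpdesk@example.net>
Reply-To: attacker@example.org
To: tim@xyz.example
Subject: Action required: password expires today
Message-ID: <20240101085900.1234@example.net>
Date: Mon, 1 Jan 2024 08:59:00 +0000
Content-Type: text/plain; charset="us-ascii"

Your password expires today. Reset it at https://login.example.org/reset
within the next hour or your mailbox will be locked.
"""


def load_message(raw: bytes) -> EmailMessage:
    """Parse raw RFC 5322 bytes. The file name is irrelevant: a .txt that SOAR
    produced for an associated email is still an .eml on the inside."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def attached_messages(msg: EmailMessage) -> list:
    """Every email embedded in msg, whether attached properly as
    message/rfc822 or as an opaque .eml blob (e.g. application/octet-stream)."""
    found = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "message/rfc822":
            found.append(part.get_content())  # already an EmailMessage
        elif name.endswith(".eml") and not part.is_multipart():
            found.append(load_message(part.get_payload(decode=True)))
    return found


def summarize(msg: EmailMessage) -> dict:
    """Headers and indicators worth pivoting on during phishing triage."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return {
        "from": str(msg.get("From", "")),
        "reply_to": str(msg.get("Reply-To", "")),
        "subject": str(msg.get("Subject", "")),
        "message_id": str(msg.get("Message-ID", "")),
        # Each hop prepends its Received header, so the list is newest-first;
        # reverse it to read the path from the origin towards our MX.
        "received_path": [str(h) for h in reversed(msg.get_all("Received", []))],
        "authentication_results": [str(h) for h in msg.get_all("Authentication-Results", [])],
        "attachments": [(p.get_filename(), p.get_content_type())
                        for p in msg.iter_attachments()],
        "urls": sorted(set(URL_RE.findall(text))),
    }


def build_sample_report(as_blob: bool = False) -> bytes:
    """Constructed sample: an employee forwards the phish to the monitored
    mailbox with the original attached as phish.eml."""
    report = EmailMessage()
    report["From"] = "Employee <employee@xyz.example>"
    report["To"] = "phish@xyz.example"
    report["Subject"] = "FW: suspicious password reset"
    report.set_content("Reporting this email I received this morning.")
    if as_blob:  # some clients attach the .eml as an opaque binary blob
        report.add_attachment(PHISH_RAW, maintype="application",
                              subtype="octet-stream", filename="phish.eml")
    else:        # the proper MIME type for a forwarded message
        report.add_attachment(load_message(PHISH_RAW), filename="phish.eml")
    return report.as_bytes()


def triage_report(raw_report: bytes) -> dict:
    """Summarise the report itself and every phish embedded in it. If the
    reporter forwarded inline, "phish" is empty and the report summary is all
    there is to work with."""
    report = load_message(raw_report)
    return {"report": summarize(report),
            "phish": [summarize(m) for m in attached_messages(report)]}


if __name__ == "__main__":
    import json
    print(json.dumps(triage_report(build_sample_report()), indent=2))
```

Run it directly and it prints the triage summary of the constructed sample as JSON; in practice you would pass `triage_report()` the bytes of the .txt downloaded from the SOAR E-mail tab, or the raw report pulled from the monitored mailbox. The Received chain is read oldest-first so the first entry is the hop closest to the sender, and a Reply-To that differs from From, or an spf=fail in Authentication-Results, is visible without opening the message in a mail client.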