IBM Security QRadar SOAR


Microsoft exchange function (fn_exchange) - Attachments tab

  • 1.  Microsoft exchange function (fn_exchange) - Attachments tab

    Posted Wed July 03, 2019 08:50 AM
    Hi Everyone,

    The Microsoft Exchange find email function is working fine in our test environment. I can find emails on our exchange server and attach subject/body/sender etc artifacts to incidents.

    Is it possible to also attach the full email to the attachments tab of an incident in eml/msg or some other format, using this function?

    If not, do you know if there are plans to add this functionality in the future?

    Thanks,

    Michael John

    ------------------------------
    Michael John Sheahan
    ------------------------------


  • 2.  RE: Microsoft exchange function (fn_exchange) - Attachments tab

    Posted Thu July 04, 2019 05:04 AM
    Hi Michael John,

    We've started work on bringing Exchange Web Services support into the in-product email, similar to IMAP that we have today.  That will mean these emails will appear on the Incidents Email tab. In this context, if you've been able to parse the important info needed from the email, and have a list of emails on the Incidents, just want to understand the need to access the original .eml as well ?

    ------------------------------
    MARTIN FEENEY
    IBM Resilient Product Manager
    IBM Security
    Galway
    ------------------------------



  • 3.  RE: Microsoft exchange function (fn_exchange) - Attachments tab

    Posted Fri July 05, 2019 08:06 AM
    Hi Martin,

    I've thought about it more and you are correct. I didn't realise that the function was also attaching a base64 text of email attachments to the notes tab. Everything is covered. Adding the eml file would be redundant.

    I do have another question however.  Is it possible to add status messages from the  Action status tab (workflow) to the notes tab of an incident automatically? 

    Thanks, 


    ------------------------------
    Michael John Sheahan
    ------------------------------



  • 4.  RE: Microsoft exchange function (fn_exchange) - Attachments tab

    Posted Tue July 09, 2019 09:22 AM
    Hi Martin,

    We don't have a way to access Action status messages at this time. We've had discussions regarding sending messages from a post-processing script to the Action Status, but have not heard about consuming them in a note.

    Regards,

    ------------------------------
    Mark Scherfling
    ------------------------------



  • 5.  RE: Microsoft exchange function (fn_exchange) - Attachments tab

    Posted Tue July 09, 2019 09:57 AM
    Hi Mark/Martin,

    Thanks for checking. If we had the ability to access action/workflow status messages and error messages we could:

    - Parse server error messages and tracebacks in the action status tab into something that makes more sense to the analyst, + add to the notes tab. 

    - Use action status messages to start another workflow.  For example every time a certain error message occurs, send an email to a distribution list with the error message + incident id.

    How do I suggest this as a feature request?

    Thanks, 


    Michael John

    ------------------------------
    Michael John Sheahan
    ------------------------------



  • 6.  RE: Microsoft exchange function (fn_exchange) - Attachments tab

    Posted Wed July 10, 2019 05:12 AM
    Hi Michael John,

    Check out the Ideas portal...
    https://success.resilientsystems.com/hc/en-us/categories/360000052165-Ideas-formerly-RFEs-Requests-for-Enhancement-

    ------------------------------
    MARTIN FEENEY
    IBM Resilient Product Manager
    IBM Security
    Galway
    ------------------------------



  • 7.  RE: Microsoft exchange function (fn_exchange) - Attachments tab

    IBM Champion
    Posted Tue July 16, 2019 01:21 PM
    I have this as a documented idea already. See R-I-451 here.

    Two issues are addressed here:
    1. In the inbox, emails are incorrectly downloaded as a .txt file and not the true .eml file (which is what the .txt file really is).
    2. After being ingested into an incident, there is no longer access to the source email file.


    ------------------------------
    Jared Fagel
    Cyber Security Analyst Intern
    Public Utility
    ------------------------------



  • 8.  RE: Microsoft exchange function (fn_exchange) - Attachments tab

    Posted Wed July 17, 2019 04:34 AM

    Hi Jared,
    Just a comment on point 1. It was a conscious decision not to download the emails from the inbox with the .eml extension. On a lot of systems, when you double-click a .eml file it will automatically open in the default email client. As these emails can potentially contain malware, bad links etc., we decided to lessen the risk and we download them as a .txt text file. That way they open in a text editor and you can view the raw contents of the email file. The contents of the file are not changed at all, just the file extension.

    We'd be planning the same behavior from the email tab within an incident when we get to it. I don't think we could really be persuaded to change our approach on this. If we implemented your idea linked above I think we would attach it to the incident as a .eml file. Today if an email comes in with a .eml file as an attachment that is what happens in the current solution so there would be no change there.

    Regards,

    Paddy Divilly



    ------------------------------
    PATRICK DIVILLY
    ------------------------------



  • 9.  RE: Microsoft exchange function (fn_exchange) - Attachments tab

    IBM Champion
    Posted Wed July 17, 2019 11:05 AM
    Thanks Patrick. This is the first time I have heard that, the other techs I have spoken with were unaware of this. I will say that at the least, I feel that should be a setting, and not an enforced file type change. Cyber Security professionals are using Resilient, and if they are opening links and downloading attachments from downloaded malicious email files, I'd think there is a much greater issue that goes beyond Resilient!


    Additionally, rather than attaching the email file to the incident, it may be better if it could be downloaded through the email widget instead. Here is the problem with attaching it-- phish reports that have a .eml file attachments get parsed automatically for many. Now, what happens when two .eml files are showing up (unless you truly stick with the .txt attachment, in which case this still seems odd)? -- This would break automation for anyone processing email files automatically.

    ------------------------------
    Jared Fagel
    Cyber Security Analyst Intern
    Public Utility
    ------------------------------



  • 10.  RE: Microsoft exchange function (fn_exchange) - Attachments tab

    Posted Fri July 19, 2019 09:46 AM

    Hi Jared,
    I do get what you're saying on point one and I agree it's not likely to happen, but the consequences of a mistake if it did happen could be severe. So you've not persuaded me to change the approach there.

    On point 2, I didn't follow why the automation would break. Also, just to clarify in case it's influencing your thought process, I'd see attaching emails to an incident and downloading them from the email tab as two separate pieces of functionality. Ideally you could do both. So, to the part that confused me: you can have multiple attachments on an incident. So you can have multiple .eml attachments on one incident. They can be the exact same files or different, so I'm not clear what automation would break?



    ------------------------------
    PATRICK DIVILLY
    ------------------------------



  • 11.  RE: Microsoft exchange function (fn_exchange) - Attachments tab

    IBM Champion
    Posted Fri July 19, 2019 10:45 AM
    Hi Patrick,

    Thanks for the reply and perspective.

     I agree that consequences could be severe, but also every file that is added to the attachments is (for many) potentially malicious. Malware executables, malicious documents, and emails all go into the attachments. I don't believe email file types should be renamed in attachments (which may not be what you're stating), in general they are probably the safest attachments people are adding. Perhaps the emails could be added as their true .eml to the incident attachments, and as a .txt to the email widget for download (which may be what you were thinking).

    My other point was that there may be customers (including us) who have automatic rules that trigger when a .eml file is added to an incident as an attachment for phishing incidents. Having two .eml files (the phish email and the email that had the phish attached to it) would cause issues with this process. This could likely be fixed by modifying the rule and the incident.addEmailAttachment() method in the script to name the phish .eml attachment, this way the automatic rule would only fire on the true phish and not both the report email and phish email. Does that make sense?

    ------------------------------
    Jared Fagel
    Cyber Security Analyst Intern
    Public Utility
    ------------------------------
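    The two points argued over above (storing the raw email under a .txt name so it does not open in a mail client, and naming the attached phish so that a filename-keyed rule fires on it and not on the report wrapper) can be shown together in a small Python script. This is an added example, not code from the thread, from fn_exchange or from the Resilient scripting API; the function names, the `phish-<n>-<digest>.eml` / `report-<digest>.txt` naming scheme and the sample messages are assumptions made here for illustration. It uses only the standard library `email` package.

```python
"""Added example (not fn_exchange or Resilient code): split a phish report email
into the report wrapper (kept byte-for-byte, .txt name) and the attached .eml.

Rationale taken from the discussion above:
  1. The wrapper is written with a .txt extension, contents unchanged, so a
     double-click opens a text editor rather than the default mail client.
  2. Each attached message/rfc822 part gets its own predictable .eml name, so an
     automation that triggers on ".eml attached" fires on the real phish only.
Names, scheme and sample input are assumptions for this example.
"""
import hashlib
from email import policy
from email.parser import BytesParser
from pathlib import Path

# Constructed sample input: the phish itself (LF line endings for readability).
PHISH = (
    b"From: payroll@example-phish.test\n"
    b"To: victim@example.org\n"
    b"Subject: Update your direct deposit\n"
    b"Content-Type: text/plain\n"
    b"\n"
    b"Click http://example-phish.test/login to confirm.\n"
)

# Constructed sample input: the report a user sends to the SOC, PHISH attached.
REPORT = (
    b"From: alice@example.org\n"
    b"To: phish-report@example.org\n"
    b"Subject: FW: suspicious email\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="report-boundary"\n'
    b"\n"
    b"--report-boundary\n"
    b"Content-Type: text/plain\n"
    b"\n"
    b"Got this today, looks fake.\n"
    b"--report-boundary\n"
    b"Content-Type: message/rfc822\n"
    b'Content-Disposition: attachment; filename="suspicious.eml"\n'
    b"\n" + PHISH +
    b"--report-boundary--\n"
)


def _short_digest(data: bytes) -> str:
    """First 12 hex chars of SHA-256; keeps names unique even for identical files."""
    return hashlib.sha256(data).hexdigest()[:12]


def split_report(raw_report: bytes) -> dict:
    """Map attachment filename -> raw bytes for the wrapper and each attached .eml.

    The wrapper keeps its exact original bytes under a .txt name. Each immediate
    message/rfc822 sub-part becomes phish-<n>-<digest>.eml. The sender-supplied
    Content-Disposition filename is deliberately ignored: it is attacker-controlled
    (path separators, misleading extensions), so we assign our own names.
    """
    report = BytesParser(policy=policy.default).parsebytes(raw_report)
    files = {f"report-{_short_digest(raw_report)}.txt": raw_report}
    count = 0
    for part in report.iter_parts():  # immediate sub-parts only; no recursion
        if part.get_content_type() != "message/rfc822":
            continue
        count += 1
        # get_payload(0) is the parsed inner message; as_bytes() re-serialises it.
        inner_bytes = part.get_payload(0).as_bytes()
        files[f"phish-{count}-{_short_digest(inner_bytes)}.eml"] = inner_bytes
    return files


def is_phish_attachment(filename: str) -> bool:
    """Condition a filename-keyed rule would use: only .eml names qualify."""
    return filename.lower().endswith(".eml")


def subject_of(raw_message: bytes) -> str:
    """Subject header of a raw RFC 5322 message, for checks and analyst notes."""
    return str(BytesParser(policy=policy.default).parsebytes(raw_message)["Subject"])


def write_files(files: dict, directory: Path) -> list:
    """Write each attachment to disk under its assigned name; return the paths."""
    directory.mkdir(parents=True, exist_ok=True)
    written = []
    for name, data in files.items():
        path = directory / name
        path.write_bytes(data)
        written.append(path)
    return written


if __name__ == "__main__":
    import tempfile

    parts = split_report(REPORT)
    for name, data in parts.items():
        print(f"{name}: subject={subject_of(data)!r} rule fires={is_phish_attachment(name)}")
    with tempfile.TemporaryDirectory() as tmp:
        for p in write_files(parts, Path(tmp)):
            print("wrote", p)
```

    Running it yields one `report-….txt` whose bytes equal the input exactly and one `phish-1-….eml` carrying the forwarded message, so `is_phish_attachment()` is true for the phish alone. If the report contains no message/rfc822 part, only the .txt wrapper is produced and nothing fires.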



  • 12.  RE: Microsoft exchange function (fn_exchange) - Attachments tab

    Posted Mon January 11, 2021 07:47 AM
    Hi all, I have another security issue to be concerned about. May I ask if this app's functionality will reveal/return the mail body or subject? What is in the mailbox info? We are worried about the exposure of the mail's confidential data, if anyone who uses the FindEmails function can get the email body content with no restriction, no matter whom the mail belongs to. Thank you.

    ------------------------------
    Andrew Sheng
    ------------------------------