IBM Security QRadar SOAR


Email Parsing Script - Add Email as Attachment

  • 1.  Email Parsing Script - Add Email as Attachment

    Posted Thu April 11, 2019 10:45 PM
    Hi, 

    We are on v32 in Resilient and using the email connector for inbound emails.

    Currently the scripts are working to parse out artifacts and attachments as expected. We would like to additionally add the email itself as an attachment. Is there a way to do this from the script itself? 

    Thanks!

    ------------------------------
    Adina
    ------------------------------


  • 2.  RE: Email Parsing Script - Add Email as Attachment

    Posted Fri April 12, 2019 07:48 AM
    Hi Adina,
    Unfortunately this functionality is not currently available but this is the second time it's been asked for on this forum so it is clearly something that would be useful to customers. So we will look into it.

    Regards

    Paddy Divilly

    ------------------------------
    PATRICK DIVILLY
    ------------------------------



  • 3.  RE: Email Parsing Script - Add Email as Attachment

    Posted Thu March 26, 2020 04:14 PM
    Hi everybody,

    We face the same issue at the moment. As this post is nearly a year old I'd like to ask what is the status here?

    Best,
    Achim

    ------------------------------
    Achim Quehenberger
    ------------------------------



  • 4.  RE: Email Parsing Script - Add Email as Attachment

    Posted Mon March 30, 2020 04:46 AM
    Hi Achim,

    We have added the ability to download the email attachment from the incident in V35.2. Depending on your use case this may be of assistance?

    ------------------------------
    MARTIN FEENEY
    IBM Resilient Product Manager
    IBM Security
    Galway
    ------------------------------



  • 5.  RE: Email Parsing Script - Add Email as Attachment

    Posted Mon March 30, 2020 09:29 AM
    Hi Martin, 

    We are now currently in v36 so would have this ability. Are you saying that if someone sends an email to Resilient you can attach the original email as an attachment and download it? Or is this in the inbox the original email can be downloaded? 

    Because we are still very interested in being able to attach the original email to the ticket itself. 

    Thanks, 
    Adina

    ------------------------------
    Adina Bodkins
    ------------------------------



  • 6.  RE: Email Parsing Script - Add Email as Attachment

    Posted Mon March 30, 2020 01:16 PM
    Hi Adina,

    If the emails are processed by the in product email connector and the script you use with that, they will appear in the email tab on the incident they are associated with. On this tab you can download the email via the action menu on each email row. You'll need download emails permission assigned in the roles section.

    These emails are attached to the incident, just not using the "attachments" tab, instead using the email tab. This is to align with our future plans to have a real inbound/outbound email view on an incident.

    ------------------------------
    MARTIN FEENEY
    IBM Resilient Product Manager
    IBM Security
    Galway
    ------------------------------



  • 7.  RE: Email Parsing Script - Add Email as Attachment

    Posted Wed April 01, 2020 03:17 AM
    Hi Martin,

    so we are on v35.2 and we use the example parsing script but I can't see any email tab.
    Is this tab only visible with the mentioned permissions?

    Thanks,
    Achim

    ------------------------------
    Achim Quehenberger
    ------------------------------



  • 8.  RE: Email Parsing Script - Add Email as Attachment

    Posted Wed April 01, 2020 05:57 AM
    Hello Achim,

    If your organization had been created before v32, you need to add the Email tab manually. You can follow the steps at the link below.
    https://www.ibm.com/support/knowledgecenter/SSBRUQ_36.0.0/doc/tutorials/email/emailscriptlesson5.html

    Best regards,
    Can Kutu

    ------------------------------
    Can Kutu
    ------------------------------



  • 9.  RE: Email Parsing Script - Add Email as Attachment

    Posted Wed April 01, 2020 09:21 AM
    Hello Can Kutu,

    thank you, that worked.
    Unfortunately I have the next issue. The action menu contains no available actions. So in this Email Tab I only see the line with the subject, sender, and so on, but can't access the original email.

    Also I have noticed... all those emails are not shown in the main menu inbox tab after an incident was created.

    Best,
    Achim

    ------------------------------
    Achim Quehenberger
    ------------------------------



  • 10.  RE: Email Parsing Script - Add Email as Attachment

    Posted Wed April 01, 2020 11:24 AM
    Hi Achim,

    The email download action menu requires that permission to download I mentioned earlier.

    The global inbox only contains emails that have not been successfully attached to an incident. That's why emails in the Incident inbox won't appear there. You should troubleshoot your email processing logic to understand why these emails were not attached to incidents.

    ------------------------------
    MARTIN FEENEY
    IBM Resilient Product Manager
    IBM Security
    Galway
    ------------------------------



  • 11.  RE: Email Parsing Script - Add Email as Attachment

    Posted Thu April 02, 2020 04:49 AM
    Hi Martin,

    Regarding the email download permissions. Are these some extra permission settings anywhere? Because actually I have admin rights so I should have those rights, right?

    Regarding the emails in the inbox. Ah ok, I already noticed that those Emails stay there when the script has errors in it. But I was surprised that they were gone when it worked.

    ------------------------------
    Achim Quehenberger
    ------------------------------



  • 12.  RE: Email Parsing Script - Add Email as Attachment

    Posted Thu April 02, 2020 05:18 AM
    Hi Achim,

    Just being admin doesn't automatically convey all permissions, they still have to be assigned, but being admin you should most likely have the rights to assign them to yourself.

    Are you the incident owner or a member of the incident in question?

    Have you the "download emails" permission, situated under View Incident?


    ------------------------------
    MARTIN FEENEY
    IBM Resilient Product Manager
    IBM Security
    Galway
    ------------------------------



  • 13.  RE: Email Parsing Script - Add Email as Attachment

    Posted Thu April 02, 2020 05:37 AM
    I think I found the issue.
    Our Resilient organization is managed by our parent company. 
    I have admin rights but the "Roles Tab" is missing so I guess these permissions must be granted by them.

    Thanks!

    PS: I am the owner of the incident

    ------------------------------
    Achim Quehenberger
    ------------------------------