IBM Security SOAR

Email Parsing Script Modification - Email Sender and Recipient address addition as Artifact

  • 1.  Email Parsing Script Modification - Email Sender and Recipient address addition as Artifact

    Posted 10 days ago
    Team,

    We have used the generic email parsing script that is available when we deploy IBM Cloud Pak for Security on-premises v1.7.2. Under Customization, Scripts, we modified the script to add the required artifacts such as:

    Email Sender
    Email Recipient

    However, when we try to modify the script, it only shows the email sender or the email recipient, but we require both artifacts to be gathered when the email is sent to the monitored mailbox.

    Moreover, we have tried sending the email by forwarding the suspicious email to the monitored mailbox and by attaching the original email. The script is only able to extract the URLs, IP addresses and hashes found in that email, but we were unable to extract the recipient and the suspicious sender who sent this email to the end user.

    If we attach the original email, the script won't parse the values and add them as artifacts to that particular case as an attachment. We need to know the best possible way to send the email to the monitored mailbox so that we can validate it by replicating the same steps that are recommended for the parsing script.

    Moreover, if someone can tell us whether the script will be updated in the next release of CP4S, please do let us know.

    I have attached both of the scripts which we have used during the testing and deployment phase.


    ------------------------------
    Usman Ahmed
    ------------------------------

    Attachment(s)

    Tariq Script.txt (28 KB, 1 version)
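The two cases the post describes, a forwarded mail and a mail with the original attached as message/rfc822, can be handled in one pass, as this added example shows. It is not the IBM-supplied parsing script and does not use the SOAR scripting API; it uses Python's standard `email` library, the artifact type names "Email Sender" and "Email Recipient" from the post, and a constructed sample message with placeholder addresses. Mapping the returned tuples onto SOAR's own artifact calls is left out because the post does not show that API.

```python
import email
from email import policy

# Constructed sample: an end user forwards a suspicious email to the
# monitored mailbox with the original message attached as message/rfc822.
FORWARDED_WITH_ATTACHMENT = """\
From: "End User" <user@example.com>
To: monitored-mailbox@example.com
Subject: FW: Invoice overdue
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

Looks suspicious, please check.
--outer
Content-Type: message/rfc822
Content-Disposition: attachment; filename="original.eml"

From: "Accounts" <attacker@example.net>
To: user@example.com
Cc: other@example.com
Subject: Invoice overdue

Pay at http://example.net/pay
--outer--
"""

def _addresses(msg, header):
    """Lower-cased addr-specs from one address header, or [] if it is absent."""
    value = msg.get(header)
    return [a.addr_spec.lower() for a in value.addresses] if value else []

def _header_artifacts(msg, description):
    """Sender and recipient artifacts (type, value, description) for one message."""
    arts = [("Email Sender", a, description) for a in _addresses(msg, "From")]
    for header in ("To", "Cc"):
        arts += [("Email Recipient", a, description) for a in _addresses(msg, header)]
    return arts

def extract_artifacts(raw):
    """Collect sender/recipient artifacts from the outer (forwarding) message
    and from every attached original message (message/rfc822 parts)."""
    msg = email.message_from_string(raw, policy=policy.default)
    artifacts = _header_artifacts(msg, "forwarding message")
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            artifacts += _header_artifacts(part.get_payload(0), "attached original message")
    return list(dict.fromkeys(artifacts))  # de-duplicate, keep order

if __name__ == "__main__":
    for artifact in extract_artifacts(FORWARDED_WITH_ATTACHMENT):
        print(artifact)
```

The description field distinguishes the forwarding user from the original suspicious sender, which is the distinction the post says the script currently loses.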