IBM Security QRadar SOAR


Email Parsing Script Modification - Email Sender and Recipient address addition as Artifact

  • 1.  Email Parsing Script Modification - Email Sender and Recipient address addition as Artifact

    Posted Wed November 24, 2021 01:30 AM
    Team,

    We have used the generic email parsing script that is available when we deploy IBM Cloud Pak for Security on-premises v1.7.2. Under Customization > Scripts, we modified the script to add the required artifacts, such as:

    Email Sender
    Email Recipient

    However, when we try to modify the script, it only shows either the email sender or the email recipient, but we require both artifacts to be gathered when the email is sent to the monitored mailbox.

    Moreover, we have tried sending the email by forwarding the suspicious email to the monitored mailbox and by attaching the original email. The script is only able to extract the URLs, IP addresses and hashes found in that email, but we were unable to extract the recipient and the suspicious sender who sent this email to the end user.

    If we attach the original email as an attachment, the script won't parse the values and add them as artifacts to that particular case. We need to know the best possible way to send the email to the monitored mailbox so that we can validate it by replicating the same steps that are recommended for the parsing script.

    Moreover, if someone can tell us whether the script will be updated in the next release of CP4S, please do let us know.

    I have attached both the scripts which we used during the testing and deployment phase.


    ------------------------------
    Usman Ahmed
    ------------------------------

    Attachment(s): Tariq Script.txt (28 KB, 1 version)


  • 2.  RE: Email Parsing Script Modification - Email Sender and Recipient address addition as Artifact

    Posted Thu December 16, 2021 07:10 AM

    Hello!

    I note that in the "Tariq Script.txt" the problem is on line 534:

    newReporterInfo = "{0} <{1}> <{2}>".format(emailmessage.from.name, emailmessage.from.address, emailmessage.to.address)

    should be

    newReporterInfo = "{0} <{1}> <{2}>".format(emailmessage.from.name, emailmessage.from.address, emailmessage.to[0].address)

    This is because emailmessage.to is a list of recipient objects.
    Does this help?
    -P.J.



    ------------------------------
    Patrick (PJ) McKenna
    Resilient Development
    ------------------------------