IBM Security SOAR

Expand all | Collapse all

Unhandled error in "Generic Email Parsing Script" when "From" has no name field

  • 1.  Unhandled error in "Generic Email Parsing Script" when "From" has no name field

    Posted 12 days ago
    When processing an inbound email with Generic Email Parsing Script (https://exchange.xforce.ibmcloud.com/hub/extension/4ba70106b6f2dfa77cb1e3c921db7ff5), if the email doesn´t have a From name besides the sender email the script crashes with the error:
    11:09:56.956 [Camel (camel-1) thread #525 - JmsConsumer[email-service.save-email-data]] ERROR [] c.c.e.EmailMessageIngesterImpl - Rule 'Inbound email processing' is unable to update the Email Message 'emailmessage-1163' because: AttributeError: Invalid field name: name   line 499, in addBasicInfoToIncident
    com.co3.domain.exceptions.Co3IllegalStateException: Rule 'Inbound email processing' is unable to update the Email Message 'emailmessage-1163' because: AttributeError: Invalid field name: name
    com.ibm.resilient.common.domain.exceptions.Co3IllegalArgumentException: Script execution failed with message 'AttributeError: Invalid field name: name​


    Important: I got this behavior when running the script on Python3 only.

    For instance:
    • If sender has a name, there is no problem:
    ...
    From: John Doe <johndoe@company.com>
    To: IBM Resilient <resilient@company.com>
    Subject: A subject
    ...

    • If sender has no name, it crashes in the function "addBasicInfoToIncident":
    ...
    From: <x1234@company.com>
    Subject: A subject
    To: <resilient@company.com>
    ...


    Apparently, under Python3 it is not enough checking if attribute emailmessage.from.name is not None, in the "addBasicInfoToIncident" function from the email parsing script:
      def addBasicInfoToIncident(self):
        """A method to perform basic information extraction from the email message.
        The email message sender address, including personal name if present, is set as the reporter field
        in the incident. An artifact is created from the email message subject with the type "Email Subject".
        No return value.
        """
        newReporterInfo = emailmessage.from.address
        if emailmessage.from.name is not None:
          newReporterInfo = u"{0} <{1}>".format(emailmessage.from.name, emailmessage.from.address)
          log.info(u"Adding reporter field \"{0}\"".format(newReporterInfo))
          incident.reporter = newReporterInfo
    
          if emailmessage.subject is not None:
            self.addUniqueArtifact(u"{0}".format(emailmessage.subject), "Email Subject", "")​

    As a workaround, I added a try/except block:

     def addBasicInfoToIncident(self):
       
        newReporterInfo = emailmessage.from.address
        try:
          if emailmessage.from.name is not None:
            newReporterInfo = u"{0} <{1}>".format(emailmessage.from.name, emailmessage.from.address)
            log.info(u"Adding reporter field \"{0}\"".format(newReporterInfo))
            incident.reporter = newReporterInfo
      
            if emailmessage.subject is not None:
              self.addUniqueArtifact(u"{0}".format(emailmessage.subject), "Email Subject", "Suspicious email subject")
        except:
          log.error(u"Error getting emailmessage.from.name")
          pass​


    Regards, 
    Guido.














    ------------------------------
    Guido Bernat
    ------------------------------


  • 2.  RE: Unhandled error in "Generic Email Parsing Script" when "From" has no name field

    Posted 9 days ago
    Hi Guido,

    Thank you for posting this issue and workaround. I think what may be useful for your workaround is to use hasattr() https://www.programiz.com/python-programming/methods/built-in/hasattr to check if name exists before trying to access it, that way you wont need to try/except.
    if hasattr(emailmessage.from, 'name'):

    There are also some changes to the 'from' keyword in python 3 in v40 we needed to make in order to avoid a clash with the from keyword in python 3. You can find some details here https://www.ibm.com/docs/en/rsoa-and-rp/40?topic=scripts-python-2-python-3-differences it is being replaced by 'sender'. This will impact you when upgrading to v40.

    I will do some investigation into the issue you see with from.name being empty and see if we can fix that in an upcoming release.

    Thanks again,

    ------------------------------
    Sean Mc Cann
    ------------------------------



  • 3.  RE: Unhandled error in "Generic Email Parsing Script" when "From" has no name field

    Posted 8 days ago
    Hi Sean,
    I will replace try/except with hasttr. I agree it is more intention revealing.

    And thank you for the timely warning about from/sender, we're updating to v40 soon!


    Thanks!



    ------------------------------
    Guido Bernat
    ------------------------------



  • 4.  RE: Unhandled error in "Generic Email Parsing Script" when "From" has no name field

    Posted 8 days ago
    Guido,

    Also forgot to mention, we have a Python 3 version of the built in email script that we have adapted to work in Python 3. It uses 'sender' so maybe you'll adopt this one when moving to v40. You can find it in our resilient scripting github repo along with some other scripting examples. We will be updating this script soon to handle the sender name being missing.

    Thanks,

    ------------------------------
    Sean Mc Cann
    ------------------------------



  • 5.  RE: Unhandled error in "Generic Email Parsing Script" when "From" has no name field

    Posted 8 days ago
    Thank you for your post and workaround. We've queued up work to resolve this situation in the next release.

    ------------------------------
    Mark Scherfling
    ------------------------------



  • 6.  RE: Unhandled error in "Generic Email Parsing Script" when "From" has no name field

    Posted 7 days ago
    Thank you both for your quick and helpful responses!

    Best regards,

    ------------------------------
    Guido Bernat
    ------------------------------