This took me longer to realize than I wish to admit, but even though it's a .txt when downloaded, it's really an email file (.eml).
This was brought to the SOAR team a couple years ago as part of the idea to have emails be attached to incidents, but they chose not to deliver the .eml download portion because of concern regarding content (opening phishing emails). I thought this was a funny stance with the primary SOAR user base being security analysts. I would upvote another idea to have this re-looked at. Ref:
https://2e4ccba981d63ef83a875dad7396c9a0.ideas.aha.io/ideas/R-I-451
Does your phish reporting method not attach the raw phishing email to reports so you can see headers and such? I believe this is how most of us have it happening (email comes into the mailbox that has the phish attached as a .eml file, the .eml is added as an incident attachment, parsed, etc.).
------------------------------
Jared Fagel
Cyber Security Analyst
ALLETE Inc.
------------------------------
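As an added example (not from this thread or from the SOAR product), a small Python script showing why the downloaded .txt is still an .eml: it parses the bytes with the standard-library email module, confirms they carry message headers regardless of the file extension, and pulls the sender, subject and Received headers out of a phish attached to the report as message/rfc822, the layout described above. The sample report bytes are constructed.

```python
# Added example, not code from the thread or from the SOAR product.
from email import message_from_bytes, policy

# Constructed sample: a user report carrying the suspicious message as an
# attached .eml (message/rfc822). Addresses and IP are placeholders.
SAMPLE_REPORT = b"""\
From: reporter@example.test
To: phish-reports@example.test
Subject: FW: Suspicious invoice
Content-Type: multipart/mixed; boundary="BOUNDARY1"

--BOUNDARY1
Content-Type: text/plain

Please check this one.
--BOUNDARY1
Content-Type: message/rfc822
Content-Disposition: attachment; filename="phish.eml"

From: Accounts <billing@attacker.invalid>
To: victim@example.test
Subject: Invoice overdue
Received: from mail.attacker.invalid (203.0.113.7) by mx.example.test
Content-Type: text/plain

Open the attached invoice.
--BOUNDARY1--
"""


def looks_like_email(data: bytes) -> bool:
    """True if the bytes parse as an RFC 5322 message with the headers an
    .eml must carry, whatever extension the download was given."""
    msg = message_from_bytes(data, policy=policy.default)
    return msg.get("From") is not None and msg.get("Subject") is not None


def extract_reported_phish(data: bytes) -> list:
    """Return sender, subject and Received chain for every message/rfc822
    part attached to the report, i.e. the phish the user forwarded."""
    report = message_from_bytes(data, policy=policy.default)
    found = []
    for part in report.iter_attachments():
        if part.get_content_type() != "message/rfc822":
            continue
        inner = part.get_payload(0)  # the attached .eml, already parsed
        found.append({
            "filename": part.get_filename(),
            "sender": inner["From"].addresses[0].addr_spec,
            "subject": str(inner["Subject"]),
            "received": [str(h) for h in inner.get_all("Received", [])],
        })
    return found
```

Pointing looks_like_email at the bytes of a downloaded .txt is enough to tell whether renaming it to .eml will give you a message a mail client or parser can open.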
Original Message:
Sent: Wed October 06, 2021 11:46 AM
From: Tim Gray
Subject: Using EmailMessage object
I see now. I didn't have the permissions set for the user to download the emails.
Thanks!
I do wish it would download as an email file (eml or msg) rather than just a txt file, but I can live with this.
------------------------------
Tim Gray
Original Message:
Sent: Wed October 06, 2021 03:26 AM
From: Yohji Amano
Subject: Using EmailMessage object
Hello
Once an incident is created from an inbound email, the mail messages can be downloaded from the E-mail tab. (Apologies for the image being in Japanese.)
------------------------------
Yohji Amano
Original Message:
Sent: Tue October 05, 2021 12:42 PM
From: Tim Gray
Subject: Using EmailMessage object
Thank you Elizabeth.
Is there a way for the email widget to allow the user to view the email itself or possibly download it?
Just being able to see the email sender, subject, ... doesn't seem overly helpful to an analyst when researching phishing incidents.
------------------------------
Tim Gray
Original Message:
Sent: Tue October 05, 2021 09:29 AM
From: Elizabeth Hecht
Subject: Using EmailMessage object
Hi Tim,
Thank you for using the Community. The default out-of-the-box email parsing script adds the email message(s) directly to the incident using the following syntax:
# Associates the email message with the new incident.
emailmessage.associateWithIncident(incidents[0])
More information about the process is available here:
https://www.ibm.com/docs/en/rsoa-and-rp/37?topic=scripts-associating-email-messages-incidents
You simply need to add the email widget in order to see the email messages which have been associated with the incident:
https://www.ibm.com/docs/en/rsoa-and-rp/37?topic=email-lesson-5-adding-tab-layouts
------------------------------
Elizabeth Hecht
------------------------------