IBM Security QRadar SOAR

Our organization uses a script to automatically parse inbound emails into their associated tickets as notes. This can become problematic when an email comes in that has a large number of replies - the large email is added in it's entirety to the notes section, and over time these compound and inflate the ticket notes with lots of extraneous information.

My goal is to truncate everything but the "newest" part of an email when it is parsed into a note. My problem is determining where the most recent reply to an email chain ends, and the rest begins. In plaintext, I believe it's quite simple - look for lines beginning with '>'. In HTML, however, I feel like I'm sifting though a sea of div tags.

Does anyone have any experience with this?

Hello, is any IBM product involved here or is this a general question?

Apologies - the product in use here is Resilient.

Good question. Any approaches to achieve this?

Regards,

Ralph

The separator for outlook is usually <div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'> if that may be of help to you. Just be aware that, depending on your locale and the way that the HTML is parsed, the spacing may be different and "in" used instead of "cm".

The easiest way to work out what the separator is might be to send yourself an arbitrary email with just a couple of words in it and reply to it. Save it as HTML and examine it for the separator to reduce the number of lines you need to go through