No, I mean the results of the function "Parse Utilities: Email Parse". If you have the code you shared, that means you have the parse utilities app and the playbook.
I don't know what the output name is in your case; for me it's email_parse, so in the script Email Parsing (Attachment) I'd add
incident.addNote(str(playbook.functions.results.email_parse))
------------------------------
Maria Czapkowska
------------------------------
Original Message:
Sent: Fri June 07, 2024 11:56 AM
From: ken ching
Subject: Parse Utilities Function for SOAR - Get Complete Header from .EML
Thanks for the response Maria.
By "all results" do you mean this?:
incident.addNote(str(email.get("received", [])))
------------------------------
ken ching
Original Message:
Sent: Fri June 07, 2024 01:46 AM
From: Maria Czapkowska
Subject: Parse Utilities Function for SOAR - Get Complete Header from .EML
If you add a note to the incident with all the results of "Parse Utilities: Email Parse" all the headers will be there.
------------------------------
Maria Czapkowska
Original Message:
Sent: Thu June 06, 2024 06:18 PM
From: ken ching
Subject: Parse Utilities Function for SOAR - Get Complete Header from .EML
Is it possible to pull the header from a .EML attachment using this app? An example playbook bundled with the App provides a way (snippet below) to grab IPs from the header but not the complete header.
Thank you Community!
Ken
################################################
# Add Artifacts for IPs found in Email Headers #
################################################
for eml_header in email.get("received", []):
    the_header = eml_header.get("from", None)
    if the_header:
        # Match IPv4 addresses in the "from" part of this Received hop
        ips = re.findall(r'(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)', the_header)
        unique_ips = set(ips)
        for an_ip in unique_ips:
            if an_ip:
                incident.addArtifact("IP Address", an_ip, u"Hop {0} at {1}\n\nHeader: {2}".format(eml_header.get("hop", ""), eml_header.get("date_utc", ""), the_header))
------------------------------
ken ching
------------------------------
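For comparison with the thread above, an added example (not from the app, its bundled playbook, or either poster) that pulls the complete header block out of raw .EML bytes with Python's standard `email` module and reuses the snippet's IPv4 pattern on the Received hops. The function names and the sample message are constructed for illustration; inside a SOAR script the resulting text would be what gets passed to `incident.addNote`.

```python
import re
from email import message_from_bytes
from email.policy import default

# Same IPv4 pattern as the bundled playbook snippet quoted in the thread.
IPV4 = re.compile(r'(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}'
                  r'(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)')

def full_headers(eml_bytes):
    """Every header as (name, value), in message order, repeats included."""
    msg = message_from_bytes(eml_bytes, policy=default)
    # Collapse folded continuation lines so each header is one line of text.
    return [(name, " ".join(str(value).split())) for name, value in msg.items()]

def received_ips(headers):
    """Unique IPv4 addresses from all Received headers, in first-seen order."""
    seen = []
    for name, value in headers:
        if name.lower() != "received":
            continue
        for ip in IPV4.findall(value):
            if ip not in seen:
                seen.append(ip)
    return seen

def header_note(headers):
    """Render the complete header block as plain text for an incident note."""
    return "\n".join("{0}: {1}".format(n, v) for n, v in headers)

# Constructed sample message (documentation address ranges and domains).
SAMPLE_EML = (
    b"Received: from mail.example.net (mail.example.net [203.0.113.7])\r\n"
    b"\tby mx.example.org with ESMTP id abc123;\r\n"
    b"\tFri, 07 Jun 2024 09:00:02 +0000\r\n"
    b"Received: from [198.51.100.23] (helo=client.example.net)\r\n"
    b"\tby mail.example.net with ESMTPSA; Fri, 07 Jun 2024 09:00:01 +0000\r\n"
    b"From: Alice <alice@example.net>\r\n"
    b"To: Bob <bob@example.org>\r\n"
    b"Subject: Quarterly report\r\n"
    b"Message-ID: <constructed-1@example.net>\r\n"
    b"\r\n"
    b"Body text.\r\n"
)

if __name__ == "__main__":
    hdrs = full_headers(SAMPLE_EML)
    print(header_note(hdrs))
    print(received_ips(hdrs))
```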