IBM Security QRadar SOAR

Is it possible to pull the header from a .EML attachment using this app? An example playbook bundled with the App provides a way (snippit below) to grab IPs from the header but not the complete header.

Thank you Community!

Ken

################################################
  # Add Artifacts for IPs found in Email Headers #
  ################################################
  for eml_header in email.get("received", []):
    
    the_header = eml_header.get("from", None)
    
    if the_header:
      ips = re.findall('(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)', the_header)
      unique_ips = set(ips)
  
      for an_ip in unique_ips:
        if an_ip:
          incident.addArtifact("IP Address", an_ip, u"Hop {0} at {1}\n\nHeader: {2}".format(eml_header.get("hop", ""), eml_header.get("date_utc", ""), the_header))
          

If you add a note to the incident with all the results of "Parse Utilities: Email Parse" all the headers will be there.

Is it possible to pull the header from a .EML attachment using this app? An example playbook bundled with the App provides a way (snippit below) to grab IPs from the header but not the complete header.

Thank you Community!

Ken

################################################
  # Add Artifacts for IPs found in Email Headers #
  ################################################
  for eml_header in email.get("received", []):
    
    the_header = eml_header.get("from", None)
    
    if the_header:
      ips = re.findall('(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)', the_header)
      unique_ips = set(ips)
  
      for an_ip in unique_ips:
        if an_ip:
          incident.addArtifact("IP Address", an_ip, u"Hop {0} at {1}\n\nHeader: {2}".format(eml_header.get("hop", ""), eml_header.get("date_utc", ""), the_header))
          

Thanks for the response Maria.

By "all results" do you mean this?:

If you add a note to the incident with all the results of "Parse Utilities: Email Parse" all the headers will be there.

Is it possible to pull the header from a .EML attachment using this app? An example playbook bundled with the App provides a way (snippit below) to grab IPs from the header but not the complete header.

Thank you Community!

Ken

################################################
  # Add Artifacts for IPs found in Email Headers #
  ################################################
  for eml_header in email.get("received", []):
    
    the_header = eml_header.get("from", None)
    
    if the_header:
      ips = re.findall('(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)', the_header)
      unique_ips = set(ips)
  
      for an_ip in unique_ips:
        if an_ip:
          incident.addArtifact("IP Address", an_ip, u"Hop {0} at {1}\n\nHeader: {2}".format(eml_header.get("hop", ""), eml_header.get("date_utc", ""), the_header))