ParseEmailFiles

Parses an email from an eml or msg file and populates all relevant context data needed to investigate the email. It also extracts inner attachments and returns them to the War Room. The incident labels themselves are preserved and not modified; only the "Label/x" context items that originated from the labels are written, and the best practice is to rely on these for the remainder of the playbook.

Script Data


| Name | Description |
| --- | --- |
| Script Type | python2 |
| Tags | email, phishing, enhancement, file |

Inputs


| Argument Name | Description |
| --- | --- |
| entryid | The entry ID of the email file in "msg" or "eml" format. |
| parse_only_headers | Parses only the headers and returns a headers table. |
| max_depth | How many levels deep to parse attached emails, for example an email that contains an email that contains an email. The default depth level is 3. The minimum level is 1; if set to 1, the script parses only the first-level email. |

Outputs


| Path | Description | Type |
| --- | --- | --- |
| Email.To | To whom the message was addressed, but may not contain the recipient's address. | string |
| Email.CC | The email's 'cc' addresses. | string |
| Email.From | Who the message is from. This can be easily forged and is the least reliable field. | string |
| Email.Subject | The email's subject. | string |
| Email.HTML | The email's "html" body, if it exists. | string |
| Email.Text | The email's "text" body, if it exists. | string |
| Email.Depth | The depth of the email. The first-level email has Depth=0. If email1 contains email2, which contains email3, then email1's depth is 0, email2's depth is 1 and email3's depth is 2. | number |
| Email.Headers | Deprecated - use the Email.HeadersMap output instead. The full email headers as a single string. | string |
| Email.HeadersMap | The full email headers in JSON. | Unknown |
| Email.HeadersMap.From | Who the message is from. This can be easily forged and is the least reliable field. | Unknown |
| Email.HeadersMap.To | To whom the message was addressed, but may not contain the recipient's address. | Unknown |
| Email.HeadersMap.Subject | The email's subject. | String |
| Email.HeadersMap.Date | The date and time the email message was composed. | Unknown |
| Email.HeadersMap.CC | The email's 'cc' addresses. | Unknown |
| Email.HeadersMap.Reply-To | The email's address for return mail. | String |
| Email.HeadersMap.Received | A list of all the servers/computers through which the message traveled. | String |
| Email.HeadersMap.Message-ID | A unique string assigned by the mail system when the message is first created. These can easily be forged. For example, 5c530c1b.1c69fb81.bd826.0eff@mx.google.com | String |
| Email.AttachmentNames | The list of attachment names in the email. | string |
| Email.Format | The format of the email, if available. | string |
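To make the `max_depth` input and the `Email.Depth`, `Email.HeadersMap` and `Email.AttachmentNames` outputs concrete, here is an added example (not the ParseEmailFiles script itself, and written for Python 3 rather than python2) that parses a nested .eml with the standard library and produces one record per email level. The function names and the three-level sample message are constructed for this illustration.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser


def _parse_message(msg, max_depth, depth):
    headers = {}  # HeadersMap: repeated headers such as Received become a list
    for name, value in msg.items():
        prev = headers.get(name)
        headers[name] = str(value) if prev is None else (
            prev if isinstance(prev, list) else [prev]) + [str(value)]
    def hdr(n): return None if msg.get(n) is None else str(msg.get(n))
    text, html = msg.get_body(("plain",)), msg.get_body(("html",))
    rec = {"From": hdr("From"), "To": hdr("To"), "CC": hdr("CC"),
           "Subject": hdr("Subject"), "Depth": depth, "HeadersMap": headers,
           "Text": text.get_content() if text else None,
           "HTML": html.get_content() if html else None, "AttachmentNames": []}
    results = [rec]
    for part in msg.iter_attachments():  # does not descend into attached emails
        rec["AttachmentNames"].append(part.get_filename() or "attached.eml")
        # Recurse only while below max_depth: email1 -> Depth 0, email2 -> 1, email3 -> 2
        if part.get_content_type() == "message/rfc822" and depth + 1 < max_depth:
            results += _parse_message(part.get_payload(0), max_depth, depth + 1)
    return results


def parse_email_bytes(raw, max_depth=3):
    """Parse raw .eml bytes into Email.* records, outer email first (Depth 0)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return _parse_message(msg, max(1, max_depth), 0)  # minimum depth level is 1


def build_sample():
    """Constructed sample: email1 carries email2 as a .eml, which carries email3."""
    def mk(sender, subject, body):
        m = EmailMessage()
        m["From"], m["To"], m["Subject"] = sender, "analyst@example.com", subject
        m.set_content(body)
        return m
    email3 = mk("ceo@example.com", "Urgent wire", "Pay the invoice today.")
    email2 = mk("forwarder@example.com", "FW: Urgent wire", "See below.")
    email2.add_attachment(email3, filename="original.eml")
    email1 = mk("user@example.com", "Is this phishing?", "Please see attached.")
    email1["Message-ID"] = "<constructed-1@example.com>"
    email1["Received"] = "from mx1.example.net by mail.example.com with ESMTP id b1"
    email1["Received"] = "from client.example.org by mx1.example.net with ESMTP id a1"
    email1.add_attachment(email2, filename="suspicious.eml")
    email1.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                          subtype="pdf", filename="invoice.pdf")
    return email1.as_bytes()
```

Running `parse_email_bytes(build_sample())` yields three records with Depth 0, 1 and 2; passing `max_depth=1` stops after the outer email, matching the input's documented behaviour.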