IBM Support

Example scripts for email in v32+

How To


Summary

Example scripts for email in v32+

Steps

To write an email script, you can refer to the syntax on IBM Knowledge Center.

There is a generic email processing script provided on IBM App Exchange here.

Below are some sample email scripts that can be used with v32. We do not provide support for these scripts; they are for example purposes only.

PayPal_Phishing.py - this takes information from the email, adds it to the incident as artifacts, and adds the email headers as a note

import re

# Matches a single angle-bracketed http:// link anywhere in the body
link_regex = re.compile(r".*\<(http://[^>]+)\>.*", re.IGNORECASE | re.DOTALL)

# (1) == Incident association ==
# (see if there's an existing incident or if we need to create one)
query_builder.contains(fields.incident.name, "PayPal")
query_builder.contains(fields.incident.name, "Phishing")
query = query_builder.build()

incidents = helper.findIncidents(query)

if len(incidents) > 0:
    # existing campaign incident found: attach this email to it
    emailmessage.associateWithIncident(incidents[0])
else:
    # no campaign incident yet: create one owned by the given user
    emailmessage.createAssociatedIncident("PayPal Phishing Campaign", "tony@stark.net")
    incident.incident_type_ids = "Phishing"

# (2) == Create relevant email artifacts ==
for recipient in emailmessage.to:
    incident.addArtifact("Email Recipient", recipient.address, "")  # TO

for recipient in emailmessage.cc:
    incident.addArtifact("Email Recipient", recipient.address, "")  # CC

incident.addArtifact("Email Sender", emailmessage.from.address, "")  # SENDER
incident.addArtifact("Email Sender Name", emailmessage.from.name, "")  # SENDER NAME
incident.addArtifact("Email Subject", emailmessage.subject, "")  # SUBJECT
incident.addArtifact("Email Body", emailmessage.body.content, "")  # BODY

# (3) == Parse body for links ==
for url in re.findall(link_regex, emailmessage.body.content):
    incident.addArtifact("URL", url, "")  # BODY

# (4) == Add header details as note ==
headers = ""
for header in emailmessage.headers:
    headers += "\n'" + header + "': " + str(emailmessage.headers[header])
incident.addNote("=== EMAIL HEADERS ===" + headers)
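The link-parsing and header-note steps of the script above can be exercised offline, without the Resilient `emailmessage`, `incident` or `helper` objects. The following is an added example, not code from the page or from IBM: it runs the page's `link_regex` over a constructed body with two bracketed links and shows that, because of the greedy leading `.*` and the literal `http://`, `re.findall` yields only a single http link; a tighter pattern (an assumption of this example, not the page's) returns every `<http(s)://...>` link. `build_headers_note` reproduces the string the script passes to `incident.addNote`.

```python
import re

# The pattern used by the PayPal_Phishing.py script on this page.
PAGE_LINK_REGEX = re.compile(r".*\<(http://[^>]+)\>.*", re.IGNORECASE | re.DOTALL)

# Tighter alternative (this example's assumption, not from the page): no greedy
# leading/trailing ".*", so every bracketed link is captured, and https is included.
ALL_LINKS_REGEX = re.compile(r"<(https?://[^>\s]+)>", re.IGNORECASE)


def extract_links_page_regex(body):
    """Return the URL(s) the page's regex yields for an email body."""
    return re.findall(PAGE_LINK_REGEX, body)


def extract_all_links(body):
    """Return every <http(s)://...> link in the body, in order of appearance."""
    return ALL_LINKS_REGEX.findall(body)


def build_headers_note(headers):
    """Render headers exactly as the script does before calling incident.addNote()."""
    text = ""
    for name in headers:
        text += "\n'" + name + "': " + str(headers[name])
    return "=== EMAIL HEADERS ===" + text


# Constructed sample body with two bracketed links, as a mail client might render
# a plain-text part; not a real message, and the domains are placeholders.
SAMPLE_BODY = (
    "Your account has been limited.\n"
    "Verify here: <http://paypa1-verify.example/login>\n"
    "or here: <https://secure-paypal.example/confirm>\n"
    "Thanks, PayPal Team"
)

# Constructed header dictionary standing in for emailmessage.headers.
SAMPLE_HEADERS = {
    "From": "service@paypal.example",
    "Return-Path": "bounce@paypa1-verify.example",
    "Subject": "Your PayPal account has been limited",
}

if __name__ == "__main__":
    print("page regex :", extract_links_page_regex(SAMPLE_BODY))
    print("all links  :", extract_all_links(SAMPLE_BODY))
    print(build_headers_note(SAMPLE_HEADERS))
```

On the sample body the page's regex returns only the http link; the https link is never recorded as a URL artifact. If you keep the page's pattern, check your phishing incidents for bodies that carry more than one link.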

Upload_Email_Attachments_to_Incident.py - this adds the email's attachments to the incident (excluding inline attachments)

if bool(incident):  # there's an associated incident ...
    for attachment in emailmessage.attachments:
        if not attachment.inline:
            incident.addEmailAttachment(attachment.id)
            incident.addArtifact("Email Attachment Name", attachment.suggested_filename, "")

If you would like to add the email's inline attachments to the incident's attachments as well, comment out the "if not attachment.inline:" line, as shown below:

if bool(incident):  # there's an associated incident ...
    for attachment in emailmessage.attachments:
        # if not attachment.inline:
        incident.addEmailAttachment(attachment.id)
        incident.addArtifact("Email Attachment Name", attachment.suggested_filename, "")

Finally, the following quickly shows an example of what each element in the emailmessage.attachments array provides.

if len(emailmessage.attachments) > 0:
    log.info(str(emailmessage.attachments[0]))

Tests

This is a "catch all" script that is run if no other rules match first. It looks for incidents whose name matches the subject of the email. If there is a match, the email is associated with the matching incident. If there is no match, a new incident is created with the email subject as its name.

import re

# Matches a single angle-bracketed http:// link anywhere in the body
link_regex = re.compile(r".*\<(http://[^>]+)\>.*", re.IGNORECASE | re.DOTALL)

emailid = str(emailmessage.id)
sentfrom = str(emailmessage.from.address)

# Attempt to look up an existing incident
# emailsubject = emailmessage.subject
query_builder.contains(fields.incident.name, emailmessage.subject)
query = query_builder.build()

incidents = helper.findIncidents(query)

if len(incidents) > 0:
    # found it! associate the email message with that
    emailmessage.associateWithIncident(incidents[0])
    # add a note stating that an email was associated with the incident
    incident.addNote(helper.createPlainText("Email with ID " + emailid + " sent from " + sentfrom + " was associated with this incident because the email subject matched the incident name"))
    # Create relevant email artifacts
    for recipient in emailmessage.cc:
        incident.addArtifact("Email Recipient", recipient.address, "")  # CC
    incident.addArtifact("Email Sender", emailmessage.from.address, "")  # SENDER
    # incident.addArtifact("Email Sender Name", emailmessage.from.name, "")  # SENDER NAME
    incident.addArtifact("Email Subject", emailmessage.subject, "")  # SUBJECT
    incident.addArtifact("Email Body", emailmessage.body.content, "")  # BODY
    for recipient in emailmessage.to:
        incident.addArtifact("Email Recipient", recipient.address, "")  # TO
    # Parse body for links
    for url in re.findall(link_regex, emailmessage.body.content):
        incident.addArtifact("URL", url, "")  # BODY
    # Add header details as note
    headers = ""
    for header in emailmessage.headers:
        headers += "\n'" + header + "': " + str(emailmessage.headers[header])
    incident.addNote("=== EMAIL HEADERS ===" + headers)
    # Get attachments and add to the incident and add attachment name as an artifact
    for attachment in emailmessage.attachments:
        if not attachment.inline:
            incident.addEmailAttachment(attachment.id)
            incident.addArtifact("Email Attachment Name", attachment.suggested_filename, "")

else:
    # no match, so create a new incident (owned by the specified user)
    emailmessage.createAssociatedIncident(str(emailmessage.subject), "resilient.admin@example.com")
    incident.description = emailmessage.body.content
    incident.reporter = emailmessage.from.address
    # Create relevant email artifacts
    for recipient in emailmessage.to:
        incident.addArtifact("Email Recipient", recipient.address, "")  # TO
    for recipient in emailmessage.cc:
        incident.addArtifact("Email Recipient", recipient.address, "")  # CC
    incident.addArtifact("Email Sender", emailmessage.from.address, "")  # SENDER
    # incident.addArtifact("Email Sender Name", emailmessage.from.name, "")  # SENDER NAME
    incident.addArtifact("Email Subject", emailmessage.subject, "")  # SUBJECT
    incident.addArtifact("Email Body", emailmessage.body.content, "")  # BODY
    # Parse body for links
    for url in re.findall(link_regex, emailmessage.body.content):
        incident.addArtifact("URL", url, "")  # BODY
    # Add header details as note
    headers = ""
    for header in emailmessage.headers:
        headers += "\n'" + header + "': " + str(emailmessage.headers[header])
    incident.addNote("=== EMAIL HEADERS ===" + headers)
    # Get attachments and add to the incident and add attachment name as an artifact
    for attachment in emailmessage.attachments:
        if not attachment.inline:
            incident.addEmailAttachment(attachment.id)
            incident.addArtifact("Email Attachment Name", attachment.suggested_filename, "")
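The catch-all script above associates an email with an incident only when the incident name contains the email subject. A reply whose subject is "RE: Suspicious login alert" therefore does not match an incident named "Suspicious login alert" (the shorter name does not contain the longer subject), and the script creates a fresh incident for every reply or forward in the thread. The following is an added, stand-alone illustration, not code from the page or from IBM: it models the query's substring test over a constructed incident list, first with the raw subject and then after stripping reply/forward prefixes. The prefix list, the case-insensitive comparison and the empty-subject guard are this example's assumptions; the platform's own `contains` semantics are not specified on the page.

```python
import re

# Reply/forward prefixes commonly prepended by mail clients. This list is an
# assumption of this example; extend it for the locales you see.
_PREFIX_RE = re.compile(r"^\s*(?:(?:re|fw|fwd|aw|wg)\s*:\s*)+", re.IGNORECASE)


def normalize_subject(subject):
    """Strip leading Re:/Fwd: prefixes and collapse runs of whitespace."""
    stripped = _PREFIX_RE.sub("", subject or "")
    return " ".join(stripped.split())


def name_contains(incident_name, needle):
    """Model of the script's query: does the incident name contain the subject?
    Implemented as a case-insensitive substring test (an assumption of this example)."""
    return needle.lower() in incident_name.lower()


def find_matching_incident(subject, incidents, normalize=True):
    """Return the first incident whose name contains the (optionally normalized)
    subject, mirroring 'incidents[0]' in the catch-all script, or None."""
    needle = normalize_subject(subject) if normalize else (subject or "")
    if not needle:
        return None  # an empty needle would match every incident name
    for inc in incidents:
        if name_contains(inc["name"], needle):
            return inc
    return None


# Constructed incident list standing in for helper.findIncidents() results.
SAMPLE_INCIDENTS = [
    {"id": 2001, "name": "Suspicious login alert"},
    {"id": 2002, "name": "Invoice 4471 overdue"},
]

if __name__ == "__main__":
    for subj in ["Suspicious login alert",
                 "RE: Suspicious login alert",
                 "Fwd: Invoice 4471 overdue"]:
        raw = find_matching_incident(subj, SAMPLE_INCIDENTS, normalize=False)
        norm = find_matching_incident(subj, SAMPLE_INCIDENTS)
        print("%-30s raw=%s normalized=%s" % (
            subj, raw and raw["id"], norm and norm["id"]))
```

If you adopt subject normalization in the real script, apply it on both sides: pass the normalized subject to `query_builder.contains` and use the normalized subject as the name when calling `emailmessage.createAssociatedIncident`, so later replies land on the same incident.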

Document Location

Worldwide


Document Information

Modified date:
19 April 2021

UID

ibm11160122