Example script for email parsing

The Orchestration & Automation application contains a Python script called "Sample script: process inbound email (v32.2)".

The script can perform email parsing on email message objects, as follows:
  • If an incident already exists whose title reflects the email message received, the script associates the email message with that existing incident.
  • If there is not an existing incident, the script performs the following:
    • Creates a new incident with a suitable title.
    • Associates the email message with the new incident.
    • Adds the email message's subject as an artifact to the new incident.
    • Sets the incident's reporter field to be the email address that sent the message.
  • Parses the email body text looking for URLs, IP addresses and file hashes. After filtering out invalid and whitelisted values, it adds the remaining data to the incident as artifacts.
  • Adds non-inline email message attachments to the incident.
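
The following stand-alone Python sketch is added here to illustrate the flow described above; it is not the sample script itself and does not use the platform's scripting API. The EmailMessage, Attachment, Incident and IncidentStore classes are constructed stand-ins for the platform objects, and the incident title format, artifact type names, allowlist and sample email body are all assumptions made for this example. The part a practitioner most often adapts, the indicator extraction with its invalid-value and allowlist filtering, is shown in full.

```python
"""Illustrative inbound-email triage, modelled on the behaviour described above.
Stand-alone example; the platform objects and API are replaced by simple stand-ins."""
import ipaddress
import re
from dataclasses import dataclass, field


# --- Constructed stand-ins for the platform's email/incident objects (assumed shapes) ---
@dataclass
class Attachment:
    name: str
    inline: bool = False          # inline attachments (e.g. signature images) are skipped


@dataclass
class EmailMessage:
    subject: str
    sender: str
    body: str
    attachments: list = field(default_factory=list)


@dataclass
class Incident:
    id: int
    name: str
    reporter: str = ""
    artifacts: list = field(default_factory=list)   # (type, value, description)
    emails: list = field(default_factory=list)
    attachments: list = field(default_factory=list)


class IncidentStore:
    """Tiny in-memory stand-in for looking up / creating incidents by title."""
    def __init__(self):
        self.incidents = []

    def find_by_name(self, name):
        return next((i for i in self.incidents if i.name == name), None)

    def create(self, name):
        inc = Incident(id=len(self.incidents) + 1, name=name)
        self.incidents.append(inc)
        return inc


# --- Indicator extraction from the body text ---
URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{32}\b")
# Artifact type labels are assumed for this example.
HASH_TYPES = {32: "Malware MD5 Hash", 40: "Malware SHA-1 Hash", 64: "Malware SHA-256 Hash"}

# Assumed allowlist: hosts and networks that are never raised as artifacts.
WHITELIST_HOSTS = {"example.com", "www.example.com"}
WHITELIST_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]


def url_host(url):
    """Host part of a URL, without scheme, path or port (lower-cased)."""
    return re.sub(r"^https?://", "", url, flags=re.I).split("/", 1)[0].split(":")[0].lower()


def extract_indicators(text):
    """Return deduplicated (artifact_type, value) pairs after dropping invalid and allowlisted values."""
    found = []
    for m in URL_RE.finditer(text):
        url = m.group().rstrip(".,;)")                 # strip trailing punctuation from prose
        if url_host(url) not in WHITELIST_HOSTS:
            found.append(("URL", url))
    for m in IPV4_RE.finditer(text):
        try:
            addr = ipaddress.ip_address(m.group())
        except ValueError:
            continue                                   # e.g. 999.1.2.3 looks like an IP but is invalid
        if not any(addr in net for net in WHITELIST_NETS):
            found.append(("IP Address", str(addr)))
    for m in HASH_RE.finditer(text):
        found.append((HASH_TYPES[len(m.group())], m.group().lower()))
    return list(dict.fromkeys(found))                  # dedupe while keeping first-seen order


def process_inbound_email(msg, store):
    """Attach the message to the incident whose title matches it, creating one if needed."""
    title = "Inbound email: " + msg.subject            # assumed title format
    incident = store.find_by_name(title)
    if incident is None:
        incident = store.create(title)
        incident.reporter = msg.sender
        incident.artifacts.append(("Email Subject", msg.subject, "Subject of the reporting email"))
    incident.emails.append(msg)
    present = {(a[0], a[1]) for a in incident.artifacts}
    for art_type, value in extract_indicators(msg.body):
        if (art_type, value) not in present:
            incident.artifacts.append((art_type, value, "Extracted from email body"))
            present.add((art_type, value))
    incident.attachments.extend(a.name for a in msg.attachments if not a.inline)
    return incident


# Constructed sample body (not from a real message).
SAMPLE_BODY = """Hi team,
Please check http://malicious.example.net/login.php and https://www.example.com/ok.
The host 192.0.2.45 contacted 10.1.2.3 and 999.1.2.3 (typo).
SHA-256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
MD5: d41d8cd98f00b204e9800998ecf8427e
"""


def run_sample():
    """Process two messages with the same subject; the second lands on the first's incident."""
    store = IncidentStore()
    first = EmailMessage("Suspicious login page", "alice@example.com", SAMPLE_BODY,
                         [Attachment("logo.png", inline=True), Attachment("invoice.zip")])
    second = EmailMessage("Suspicious login page", "bob@example.com", "see 192.0.2.45")
    incident = process_inbound_email(first, store)
    process_inbound_email(second, store)
    return store, incident


if __name__ == "__main__":
    store, incident = run_sample()
    for art in incident.artifacts:
        print(art)
```

In the sample run, the allowlisted URL and the 10.0.0.0/8 address are dropped, the malformed 999.1.2.3 is rejected by `ipaddress`, and the second message with the same subject is associated with the existing incident without creating a duplicate or re-adding the IP artifact it repeats.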

To run the script, you must have a mailbox connection to retrieve email messages from an email server, and the rule that calls it must have Email Message as the Object Type.