Example script for email parsing
The Orchestration & Automation application contains a Python script called "Sample script: process inbound email (v32.2)".
The script can perform email parsing on email message objects, as follows:
- If an existing incident exists whose title reflects the email message received, the script associates the email message with that existing incident.
- If there is not an existing incident, the script performs the following:
  - Creates a new incident with a suitable title.
  - Associates the email message with the new incident.
  - Adds the email message's subject as an artifact to the new incident.
  - Sets the incident's reporter field to be the email address that sent the message.
  - Parses the email body text looking for URLs, IP addresses and file hashes. After filtering out invalid and whitelisted values, it adds the remaining data to the incident as artifacts.
  - Adds non-inline email message attachments to the incident.
To run the script, you must have a mailbox connection to retrieve email messages from an email server, and the rule that calls it must have Email Message as the Object Type.
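The body-parsing step described above (extract URLs, IP addresses and hashes, drop invalid and whitelisted values, add the rest as artifacts), shown as an added standalone example; this is not the product's sample script, and the allowlist, artifact type names and sample body text are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed allowlist for this example: exact values that must never become artifacts.
WHITELIST = {"example.com", "10.0.0.1"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)
HASH_TYPE = {32: "md5", 40: "sha1", 64: "sha256"}  # artifact type names are assumed


def extract_artifacts(body_text, whitelist=WHITELIST):
    """Return deduplicated (type, value) pairs from an email body, dropping values that
    are syntactically invalid or present on the allowlist."""
    found, seen = [], set()

    def add(kind, value):
        if (kind, value) not in seen:
            seen.add((kind, value))
            found.append((kind, value))

    for url in URL_RE.findall(body_text):
        url = url.rstrip(".,;:)")        # trailing prose punctuation is not part of the URL
        host = urlparse(url).hostname
        if host and host not in whitelist and url not in whitelist:
            add("url", url)

    for ip in IP_RE.findall(body_text):
        try:
            ipaddress.ip_address(ip)     # rejects octets above 255, e.g. 999.1.1.1
        except ValueError:
            continue
        if ip not in whitelist:
            add("ip", ip)

    for digest in HASH_RE.findall(body_text):
        digest = digest.lower()          # normalise case so duplicate hashes collapse
        if digest not in whitelist:
            add(HASH_TYPE[len(digest)], digest)

    return found


# Constructed sample body for this example.
SAMPLE_BODY = """Open http://evil.example.net/payload.exe or see https://example.com/help.
Beacon observed to 203.0.113.7 (not 999.1.1.1) relayed through 10.0.0.1.
Hash: D41D8CD98F00B204E9800998ECF8427E, again d41d8cd98f00b204e9800998ecf8427e."""

if __name__ == "__main__":
    for kind, value in extract_artifacts(SAMPLE_BODY):
        print(kind, value)
```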