From c3683faf74c688f35f2d1aa56e63047cff2b35cd Mon Sep 17 00:00:00 2001 From: JonathanMeler Date: Tue, 21 Aug 2018 16:51:20 +0300 Subject: [PATCH] Get Original Email - Generic (#1990) * Get Original Email - Generic Supports: * EWS (Get Original Email - EWS) * Gmail (Get Original Email - Gmail) Tests: * Get Original Message - EWS - Test * Get Original Message - Gmail - Test * temp script fix * missing field * Fix version issue * fixes jask test --- .../playbook-Get_Original_Email_-_EWS.yml | 510 ++++++++++++++ .../playbook-Get_Original_Email_-_Generic.yml | 152 ++++ .../playbook-Get_Original_Email_-_Gmail.yml | 597 ++++++++++++++++ .../playbook-Process_Email_-_Generic.yml | 230 ++++-- .../playbook-Process_Email_-_Generic_3_6.yml | 654 ++++++++++++++++++ ...aybook-Get_Original_Email_-_EWS_-_Test.yml | 129 ++++ ...book-Get_Original_Email_-_Gmail_-_Test.yml | 125 ++++ TestPlaybooks/playbook-Jask_Test.yml | 2 +- Tests/conf.json | 8 + content_creator.py | 6 +- 10 files changed, 2354 insertions(+), 59 deletions(-) create mode 100644 Playbooks/playbook-Get_Original_Email_-_EWS.yml create mode 100644 Playbooks/playbook-Get_Original_Email_-_Generic.yml create mode 100644 Playbooks/playbook-Get_Original_Email_-_Gmail.yml create mode 100644 Playbooks/playbook-Process_Email_-_Generic_3_6.yml create mode 100644 TestPlaybooks/playbook-Get_Original_Email_-_EWS_-_Test.yml create mode 100644 TestPlaybooks/playbook-Get_Original_Email_-_Gmail_-_Test.yml diff --git a/Playbooks/playbook-Get_Original_Email_-_EWS.yml b/Playbooks/playbook-Get_Original_Email_-_EWS.yml new file mode 100644 index 000000000000..39e3f6eb7d6b --- /dev/null +++ b/Playbooks/playbook-Get_Original_Email_-_EWS.yml 
@@ -0,0 +1,510 @@ +id: get_original_email_-_ews +version: -1 +name: Get Original Email - EWS +fromversion: 4.0 +description: |- + Use this playbook to retrieve the original email in the thread, including headers and attahcments, when the reporting user forwarded the original email not as an attachment. + + You must have the necessary permissions in the EWS integration to execute global search: eDiscovery +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: 5607d1c6-85b0-4181-8b10-bb3a5b113c6f + type: start + task: + id: 5607d1c6-85b0-4181-8b10-bb3a5b113c6f + version: -1 + name: "" + description: "" + iscommand: false + brand: "" + nexttasks: + '#none#': + - "1" + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 50 + } + } + note: false + "1": + id: "1" + taskid: 03f2c080-1995-42fc-82ce-16d474fb5438 + type: condition + task: + id: 03f2c080-1995-42fc-82ce-16d474fb5438 + version: -1 + name: Is EWS v2 enabled? + description: | + Verifies that there is an active instance of the EWS v2 integration enabled. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "yes": + - "3" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + complex: + root: modules + filters: + - - operator: isEqualString + left: + value: + simple: modules.brand + iscontext: true + right: + value: + simple: EWS v2 + ignorecase: true + - - operator: isEqualString + left: + value: + simple: modules.state + iscontext: true + right: + value: + simple: active + ignorecase: true + accessor: brand + iscontext: true + view: |- + { + "position": { + "x": 50, + "y": 195 + } + } + note: false + "2": + id: "2" + taskid: d2eca123-db35-4b27-88d8-a8b77ffd6784 + type: title + task: + id: d2eca123-db35-4b27-88d8-a8b77ffd6784 + version: -1 + name: Done + description: "" + type: title + iscommand: false + brand: "" + separatecontext: false + view: |- + { + "position": { + "x": -54, + "y": 1744 + } + } + note: false + "3": + id: "3" + taskid: b2617aaf-5e54-43f5-89fe-82fc78cd099b + type: condition + task: + id: b2617aaf-5e54-43f5-89fe-82fc78cd099b + version: -1 + name: Verify required inputs + description: Verify that the required input values for retrieving the original + email exists. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "yes": + - "4" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + complex: + root: inputs.InReplyTo + iscontext: true + - - operator: isExists + left: + value: + complex: + root: inputs.ThreadTopic + iscontext: true + - - operator: isExists + left: + value: + complex: + root: inputs.Mailbox + iscontext: true + view: |- + { + "position": { + "x": 162.5, + "y": 370 + } + } + note: false + "4": + id: "4" + taskid: f3c1bfda-b3c0-4c7c-8fce-fb180ff6fd07 + type: regular + task: + id: f3c1bfda-b3c0-4c7c-8fce-fb180ff6fd07 + version: -1 + name: Search for messages by Thread-Topic + description: Retrieve all messages found in the thread of the forwarded email. + script: EWS v2|||ews-search-mailbox + type: regular + iscommand: true + brand: EWS v2 + nexttasks: + '#none#': + - "6" + scriptarguments: + folder-path: {} + limit: {} + query: + simple: subject:"${inputs.ThreadTopic}" + target-mailbox: + complex: + root: inputs.Mailbox + separatecontext: false + view: |- + { + "position": { + "x": 357.5, + "y": 545 + } + } + note: false + "5": + id: "5" + taskid: 25f6439f-778f-45a5-841a-53efe77d590c + type: condition + task: + id: 25f6439f-778f-45a5-841a-53efe77d590c + version: -1 + name: Was a matching email found? + description: Verify that an email object with a Message-Id that matches the + InReplayTo ID of the forwarded email was found. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "yes": + - "7" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + complex: + root: EWSItem + filters: + - - operator: isEqualString + left: + value: + simple: EWSItem.messageId + iscontext: true + right: + value: + simple: inputs.InReplyTo + iscontext: true + accessor: messageId + iscontext: true + view: |- + { + "position": { + "x": 357.5, + "y": 1070 + } + } + note: false + "6": + id: "6" + taskid: c729f95f-bc75-477e-8000-14c99346873d + type: regular + task: + id: c729f95f-bc75-477e-8000-14c99346873d + version: -1 + name: Set context + description: Set email object to context. + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "8" + scriptarguments: + append: {} + key: + simple: EWSItem + value: + complex: + root: EWS + accessor: Items + separatecontext: false + view: |- + { + "position": { + "x": 357.5, + "y": 720 + } + } + note: false + "7": + id: "7" + taskid: 6f28ff90-80ff-414e-819b-310a51183da4 + type: regular + task: + id: 6f28ff90-80ff-414e-819b-310a51183da4 + version: -1 + name: Get original email + description: Get the original email from the EWS server. 
+ script: EWS v2|||ews-get-items + type: regular + iscommand: true + brand: EWS v2 + nexttasks: + '#none#': + - "10" + scriptarguments: + item-ids: + complex: + root: EWSItem + filters: + - - operator: isEqualString + left: + value: + simple: EWSItem.messageId + iscontext: true + right: + value: + simple: inputs.InReplyTo + iscontext: true + accessor: itemId + target-mailbox: + complex: + root: inputs.mailbox + separatecontext: false + view: |- + { + "position": { + "x": 592.5, + "y": 1245 + } + } + note: false + "8": + id: "8" + taskid: 8764cbb0-dd56-4095-8df2-e77035713e2e + type: regular + task: + id: 8764cbb0-dd56-4095-8df2-e77035713e2e + version: -1 + name: Delete old context + description: Delete the email objects from context. + scriptName: DeleteContext + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "5" + scriptarguments: + all: {} + key: + simple: EWS + keysToKeep: {} + subplaybook: + simple: "yes" + separatecontext: false + view: |- + { + "position": { + "x": 357.5, + "y": 895 + } + } + note: false + "9": + id: "9" + taskid: fab3c34b-010a-4203-830a-7dbf0dde26e5 + type: regular + task: + id: fab3c34b-010a-4203-830a-7dbf0dde26e5 + version: -1 + name: Set output + description: Set the playbook outputs to context. + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "2" + scriptarguments: + append: {} + key: + simple: Email + value: + simple: '${EWS.Items={Subject: val[''subject''], To: val[''toRecipients''], + 
From: val[''sender''], Text: val[''textBody''],HTML: val[''body''], Headers: + val[''headers'']}}' + separatecontext: false + view: |- + { + "position": { + "x": 827.5, + "y": 1595 + } + } + note: false + "10": + id: "10" + taskid: 75ab61a9-a6cf-4d74-842f-67436507b8f4 + type: condition + task: + id: 75ab61a9-a6cf-4d74-842f-67436507b8f4 + version: -1 + name: Was the original email found? + description: Verifies that the original email is in context. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "yes": + - "11" + - "9" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + complex: + root: EWS + accessor: Items.itemId + iscontext: true + view: |- + { + "position": { + "x": 592.5, + "y": 1420 + } + } + note: false + "11": + id: "11" + taskid: 427d5e37-2e56-4522-8e69-caabe8fd70d9 + type: regular + task: + id: 427d5e37-2e56-4522-8e69-caabe8fd70d9 + version: -1 + name: Get attachments of the original email + description: Retrieve the attachments of the original email from EWS, including + file attachments and item attachments (other email, calendar item, etc.). + script: EWS v2|||ews-get-attachment + type: regular + iscommand: true + brand: EWS v2 + nexttasks: + '#none#': + - "2" + scriptarguments: + attachment-ids: {} + item-id: + complex: + root: EWS + accessor: Items.itemId + target-mailbox: + complex: + root: inputs.Mailbox + separatecontext: false + view: |- + { + "position": { + "x": 397.5, + "y": 1595 + } + } + note: false +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 1759, + "width": 1261.5, + "x": -54, + "y": 50 + } + } + } +inputs: +- key: Mailbox + value: + complex: + root: incident + accessor: labels.Email + required: false + description: Email address of the reporting user. 
+- key: InReplyTo + value: + complex: + root: incident + accessor: labels.Email/Header/In-Reply-To + required: false + description: The InReplyTo header in the forwarded email. +- key: ThreadTopic + value: + complex: + root: incident + accessor: labels.Email/Header/Thread-Topic + required: false + description: The ThreadTopic header in the forwarded email. +outputs: +- contextPath: Email + description: The email object + type: unknown +- contextPath: Email.To + description: The recipient of the email + type: string +- contextPath: Email.From + description: The sender of the email + type: string +- contextPath: Email.HTML + description: The email HTML + type: string +- contextPath: Email.Body + description: The email text body + type: string +- contextPath: Email.Headers + description: The email headers + type: unknown +- contextPath: Email.Subject + description: The email subject + type: string +- contextPath: File + description: Original attachments + type: unknown diff --git a/Playbooks/playbook-Get_Original_Email_-_Generic.yml b/Playbooks/playbook-Get_Original_Email_-_Generic.yml new file mode 100644 index 000000000000..fc90ca01dc91 --- /dev/null +++ b/Playbooks/playbook-Get_Original_Email_-_Generic.yml 
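Review bot: Task "7" (`ews-get-items`) reads the target mailbox from `inputs.mailbox`, while the declared input key and tasks "4" and "11" use `inputs.Mailbox`; if context paths are case-sensitive the argument resolves empty and the fetch presumably runs against whatever mailbox the integration instance defaults to, so it should be `root: inputs.Mailbox`. Task "4" interpolates the reported message's Thread-Topic header directly into the search query `subject:"${inputs.ThreadTopic}"`; that header is written by whoever sent the reported email, so a value containing a double quote changes the shape of the eDiscovery query — strip or escape `"` with a transformer on the ThreadTopic input before it reaches the query. Task "9" writes the text body as `Text:` yet the outputs declare `Email.Body`; either the Set should write `Body` or the output should read `- contextPath: Email.Text` (the Process Email - Generic consumer in this patch reads `Email.Text`), and the same mismatch exists in the Generic and Gmail playbooks. Minor: "attahcments" in the description and "InReplayTo" in task "5"'s description are typos.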
@@ -0,0 +1,152 @@ +id: get_original_email_-_generic +version: -1 +name: Get Original Email - Generic +fromversion: 4.0 +description: |- + Use this playbook to retrieve the original email in the thread, including headers and attahcments, when the reporting user forwarded the original email not as an attachment. + + You must have the necessary permissions in your email service to execute global search. + + - EWS: eDiscovery + - Gmail: Google Apps Domain-Wide Delegation of Authority +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: d7920fee-8ada-4d48-8197-2e08d19a54dc + type: start + task: + id: d7920fee-8ada-4d48-8197-2e08d19a54dc + version: -1 + name: "" + description: "" + iscommand: false + brand: "" + nexttasks: + '#none#': + - "5" + - "6" + separatecontext: false + view: |- + { + "position": { + "x": 265, + "y": 50 + } + } + note: false + "3": + id: "3" + taskid: b52aade3-aa90-4343-8417-d4aa26803d62 + type: title + task: + id: b52aade3-aa90-4343-8417-d4aa26803d62 + version: -1 + name: Done + description: "" + type: title + iscommand: false + brand: "" + separatecontext: false + view: |- + { + "position": { + "x": 265, + "y": 370 + } + } + note: false + "5": + id: "5" + taskid: 15614485-18d3-4fdb-8ef1-ef2e2f1e503b + type: playbook + task: + id: 15614485-18d3-4fdb-8ef1-ef2e2f1e503b + version: -1 + name: Get Original Message - EWS + description: "" + playbookName: Get Original Email - EWS + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "3" + separatecontext: true + view: |- + { + "position": { + "x": 50, + "y": 195 + } + } + note: false + "6": + id: "6" + taskid: eaebbf2e-aa04-4581-8157-2f55adc08880 + type: playbook + task: + id: eaebbf2e-aa04-4581-8157-2f55adc08880 + version: -1 + name: Get Original Message - Gmail + description: "" + playbookName: Get Original Email - Gmail + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "3" + separatecontext: true + view: |- + { + "position": { + "x": 480, + "y": 195 + 
} + } + note: false +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 385, + "width": 810, + "x": 50, + "y": 50 + } + } + } +inputs: [] +outputs: +- contextPath: Email + description: The email object + type: unknown +- contextPath: File + description: Original attachments + type: unknown +- contextPath: Email.To + description: The recipient of the email + type: string +- contextPath: Email.From + description: The sender of the email + type: string +- contextPath: Email.CC + description: The CC address of the email + type: string +- contextPath: Email.BCC + description: The BCC address of the email + type: string +- contextPath: Email.HTML + description: The email HTML + type: string +- contextPath: Email.Body + description: The email text body + type: string +- contextPath: Email.Headers + description: The email headers + type: unknown +- contextPath: Email.Subject + description: The email subject + type: string diff --git a/Playbooks/playbook-Get_Original_Email_-_Gmail.yml b/Playbooks/playbook-Get_Original_Email_-_Gmail.yml new file mode 100644 index 000000000000..8efe7480e0e2 --- /dev/null +++ b/Playbooks/playbook-Get_Original_Email_-_Gmail.yml 
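Review bot: The start task fans out to both sub-playbooks ("5" and "6") in parallel, each with `separatecontext: true` and no input mapping; when both the EWS v2 and Gmail integrations are active both branches run and both presumably write `Email` and `File` back into the parent context, so either gate the branches on the incident's email source or document that the last branch to finish wins. `inputs: []` also means the mailbox, In-Reply-To and Thread-Topic values the sub-playbooks search with are read straight from incident fields rather than passed down, which is worth stating in the description so callers know they cannot override them. The outputs list `Email.Body`, but both sub-playbooks store the text body under `Email.Text`, so the entry should be `- contextPath: Email.Text`. "attahcments" in the description is a typo.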
@@ -0,0 +1,597 @@ +id: get_original_email_-_gmail +version: -1 +name: Get Original Email - Gmail +fromversion: 4.0 +description: | + Use this playbook to retrieve the original email in the thread, including headers and attahcments, when the reporting user forwarded the original email not as an attachment. + + You must have the necessary permissions in your Gmail service to execute global search: Google Apps Domain-Wide Delegation of Authority +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: d8403573-b211-4d44-885c-a365045c61a2 + type: start + task: + id: d8403573-b211-4d44-885c-a365045c61a2 + version: -1 + name: "" + description: "" + iscommand: false + brand: "" + nexttasks: + '#none#': + - "2" + separatecontext: false + view: |- + { + "position": { + "x": 152.5, + "y": 50 + } + } + note: false + "2": + id: "2" + taskid: 81842102-b7a7-4202-8319-54c4b8660756 + type: condition + task: + id: 81842102-b7a7-4202-8319-54c4b8660756 + version: -1 + name: Is Gmail enabled? + description: | + Verifies that there is an active instance of the Gmail integration enabled. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "3" + "yes": + - "4" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + complex: + root: modules + filters: + - - operator: isEqualString + left: + value: + simple: modules.brand + iscontext: true + right: + value: + simple: Gmail + ignorecase: true + - - operator: isEqualString + left: + value: + simple: modules.state + iscontext: true + right: + value: + simple: active + ignorecase: true + accessor: brand + iscontext: true + view: |- + { + "position": { + "x": 152.5, + "y": 195 + } + } + note: false + "3": + id: "3" + taskid: 185c00fb-4375-4607-8b99-7538c88315bc + type: title + task: + id: 185c00fb-4375-4607-8b99-7538c88315bc + version: -1 + name: Done + description: "" + type: title + iscommand: false + brand: "" + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 2120 + } + } + note: false + "4": + id: "4" + taskid: cc460fc4-1d86-464c-8853-e996eed85049 + type: regular + task: + id: cc460fc4-1d86-464c-8853-e996eed85049 + version: -1 + name: Retrieve the forwarded email from Gmail + description: Get the data and metadata of the forwarded email from the Gmail + service. + script: Gmail|||gmail-get-mail + type: regular + iscommand: true + brand: Gmail + nexttasks: + '#none#': + - "5" + scriptarguments: + format: {} + message-id: + complex: + root: inputs.EmailID + user-id: + complex: + root: inputs.User + user-key: + complex: + root: inputs.User + separatecontext: false + view: |- + { + "position": { + "x": 265, + "y": 370 + } + } + note: false + "5": + id: "5" + taskid: 18de5315-16b2-4d5c-8a81-2c50623ea89d + type: condition + task: + id: 18de5315-16b2-4d5c-8a81-2c50623ea89d + version: -1 + name: Was the original email retrieved? + description: Verify that there is a Gmail email object in the context. 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "3" + "yes": + - "7" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + complex: + root: Gmail + accessor: ID + iscontext: true + view: |- + { + "position": { + "x": 265, + "y": 545 + } + } + note: false + "6": + id: "6" + taskid: c09ebecb-9dc8-4e00-8fe4-0dbf0cd27d32 + type: condition + task: + id: c09ebecb-9dc8-4e00-8fe4-0dbf0cd27d32 + version: -1 + name: Was the forwarded email data retrieved? + description: Verify that the InReplyTo and Subject fields are in context. + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "3" + "yes": + - "8" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + complex: + root: GmailSubject + iscontext: true + - - operator: isExists + left: + value: + simple: InReplyTo + iscontext: true + view: |- + { + "position": { + "x": 377.5, + "y": 1244 + } + } + note: false + "7": + id: "7" + taskid: ea86d0cc-f9dc-4496-812c-bd3f5c52d08c + type: regular + task: + id: ea86d0cc-f9dc-4496-812c-bd3f5c52d08c + version: -1 + name: Set context + description: Set the InReplyTo field to context. + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "9" + scriptarguments: + append: {} + key: + simple: InReplyTo + value: + simple: ${Gmail.Headers(val.Name == "In-Reply-To").Value} + separatecontext: false + view: |- + { + "position": { + "x": 377.5, + "y": 720 + } + } + note: false + "8": + id: "8" + taskid: 13ee64a0-66aa-4265-8995-62cf1f44982c + type: regular + task: + id: 13ee64a0-66aa-4265-8995-62cf1f44982c + version: -1 + name: Search for original email + description: Search Gmail for the original email. 
+ script: Gmail|||gmail-search + type: regular + iscommand: true + brand: Gmail + nexttasks: + '#none#': + - "14" + scriptarguments: + after: {} + before: {} + fields: {} + filename: {} + from: {} + has-attachments: {} + in: {} + include-spam-trash: {} + labels-ids: {} + max-results: {} + page-token: {} + query: {} + subject: + complex: + root: GmailSubject + to: {} + user-id: + complex: + root: inputs.From + user-key: + complex: + root: inputs.From + separatecontext: false + view: |- + { + "position": { + "x": 490, + "y": 1420 + } + } + note: false + "9": + id: "9" + taskid: 4bf99d41-0f5c-4f08-8c98-785cb0e5503d + type: regular + task: + id: 4bf99d41-0f5c-4f08-8c98-785cb0e5503d + version: -1 + name: Set context + description: Set the Subject field to context stripped of all prefixes. + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "10" + scriptarguments: + append: {} + key: + simple: GmailSubject + value: + complex: + root: Gmail + accessor: Subject + transformers: + - operator: replaceMatch + args: + regex: + value: + simple: (?i)([\[\(] *)?(RE|FWD?) *([-:;)\]][ :;\])-]*|$)|\]+ *$ + replaceWith: {} + separatecontext: false + view: |- + { + "position": { + "x": 377.5, + "y": 895 + } + } + note: false + "10": + id: "10" + taskid: 4dbd3cc6-ae7c-4de5-89d2-b3e1b47acec5 + type: regular + task: + id: 4dbd3cc6-ae7c-4de5-89d2-b3e1b47acec5 + version: -1 + name: Delete old context + description: Delete the forwarded Gmail email object from context. 
+ scriptName: DeleteContext + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "6" + scriptarguments: + all: {} + key: + simple: Gmail + keysToKeep: {} + subplaybook: + simple: "yes" + separatecontext: false + view: |- + { + "position": { + "x": 377.5, + "y": 1070 + } + } + note: false + "12": + id: "12" + taskid: 7e75aef4-9998-407c-8ace-b342f3ef812f + type: regular + task: + id: 7e75aef4-9998-407c-8ace-b342f3ef812f + version: -1 + name: Set context + description: Set the original email to context. + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "13" + - "15" + scriptarguments: + append: {} + key: + simple: OriginalEmail + value: + simple: ${.=val.Gmail.filter(g => g.Headers.filter(h => h.Name === "Message-ID" + && h.Value == val.InReplyTo).length > 0)} + separatecontext: false + view: |- + { + "position": { + "x": 602.5, + "y": 1770 + } + } + note: false + "13": + id: "13" + taskid: 29868c31-fc31-4b25-8523-5a9c937af420 + type: regular + task: + id: 29868c31-fc31-4b25-8523-5a9c937af420 + version: -1 + name: Get attachments of the original email + description: Retrieve the attachments of the original email from Gmail. + script: Gmail|||gmail-get-attachments + type: regular + iscommand: true + brand: Gmail + nexttasks: + '#none#': + - "3" + scriptarguments: + message-id: + complex: + root: OriginalEmail + accessor: ID + user-id: + complex: + root: OriginalEmail + accessor: Mailbox + user-key: + complex: + root: OriginalEmail + accessor: Mailbox + separatecontext: false + view: |- + { + "position": { + "x": 387.5, + "y": 1945 + } + } + note: false + "14": + id: "14" + taskid: 0ce28338-abb6-4b8d-8155-3444a9df6ca9 + type: condition + task: + id: 0ce28338-abb6-4b8d-8155-3444a9df6ca9 + version: -1 + name: Was the original email retrieved? + description: Verify that the original email is in context (matched by the InReplyTo + ID). 
+ type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "3" + "yes": + - "12" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + simple: ${.=val.Gmail.filter(g => g.Headers.filter(h => h.Name === "Message-ID" + && h.Value == val.InReplyTo).length > 0)} + iscontext: false + view: |- + { + "position": { + "x": 490, + "y": 1595 + } + } + note: false + "15": + id: "15" + taskid: 7c1f40cb-1a0e-44dd-8d87-ff2fd67e572c + type: regular + task: + id: 7c1f40cb-1a0e-44dd-8d87-ff2fd67e572c + version: -1 + name: Set output + description: Set the playbook outputs to context. + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "3" + scriptarguments: + append: {} + key: + simple: Email + value: + simple: '${OriginalEmail={Subject: val[''Subject''], To: val[''To''], 
From: + val[''From''], Text: val[''Body''], HTML: val[''HTML''], Headers: val[''Headers''], + CC: val[''CC''], BCC: val[''BCC'']}}' + separatecontext: false + view: |- + { + "position": { + "x": 817.5, + "y": 1945 + } + } + note: false +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 2135, + "width": 1147.5, + "x": 50, + "y": 50 + } + } + } +inputs: +- key: EmailID + value: + complex: + root: incident + accessor: emailmessageid + required: false + description: Email ID of the forwarded message. +- key: User + value: + complex: + root: incident + accessor: emailto + transformers: + - operator: replaceMatch + args: + regex: + value: + simple: (?i).*<([A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,})> + replaceWith: + value: + simple: $1 + required: false + description: Email address of the reporting user. +- key: From + value: + complex: + root: incident + accessor: emailfrom + transformers: + - operator: replaceMatch + args: + regex: + value: + simple: (?i).*<([A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,})> + replaceWith: + value: + simple: $1 + required: false + description: Email address of the thread originator. +outputs: +- contextPath: Email + description: The email object + type: unknown +- contextPath: Email.To + description: The recipient of the email + type: string +- contextPath: Email.From + description: The sender of the email + type: string +- contextPath: Email.CC + description: The CC address of the email + type: string +- contextPath: Email.BCC + description: The BCC address of the email + type: string +- contextPath: Email.HTML + description: The email HTML + type: string +- contextPath: Email.Body + description: The email text body + type: string +- contextPath: Email.Headers + description: The email headers + type: string +- contextPath: Email.Subject + description: The email subject + type: string +- contextPath: File + description: Original attachments + type: unknown 
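Review bot: Task "8" (`gmail-search`) runs under `user-id: inputs.From`, the address parsed out of `incident.emailfrom` (the From header of the reported email), while task "4" fetches the forwarded message under `inputs.User`; since that header is set by the sender of the reported message, the playbook searches whichever domain mailbox the header names under domain-wide delegation, so the input description should state that the thread originator's mailbox (not the reporter's) is searched and the value should be checked against the organisation's domain before use. The Message-ID/In-Reply-To filter expression is duplicated verbatim in task "14"'s condition and task "12"'s Set; running the Set first and having the condition test `OriginalEmail` with `isExists` keeps it in one place. The outputs declare `Email.Headers` as `string` whereas the EWS playbook declares it `unknown`, and `Email.Body` is declared although task "15" writes the text body as `Text:`.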
diff --git a/Playbooks/playbook-Process_Email_-_Generic.yml b/Playbooks/playbook-Process_Email_-_Generic.yml index 59f5733568ab..2b71a1c8a8ed 100644 --- a/Playbooks/playbook-Process_Email_-_Generic.yml +++ b/Playbooks/playbook-Process_Email_-_Generic.yml @@ -1,8 +1,8 @@ id: process_email_-_generic version: -1 name: Process Email - Generic -fromversion: 3.6.0 -releaseNotes: "-" +fromversion: 4.0 +releaseNotes: "Add support for retrieving the original email from both EWS and Gmail mail serveices" description: Add email details to the relevant context entities and handle the case where original emails are attached. starttaskid: "0" @@ -21,15 +21,15 @@ tasks: nexttasks: '#none#': - "1" - reputationcalc: 0 separatecontext: false view: |- { "position": { - "x": 265, + "x": 377.5, "y": 50 } } + note: false "1": id: "1" taskid: 70863b9a-af3f-4f0a-8e91-cae2c88f5488 @@ -46,7 +46,7 @@ tasks: brand: "" nexttasks: "no": - - "2" + - "16" "yes": - "3" scriptarguments: @@ -55,15 +55,15 @@ tasks: v2 document') >= 0 || val.Type.toLowerCase().indexOf('rfc 822 mail') >= 0 || val.Extension == 'eml' && val.Type.toLowerCase().indexOf('ascii') >= 0 && val.Type.toLowerCase().indexOf('crlf') >= 0).EntryID} - reputationcalc: 0 separatecontext: false view: |- { "position": { - "x": 265, + "x": 377.5, "y": 195 } } + note: false "2": id: "2" taskid: 0dd910be-f198-4b5d-8dbb-8d7170049463 @@ -93,10 +93,11 @@ tasks: view: |- { "position": { - "x": 51, - "y": 370 + "x": 50, + "y": 895 } } + note: false "3": id: "3" taskid: 4ac2b332-b76d-463e-824e-717895c5b644 
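Review bot: `fromversion` is raised to `4.0` here while the new copy in playbook-Process_Email_-_Generic_3_6.yml keeps the same `id: process_email_-_generic` with `fromversion: 3.6.0` and `toversion: 4.0`; if `toversion` is inclusive, both playbooks claim version 4.0 and the 3.6 copy needs a pre-4.0 upper bound (whatever the content convention uses for that). `releaseNotes` also carries a typo; it should read `releaseNotes: "Add support for retrieving the original email from both EWS and Gmail mail services"`.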
@@ -119,17 +120,17 @@ tasks: v2 document') >= 0 || val.Type.toLowerCase().indexOf('rfc 822 mail') >= 0 || val.Extension == 'eml' && val.Type.toLowerCase().indexOf('ascii') >= 0 && val.Type.toLowerCase().indexOf('crlf') >= 0).EntryID} - reputationcalc: 0 results: - AttachmentName separatecontext: false view: |- { "position": { - "x": 480, - "y": 370 + "x": 592.5, + "y": 720 } } + note: false "4": id: "4" taskid: be6f6daf-0497-423e-8a48-d669ccad567f @@ -147,12 +148,11 @@ tasks: - "6" "yes": - "5" - reputationcalc: 0 separatecontext: false conditions: - label: "yes" condition: - - - operator: general.isExists + - - operator: isExists left: value: complex: @@ -162,10 +162,11 @@ tasks: view: |- { "position": { - "x": 265, - "y": 865 + "x": 377.5, + "y": 1215 } } + note: false "5": id: "5" taskid: 2373f9de-c13d-42ca-84be-8735743156e6 @@ -190,15 +191,15 @@ tasks: accessor: HTML type: {} width: {} - reputationcalc: 0 separatecontext: false view: |- { "position": { - "x": 377.5, - "y": 1040 + "x": 490, + "y": 1390 } } + note: false "6": id: "6" taskid: dd0d5106-965e-4a81-8e67-79392ea47d7f @@ -211,15 +212,15 @@ tasks: type: title iscommand: false brand: "" - reputationcalc: 0 separatecontext: false view: |- { "position": { - "x": 265, - "y": 1565 + "x": 377.5, + "y": 1915 } } + note: false "11": id: "11" taskid: 104966c4-8595-4a5a-8c75-c84f55e51c84 @@ -235,21 +236,21 @@ tasks: nexttasks: '#none#': - "4" - reputationcalc: 0 separatecontext: false view: |- { "position": { - "x": 265, - "y": 720 + "x": 377.5, + "y": 1070 } } + note: false "13": id: "13" - taskid: 42e12a9b-7195-44bc-8606-fce3495e3b04 + taskid: 5396db88-5a6a-4e25-8a9f-40c5c27aaedf type: regular task: - id: 42e12a9b-7195-44bc-8606-fce3495e3b04 + id: 5396db88-5a6a-4e25-8a9f-40c5c27aaedf version: -1 name: Set incident with the Email object data description: "" 
@@ -287,36 +288,36 @@ tasks: root: Email accessor: BCC transformers: - - operator: general.uniq - - operator: general.Stringify + - operator: uniq + - operator: Stringify emailbody: complex: root: Email accessor: Text transformers: - - operator: general.Stringify + - operator: Stringify emailbodyformat: {} emailbodyhtml: complex: root: Email accessor: HTML transformers: - - operator: general.Stringify + - operator: Stringify emailcc: complex: root: Email accessor: CC transformers: - - operator: general.uniq - - operator: general.Stringify + - operator: uniq + - operator: Stringify emailclientname: {} emailfrom: complex: root: Email accessor: From transformers: - - operator: general.uniq - - operator: general.Stringify + - operator: uniq + - operator: Stringify emailkeywords: {} emailmessageid: {} emailreceived: {} @@ -330,15 +331,15 @@ tasks: root: Email accessor: Subject transformers: - - operator: general.uniq - - operator: general.Stringify + - operator: uniq + - operator: Stringify emailto: complex: root: Email accessor: To transformers: - - operator: general.uniq - - operator: general.Stringify + - operator: uniq + - operator: Stringify emailtocount: {} emailurlclicked: {} eventid: {} @@ -348,6 +349,8 @@ tasks: filehash: {} filename: {} filepath: {} + htmlimage: {} + htmlrenderedimage: {} id: {} important: {} importantfield: {} @@ -392,10 +395,11 @@ tasks: view: |- { "position": { - "x": 480, - "y": 545 + "x": 592.5, + "y": 895 } } + note: false "14": id: "14" taskid: 89a7a856-46ff-46f6-8f1c-b2f772c12881 @@ -462,6 +466,9 @@ tasks: filename: {} filepath: {} htmlimage: + simple: | + ![HTML render](data:image/png;base64,${Base64.encoded}) + htmlrenderedimage: simple: '![HTML render](data:image/png;base64,${Base64.encoded})' id: {} important: {} 
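Review bot: In task "14" the new `htmlimage` value is a literal block scalar (`simple: |`), which keeps a trailing newline, whereas the sibling `htmlrenderedimage` two lines below stores the same markdown as a single-quoted scalar; unless the newline is intended, write it the same way: `htmlimage:` / `simple: '![HTML render](data:image/png;base64,${Base64.encoded})'`. Since task "13" leaves both fields empty and task "14" fills both with the identical data URI, a short comment on why the rendered image is stored under two incident fields would help the next maintainer.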
@@ -502,15 +509,15 @@ tasks: vendorid: {} vendorproduct: {} vulnerabilitycategory: {} - reputationcalc: 0 separatecontext: false view: |- { "position": { - "x": 490, - "y": 1390 + "x": 377.5, + "y": 1740 } } + note: false "15": id: "15" taskid: 50661f40-4640-4b90-8f01-8143cec44c79 @@ -528,12 +535,11 @@ tasks: - "6" "yes": - "14" - reputationcalc: 0 separatecontext: false conditions: - label: "yes" condition: - - - operator: general.isExists + - - operator: isExists left: value: simple: Base64.encoded 
@@ -541,18 +547,116 @@ tasks: view: |- { "position": { - "x": 377.5, - "y": 1215 + "x": 490, + "y": 1565 + } + } + note: false + "16": + id: "16" + taskid: bc0dd5a2-6073-4f44-8abc-9bc48e3e08c1 + type: condition + task: + id: bc0dd5a2-6073-4f44-8abc-9bc48e3e08c1 + version: -1 + name: Should retrieve the original email? + description: If True, retrieve the original email in the thread + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "yes": + - "17" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isEqualString + left: + value: + simple: inputs.GetOriginalEmail + iscontext: true + right: + value: + simple: "True" + ignorecase: true + view: |- + { + "position": { + "x": 263, + "y": 370 + } + } + note: false + "17": + id: "17" + taskid: e6915e5d-bdca-4d59-8636-2e65b2e680e1 + type: playbook + task: + id: e6915e5d-bdca-4d59-8636-2e65b2e680e1 + version: -1 + name: Get Original Message - Generic + description: "" + playbookName: Get Original Email - Generic + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "18" + separatecontext: true + view: |- + { + "position": { + "x": 50, + "y": 545 + } + } + note: false + "18": + id: "18" + taskid: 9a505e0b-27c1-424a-880a-253135d80683 + type: condition + task: + id: 9a505e0b-27c1-424a-880a-253135d80683 + version: -1 + name: Was the original email retrieved? + description: Is there an email object in the context? + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "2" + "yes": + - "13" + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: isExists + left: + value: + simple: Email + iscontext: true + view: |- + { + "position": { + "x": 50, + "y": 698 } } + note: false view: |- { "linkLabelsPosition": {}, "paper": { "dimensions": { - "height": 1580, - "width": 819, - "x": 51, + "height": 1930, + "width": 922.5, + "x": 50, "y": 50 } } 
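Review bot: Task "17" has an empty `description`, and nothing in tasks "16"–"18" records that this path performs a global mailbox search with elevated permissions and imports the original message's attachments into the incident as `File`; propose `description: Retrieve the original email (headers, body, attachments) from EWS or Gmail; requires the eDiscovery / domain-wide delegation permissions listed on the GetOriginalEmail input.` on task "17". Task "18" tests `Email` in the parent context after a `separatecontext: true` sub-playbook, so it presumably relies on the sub-playbook's declared outputs being copied back — worth a sentence in its description. When nothing is retrieved the default branch continues silently to "2" with the reported email, which is a sensible fallback but should be mentioned in the `GetOriginalEmail` input description.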
@@ -620,13 +724,24 @@ inputs: accessor: labels.Email/format required: false description: The email’s format +- key: GetOriginalEmail + value: + simple: "False" + required: false + description: |- + Retrieve the original email in the thread. Default is "False". + + You must have the necessary permissions in your email service to execute global search. + + - EWS: eDiscovery + - Gmail: Google Apps Domain-Wide Delegation of Authority outputs: +- contextPath: Email.HTML + description: Email 'html' body if exists + type: string - contextPath: Email description: Email object type: unknown -- contextPath: Email.To - description: Email 'to' addresses - type: string - contextPath: Email.CC description: Email 'cc' addresses type: string @@ -636,8 +751,8 @@ outputs: - contextPath: Email.Subject description: Email subject type: string -- contextPath: Email.HTML - description: Email 'html' body if exists +- contextPath: Email.To + description: Email 'to' addresses type: string - contextPath: Email.Text description: Email 'text' body if exists @@ -651,3 +766,6 @@ outputs: - contextPath: Email.Format description: The format of the email if available type: string +- contextPath: File + description: The File object + type: unknown diff --git a/Playbooks/playbook-Process_Email_-_Generic_3_6.yml b/Playbooks/playbook-Process_Email_-_Generic_3_6.yml new file mode 100644 index 000000000000..6c1f56fc105d --- /dev/null +++ b/Playbooks/playbook-Process_Email_-_Generic_3_6.yml 
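Review bot: The new `File` output in the last hunk is documented only as "The File object", which does not say which files the playbook yields — presumably the attachments of the retrieved original email, which should be confirmed against the Generic playbook and stated, e.g. `description: File entries for the attachments of the retrieved original email`. The `GetOriginalEmail` input description in the first hunk does not state the accepted values, while the condition in task "16" only matches the string "True" case-insensitively; adding `Accepted values: "True" or "False" (case-insensitive).` avoids surprises with values like "yes". Since the permissions it names (eDiscovery, domain-wide delegation) grant search across mailboxes rather than just the reporting user's, the description should also make clear that enabling this input widens what the playbook can read, so the person enabling it can weigh that.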
@@ -0,0 +1,654 @@ +id: process_email_-_generic +version: -1 +name: Process Email - Generic +fromversion: 3.6.0 +toversion: 4.0 +releaseNotes: "-" +description: Add email details to the relevant context entities and handle the case + where original emails are attached. +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: ccd00127-175c-4a93-8edb-14e71f7d47ea + type: start + task: + id: ccd00127-175c-4a93-8edb-14e71f7d47ea + version: -1 + name: "" + description: "" + iscommand: false + brand: "" + nexttasks: + '#none#': + - "1" + reputationcalc: 0 + separatecontext: false + view: |- + { + "position": { + "x": 265, + "y": 50 + } + } + "1": + id: "1" + taskid: 70863b9a-af3f-4f0a-8e91-cae2c88f5488 + type: condition + task: + id: 70863b9a-af3f-4f0a-8e91-cae2c88f5488 + version: -1 + name: Do we have original emails attached? + description: Check if we have any attachments with relevant attachment types + like eml or rfc822 + scriptName: Exists + type: condition + iscommand: false + brand: "" + nexttasks: + "no": + - "2" + "yes": + - "3" + scriptarguments: + value: + simple: ${inputs.File(val.Type.toLowerCase().indexOf('composite document file + v2 document') >= 0 || val.Type.toLowerCase().indexOf('rfc 822 mail') >= + 0 || val.Extension == 'eml' && val.Type.toLowerCase().indexOf('ascii') >= + 0 && val.Type.toLowerCase().indexOf('crlf') >= 0).EntryID} + reputationcalc: 0 + separatecontext: false + view: |- + { + "position": { + "x": 265, + "y": 195 + } + } + "2": + id: "2" + taskid: 0dd910be-f198-4b5d-8dbb-8d7170049463 + type: regular + task: + id: 0dd910be-f198-4b5d-8dbb-8d7170049463 + version: -1 + name: Add original email details to context + description: "" + scriptName: Set + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "11" + scriptarguments: + append: {} + key: + simple: Email + value: + simple: '${inputs={To: val[''Email''], CC: val[''Email/cc''], 
From: val[''Email/from''], + Subject: val[''Email/subject''], Text: val[''Email/text''], HTML: val[''Email/html''], + Headers: val[''Email/headers''], Format: val[''Email/format'']}}' + reputationcalc: 2 + separatecontext: false + view: |- + { + "position": { + "x": 51, + "y": 370 + } + } + "3": + id: "3" + taskid: 4ac2b332-b76d-463e-824e-717895c5b644 + type: regular + task: + id: 4ac2b332-b76d-463e-824e-717895c5b644 + version: -1 + name: Add original email attachments to context + description: "" + scriptName: ParseEmailFiles + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "13" + scriptarguments: + entryid: + simple: ${inputs.File(val.Type.toLowerCase().indexOf('composite document file + v2 document') >= 0 || val.Type.toLowerCase().indexOf('rfc 822 mail') >= + 0 || val.Extension == 'eml' && val.Type.toLowerCase().indexOf('ascii') >= + 0 && val.Type.toLowerCase().indexOf('crlf') >= 0).EntryID} + reputationcalc: 0 + results: + - AttachmentName + separatecontext: false + view: |- + { + "position": { + "x": 480, + "y": 370 + } + } + "4": + id: "4" + taskid: be6f6daf-0497-423e-8a48-d669ccad567f + type: condition + task: + id: be6f6daf-0497-423e-8a48-d669ccad567f + version: -1 + name: Is there an HTML label in the email? 
+ description: "" + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "6" + "yes": + - "5" + reputationcalc: 0 + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: general.isExists + left: + value: + complex: + root: Email + accessor: HTML + iscontext: true + view: |- + { + "position": { + "x": 265, + "y": 865 + } + } + "5": + id: "5" + taskid: 2373f9de-c13d-42ca-84be-8735743156e6 + type: regular + task: + id: 2373f9de-c13d-42ca-84be-8735743156e6 + version: -1 + name: Render HTML to an image + description: "" + script: Rasterize|||rasterize-email + type: regular + iscommand: true + brand: Rasterize + nexttasks: + '#none#': + - "15" + scriptarguments: + height: {} + htmlBody: + complex: + root: Email + accessor: HTML + type: {} + width: {} + reputationcalc: 0 + separatecontext: false + view: |- + { + "position": { + "x": 377.5, + "y": 1040 + } + } + "6": + id: "6" + taskid: dd0d5106-965e-4a81-8e67-79392ea47d7f + type: title + task: + id: dd0d5106-965e-4a81-8e67-79392ea47d7f + version: -1 + name: Done + description: "" + type: title + iscommand: false + brand: "" + reputationcalc: 0 + separatecontext: false + view: |- + { + "position": { + "x": 265, + "y": 1565 + } + } + "11": + id: "11" + taskid: 104966c4-8595-4a5a-8c75-c84f55e51c84 + type: title + task: + id: 104966c4-8595-4a5a-8c75-c84f55e51c84 + version: -1 + name: Advance features + description: "" + type: title + iscommand: false + brand: "" + nexttasks: + '#none#': + - "4" + reputationcalc: 0 + separatecontext: false + view: |- + { + "position": { + "x": 265, + "y": 720 + } + } + "13": + id: "13" + taskid: 42e12a9b-7195-44bc-8606-fce3495e3b04 + type: regular + task: + id: 42e12a9b-7195-44bc-8606-fce3495e3b04 + version: -1 + name: Set incident with the Email object data + description: "" + script: Builtin|||setIncident + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "11" + scriptarguments: + addLabels: {} + app: {} + 
assetid: {} + attachmentcount: {} + attachmentextension: {} + attachmenthash: {} + attachmentid: {} + attachmentitem: {} + attachmentname: {} + attachmentsize: {} + attachmenttype: {} + backupowner: {} + bugtraq: {} + customFields: {} + cve: {} + cvss: {} + daysbetweenreportcreation: {} + dest: {} + destntdomain: {} + details: {} + duration: {} + emailbcc: + complex: + root: Email + accessor: BCC + transformers: + - operator: general.uniq + - operator: general.Stringify + emailbody: + complex: + root: Email + accessor: Text + transformers: + - operator: general.Stringify + emailbodyformat: {} + emailbodyhtml: + complex: + root: Email + accessor: HTML + transformers: + - operator: general.Stringify + emailcc: + complex: + root: Email + accessor: CC + transformers: + - operator: general.uniq + - operator: general.Stringify + emailclientname: {} + emailfrom: + complex: + root: Email + accessor: From + transformers: + - operator: general.uniq + - operator: general.Stringify + emailkeywords: {} + emailmessageid: {} + emailreceived: {} + emailreplyto: {} + emailreturnpath: {} + emailsenderip: {} + emailsize: {} + emailsource: {} + emailsubject: + complex: + root: Email + accessor: Subject + transformers: + - operator: general.uniq + - operator: general.Stringify + emailto: + complex: + root: Email + accessor: To + transformers: + - operator: general.uniq + - operator: general.Stringify + emailtocount: {} + emailurlclicked: {} + eventid: {} + falses: {} + fetchid: {} + fetchtype: {} + filehash: {} + filename: {} + filepath: {} + id: {} + important: {} + importantfield: {} + labels: {} + malwarefamily: {} + mdtest: {} + myfield: {} + name: {} + occurred: {} + owner: {} + phase: {} + replacePlaybook: {} + reporteduser: {} + roles: {} + screenshot: {} + screenshot2: {} + selector: {} + severity: {} + signature: {} + single: {} + single2: {} + sla: {} + source: {} + src: {} + srcntdomain: {} + srcuser: {} + systems: {} + test: {} + test2: {} + testfield: {} + 
timeassignedtolevel2: {} + timefield1: {} + timelevel1: {} + type: {} + user: {} + username: {} + vendorid: {} + vendorproduct: {} + vulnerabilitycategory: {} + reputationcalc: 2 + separatecontext: false + view: |- + { + "position": { + "x": 480, + "y": 545 + } + } + "14": + id: "14" + taskid: 89a7a856-46ff-46f6-8f1c-b2f772c12881 + type: regular + task: + id: 89a7a856-46ff-46f6-8f1c-b2f772c12881 + version: -1 + name: Set HTML Image custom field + description: Set the base64 of the rendered image to the custom field and the + Summary page + script: Builtin|||setIncident + type: regular + iscommand: true + brand: Builtin + nexttasks: + '#none#': + - "6" + scriptarguments: + addLabels: {} + app: {} + assetid: {} + attachmentcount: {} + attachmentextension: {} + attachmenthash: {} + attachmentid: {} + attachmentitem: {} + attachmentname: {} + attachmentsize: {} + attachmenttype: {} + backupowner: {} + bugtraq: {} + customFields: {} + cve: {} + cvss: {} + daysbetweenreportcreation: {} + dest: {} + destntdomain: {} + details: {} + duration: {} + emailbcc: {} + emailbody: {} + emailbodyformat: {} + emailbodyhtml: {} + emailcc: {} + emailclientname: {} + emailfrom: {} + emailkeywords: {} + emailmessageid: {} + emailreceived: {} + emailreplyto: {} + emailreturnpath: {} + emailsenderip: {} + emailsize: {} + emailsource: {} + emailsubject: {} + emailto: {} + emailtocount: {} + emailurlclicked: {} + eventid: {} + falses: {} + fetchid: {} + fetchtype: {} + filehash: {} + filename: {} + filepath: {} + htmlimage: + simple: '![HTML render](data:image/png;base64,${Base64.encoded})' + id: {} + important: {} + importantfield: {} + labels: {} + malwarefamily: {} + mdtest: {} + myfield: {} + name: {} + occurred: {} + owner: {} + phase: {} + replacePlaybook: {} + reporteduser: {} + roles: {} + screenshot: {} + screenshot2: {} + selector: {} + severity: {} + signature: {} + single: {} + single2: {} + sla: {} + source: {} + src: {} + srcntdomain: {} + srcuser: {} + systems: {} + test: {} 
+ test2: {} + testfield: {} + timeassignedtolevel2: {} + timefield1: {} + timelevel1: {} + type: {} + user: {} + username: {} + vendorid: {} + vendorproduct: {} + vulnerabilitycategory: {} + reputationcalc: 0 + separatecontext: false + view: |- + { + "position": { + "x": 490, + "y": 1390 + } + } + "15": + id: "15" + taskid: 50661f40-4640-4b90-8f01-8143cec44c79 + type: condition + task: + id: 50661f40-4640-4b90-8f01-8143cec44c79 + version: -1 + name: Is there a base64 encoding for the rendered image? + description: "" + type: condition + iscommand: false + brand: "" + nexttasks: + '#default#': + - "6" + "yes": + - "14" + reputationcalc: 0 + separatecontext: false + conditions: + - label: "yes" + condition: + - - operator: general.isExists + left: + value: + simple: Base64.encoded + iscontext: true + view: |- + { + "position": { + "x": 377.5, + "y": 1215 + } + } +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 1580, + "width": 819, + "x": 51, + "y": 50 + } + } + } +inputs: +- key: File + value: + complex: + root: File + required: false + description: An EML or MSG file with +- key: Email + value: + complex: + root: incident + accessor: labels.Email + required: false + description: The receiving email address +- key: Email/cc + value: + complex: + root: incident + accessor: labels.CC + required: false + description: CC addresses +- key: Email/from + value: + complex: + root: incident + accessor: labels.Email/from + required: false + description: The originator of the email +- key: Email/subject + value: + complex: + root: incident + accessor: labels.Email/subject + required: false + description: The email’s subject +- key: Email/text + value: + complex: + root: incident + accessor: labels.Email/text + required: false + description: The email’s text +- key: Email/html + value: + complex: + root: incident + accessor: labels.Email/html + required: false + description: The emai’sl html +- key: Email/headers + value: + complex: + root: 
incident + accessor: labels.Email/headers + required: false + description: The email’s headers +- key: Email/format + value: + complex: + root: incident + accessor: labels.Email/format + required: false + description: The email’s format +outputs: +- contextPath: Email + description: Email object + type: unknown +- contextPath: Email.To + description: Email 'to' addresses + type: string +- contextPath: Email.CC + description: Email 'cc' addresses + type: string +- contextPath: Email.From + description: Email 'from' sender + type: string +- contextPath: Email.Subject + description: Email subject + type: string +- contextPath: Email.HTML + description: Email 'html' body if exists + type: string +- contextPath: Email.Text + description: Email 'text' body if exists + type: string +- contextPath: Email.Headers + description: The full email headers as a single string + type: string +- contextPath: Email.Attachments + description: The list of attachment names in the email + type: string +- contextPath: Email.Format + description: The format of the email if available + type: string diff --git a/TestPlaybooks/playbook-Get_Original_Email_-_EWS_-_Test.yml b/TestPlaybooks/playbook-Get_Original_Email_-_EWS_-_Test.yml new file mode 100644 index 000000000000..6b423b011fc9 --- /dev/null +++ b/TestPlaybooks/playbook-Get_Original_Email_-_EWS_-_Test.yml 
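Review bot: The `File` input of this new version-pinned copy is documented as `description: An EML or MSG file with` — the sentence is cut off — and the `Email/html` input reads "The emai’sl html"; both were carried over and should be fixed, e.g. `description: An EML or MSG file attached to the incident` and `description: The email’s html`. The header sets `fromversion: 3.6.0` and `toversion: 4.0` while the updated playbook in this same patch uses `fromversion: 4.0` and presumably the same `id: process_email_-_generic`; if `toversion` is inclusive, both are eligible on a 4.0 server, so the boundary semantics (the comparison `is_ge_version` in content_creator.py performs) should be confirmed. Apart from the version pin this file duplicates the pre-change playbook, so a short `description` remark that it exists only for servers below 4.0 would stop later fixes from being applied to one copy only.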
@@ -0,0 +1,129 @@ +id: get_original_email_-_ews-_test +version: -1 +name: Get Original Email - EWS - Test +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: d7920fee-8ada-4d48-8197-2e08d19a54dc + type: start + task: + id: d7920fee-8ada-4d48-8197-2e08d19a54dc + version: -1 + name: "" + iscommand: false + brand: "" + nexttasks: + '#none#': + - "1" + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 50 + } + } + note: false + "1": + id: "1" + taskid: 17e0dd57-f2a9-499e-833c-523e800ae647 + type: playbook + task: + id: 17e0dd57-f2a9-499e-833c-523e800ae647 + version: -1 + name: Get Original Email - EWS + description: |- + Use this playbook to retrieve the original email in the thread, including headers and attahcments, when the reporting user forwarded the original email not as an attachment. + + You must have the necessary permissions in the EWS integration to execute global search: eDiscovery + playbookName: Get Original Email - EWS + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "4" + scriptarguments: + InReplyTo: + simple: <8504be6f440847ce988eae64585c1012@WIN-MICMSOEE1BU.demisto.int> + Mailbox: + simple: demistoadmin@demisto.int + ThreadTopic: + simple: Attach Item + separatecontext: true + loop: + iscommand: false + exitCondition: "" + wait: 1 + view: |- + { + "position": { + "x": 50, + "y": 195 + } + } + note: false + "3": + id: "3" + taskid: b52aade3-aa90-4343-8417-d4aa26803d62 + type: title + task: + id: b52aade3-aa90-4343-8417-d4aa26803d62 + version: -1 + name: Done + type: title + iscommand: false + brand: "" + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 545 + } + } + note: false + "4": + id: "4" + taskid: 83e29dbb-bf5e-41a3-82a4-f406d154aa14 + type: regular + task: + id: 83e29dbb-bf5e-41a3-82a4-f406d154aa14 + version: -1 + name: Verify context + scriptName: VerifyContext + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "3" + scriptarguments: + 
expectedValue: {} + fields: {} + path: + simple: Email + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 370 + } + } + note: false +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 560, + "width": 380, + "x": 50, + "y": 50 + } + } + } +inputs: [] +outputs: [] diff --git a/TestPlaybooks/playbook-Get_Original_Email_-_Gmail_-_Test.yml b/TestPlaybooks/playbook-Get_Original_Email_-_Gmail_-_Test.yml new file mode 100644 index 000000000000..d72a637f5a62 --- /dev/null +++ b/TestPlaybooks/playbook-Get_Original_Email_-_Gmail_-_Test.yml @@ -0,0 +1,125 @@ +id: get_original_email_-_gmail_-_test +version: -1 +name: Get Original Email - Gmail - Test +starttaskid: "0" +tasks: + "0": + id: "0" + taskid: d7920fee-8ada-4d48-8197-2e08d19a54dc + type: start + task: + id: d7920fee-8ada-4d48-8197-2e08d19a54dc + version: -1 + name: "" + iscommand: false + brand: "" + nexttasks: + '#none#': + - "4" + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 50 + } + } + note: false + "3": + id: "3" + taskid: b52aade3-aa90-4343-8417-d4aa26803d62 + type: title + task: + id: b52aade3-aa90-4343-8417-d4aa26803d62 + version: -1 + name: Done + type: title + iscommand: false + brand: "" + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 545 + } + } + note: false + "4": + id: "4" + taskid: 62a376b7-ff93-4fd6-8a04-c21d9379046d + type: playbook + task: + id: 62a376b7-ff93-4fd6-8a04-c21d9379046d + version: -1 + name: Get Original Message - Gmail + playbookName: Get Original Email - Gmail + type: playbook + iscommand: false + brand: "" + nexttasks: + '#none#': + - "5" + scriptarguments: + EmailID: + simple: 1653783b47d78642 + 
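Review bot: Task "4" (`Verify context`) asserts only that a context key named `Email` exists — `path: simple: Email` with empty `expectedValue` and `fields` — so the test passes if the sub-playbook returns any `Email` object at all, including one with empty fields or an unrelated message. Populating `fields` with at least one value known from the fixture, for instance a subject derived from `ThreadTopic: Attach Item` if that is what the EWS playbook returns, would make the test fail when retrieval silently picks the wrong message. The same applies to task "5" in the Gmail test playbook that follows. The `InReplyTo` and `Mailbox` values are environment-specific fixtures; a comment noting that they must exist in the test tenant would help whoever has to rebuild it.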
From: + simple: admin@demistodev.com + User: + simple: shai@demistodev.com + separatecontext: true + loop: + iscommand: false + exitCondition: "" + wait: 1 + view: |- + { + "position": { + "x": 50, + "y": 195 + } + } + note: false + "5": + id: "5" + taskid: bccee3cc-846e-45ed-8f3d-eebf5c26049a + type: regular + task: + id: bccee3cc-846e-45ed-8f3d-eebf5c26049a + version: -1 + name: Verify context + scriptName: VerifyContext + type: regular + iscommand: false + brand: "" + nexttasks: + '#none#': + - "3" + scriptarguments: + expectedValue: {} + fields: {} + path: + simple: Email + separatecontext: false + view: |- + { + "position": { + "x": 50, + "y": 370 + } + } + note: false +view: |- + { + "linkLabelsPosition": {}, + "paper": { + "dimensions": { + "height": 560, + "width": 380, + "x": 50, + "y": 50 + } + } + } +inputs: [] +outputs: [] diff --git a/TestPlaybooks/playbook-Jask_Test.yml b/TestPlaybooks/playbook-Jask_Test.yml index 6246633a5604..be70e94c92a6 100644 --- a/TestPlaybooks/playbook-Jask_Test.yml +++ b/TestPlaybooks/playbook-Jask_Test.yml @@ -382,7 +382,7 @@ tasks: simple: "true" fields: {} path: - simple: Jask.Signal=>val.length == 10 + simple: Jask.Signal=>val.length >= 10 separatecontext: false view: |- { diff --git a/Tests/conf.json b/Tests/conf.json index 6abd5b8d4213..d3bf8f2c1bd3 100644 --- a/Tests/conf.json +++ b/Tests/conf.json @@ -2,6 +2,14 @@ "testTimeout": 160, "testInterval": 20, "tests": [ + { + "integrations": "Gmail", + "playbookID": "get_original_email_-_gmail_-_test" + }, + { + "integrations": "EWS v2", + "playbookID": "get_original_email_-_ews-_test" + }, { "playbookID": "test_delete_context" }, diff --git a/content_creator.py b/content_creator.py index a52c5b4fe35c..b0cb15bc2035 100644 --- a/content_creator.py +++ b/content_creator.py 
@@ -23,12 +23,14 @@ def is_ge_version(ver1, ver2): # fix the version to arrays of numbers - if isinstance(ver1, str): ver1 = [int(i) for i in ver1.split('.')] - if isinstance(ver2, str): ver2 = [int(i) for i in ver2.split('.')] + ver1 = [int(i) for i in str(ver1).split('.')] + ver2 = [int(i) for i in str(ver2).split('.')] for v1, v2 in zip(ver1, ver2): if v1 > v2: return False + elif v2 > v1: + return True # most significant values are equal return len(ver1) <= len(ver2)
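Review bot: With the new early returns the loop now decides every case where the versions differ in a shared component, so the tail `return len(ver1) <= len(ver2)` is reached only when one version is a prefix of the other — and there it still reports "3.6.0" as greater than "3.6", because a longer list loses even when its extra components are zero. Replacing the tail with `return all(v == 0 for v in ver1[len(ver2):])` treats trailing zeros as equal while keeping the existing prefix rule. `int(i)` on each component still raises `ValueError` for any non-numeric version string (a pre-release suffix, for example); if such values can appear in `fromversion`/`toversion`, that should be handled or documented. A docstring stating the direction of the comparison would help as well, since the body returns True when ver1 <= ver2 while the name could be read either way: `"""Return True if ver1 <= ver2, comparing numeric components left to right."""`. The `def` line itself is outside the hunk (it appears only in the hunk header).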