topic Re: Extract Domains from Phishing Attached Email in Cortex XSOAR Discussions

Extract Domains from Phishing Attached Email

bzahran — Sat, 29 Oct 2022 13:31:13 GMT

Hi Team,

I hope all are doing well; how can I extract the domains from the phishing attached files?

I extracted the email using " ParseEmailFilesV2 "; exported all the email parameters such as HTML and others successfully; however, once I tried to convert HTML XML output to JSON using "ConvertXmlToJson" automation, it did not work as expected.

I need to convert HTML - XML format to JSON with all domains available to be appended; any idea, team, how I can achieve it?

Thanks

Basel

Re: Extract Domains from Phishing Attached Email

ivandijk — Wed, 02 Nov 2022 08:56:13 GMT

Hi Basel,

If you run the ParseEmailFilesV2 automation with the "auto-extract=inline" argument, all domains will be extracted from the email too, into the ${Domain.Name} context.

Alternatively you can also run "extractIndicators" on the ${Email} key (after running ParseEmailFilesV2), then the domains will be extracted under ${ExtractedIndicators.Domain}. Attached an example:

Regarding the conversion, I'm not sure what XML you are referring to, we would need to see the XML, the command you ran, the expected result and the actual result.

Let me know if that helps.

Re: Extract Domains from Phishing Attached Email

nikoolayy1 — Mon, 07 Nov 2022 15:06:48 GMT

I never knew there were so many premade parsing scripts. @ivandijk is right about this. Better try ParseEmailFilesV2 as Ivan mentioned but there is an old one on python2 just in case but python2 is just supported for existing scripts and intergrations so you may not create a new script using the original one https://xsoar.pan.dev/docs/integrations/code-conventions so better use the V2.

Re: Extract Domains from Phishing Attached Email

bzahran — Wed, 23 Nov 2022 14:08:20 GMT

Thanks a lot, Team, I used ParseEmailFilesV2 and everything looks perfect