https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/email-classification-with-subject/m-p/535005#M1914 <P>Thank you for your reply, this was something new that I learned but what if the scenario is I have multiple formats as an example.</P> <P>&nbsp;</P> <P>Email Subject 1: Incident#1213131&nbsp;</P> <P>Email Subject 2: Incident#3234234</P> <P>Should be classified in "Incidents"&nbsp;</P> <P>&nbsp;</P> <P>and</P> <P>&nbsp;</P> <P>Email Subject: IOCs</P> <P>Should be classified as "IOC"</P> Mon, 20 Mar 2023 05:41:12 GMT vidurasupun 2023-03-20T05:41:12Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/email-classification-with-subject/m-p/534838#M1905 <P>I'm currently using EWSv2 to listen to emails and have a classifier as well for fixed subjects. Is there a approach that I can use to take a part of an email subject to classify emails?</P> <P>&nbsp;</P> <P>As an example:</P> <P>Email Subject 1: Incident#1213131&nbsp;</P> <P>Email Subject 2: Incident#3234234</P> <P>Should be classified in "Incidents"&nbsp;</P> Fri, 17 Mar 2023 12:00:27 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/email-classification-with-subject/m-p/534838#M1905 vidurasupun 2023-03-17T12:00:27Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/email-classification-with-subject/m-p/534963#M1910 <P>What about the scripts <A href="https://xsoar.pan.dev/docs/reference/playbooks/process-email---generic-v2" target="_blank">https://xsoar.pan.dev/docs/reference/playbooks/process-email---generic-v2</A> or <A href="https://xsoar.pan.dev/docs/reference/scripts/parse-email-files" target="_blank">https://xsoar.pan.dev/docs/reference/scripts/parse-email-files</A> (use v2 <A href="https://xsoar.pan.dev/docs/reference/scripts/parse-email-files-v2" target="_blank">https://xsoar.pan.dev/docs/reference/scripts/parse-email-files-v2</A> )? They use the eml files that you should get from EWSv2 .</P> <P>&nbsp;</P> <P>By just playing around and testing this should be possible.</P> Sun, 19 Mar 2023 07:01:51 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/email-classification-with-subject/m-p/534963#M1910 nikoolayy1 2023-03-19T07:01:51Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/email-classification-with-subject/m-p/534980#M1912 <P>In your classifier, use a transformer to extract only the part of the email subject you want to classify based on.</P> <P>&nbsp;</P> <P>In this example, I have a (randomly generated demo data) username which is always a first.last name pair. The regex extracts everything after the period, and the classification options you get show only the last name.</P> Mon, 20 Mar 2023 00:37:09 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/email-classification-with-subject/m-p/534980#M1912 chrking 2023-03-20T00:37:09Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/email-classification-with-subject/m-p/535003#M1913 <P>Thank you for the reply, however EWS instance pulls emails as incidents already so I was looking something on the preprocessor/Classifier level.</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 20 Mar 2023 05:33:21 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/email-classification-with-subject/m-p/535003#M1913 vidurasupun 2023-03-20T05:33:21Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/email-classification-with-subject/m-p/535005#M1914 <P>Thank you for your reply, this was something new that I learned but what if the scenario is I have multiple formats as an example.</P> <P>&nbsp;</P> <P>Email Subject 1: Incident#1213131&nbsp;</P> <P>Email Subject 2: Incident#3234234</P> <P>Should be classified in "Incidents"&nbsp;</P> <P>&nbsp;</P> <P>and</P> <P>&nbsp;</P> <P>Email Subject: IOCs</P> <P>Should be classified as "IOC"</P> Mon, 20 Mar 2023 05:41:12 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/email-classification-with-subject/m-p/535005#M1914 vidurasupun 2023-03-20T05:41:12Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/email-classification-with-subject/m-p/535006#M1915 <P>Regex is the cause of, and solution to, all problems ‌‌&nbsp;You can still use this technique, you'll just need a slightly more complex transformer, like the attached sample.</P> <P><BR />In the end, if you need logic that's too advanced for regex you could write your own transformer in python to output the value you need given specific input. Transformers are just Automations with specific tags to make them show up in the right places.</P> <P>StripChars&nbsp;is a nice, simple example of a transformer included in the Filters and Transformers pack that you could use for reference if you need to go this way.</P> Mon, 20 Mar 2023 06:05:40 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/email-classification-with-subject/m-p/535006#M1915 chrking 2023-03-20T06:05:40Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/email-classification-with-subject/m-p/535255#M1921 <P>Thanks man, you are a genius <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 21 Mar 2023 18:15:11 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/email-classification-with-subject/m-p/535255#M1921 vidurasupun 2023-03-21T18:15:11Z