- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
04-04-2023 01:33 PM
Hello all,
Is there a way to add attachments to an email that is sent using the ask by email function under the data collection option? I am trying to link evidence to a case so the end user can view the evidence and then make decisions based off of it? I have tried editing the html to add links to the body, but that doesn't work unless they have the proper permissions to download the file from XSOAR. Using the send-mail API doesn't give a lot of customization options.
Thanks!
04-11-2023 12:44 PM
Hi @JacobCromly ,
That is a very interesting use case. Firstly, there is no way to attach a file to a data collection task at this time. However, I would like to share a recommendations with you. In the Questions tab, Question argument, you will see a {} that allows you to pick a variable input. You can choose "Evidence Board URL" to add a link to the Evidence Board (See screenshot attached)
Please let me know if that works. I also encourage you to check out our AHA portal to submit this as a Feature Request
04-11-2023 01:35 PM
Hello @JacobCromly, for this scenario, we have the option to use the EmailAskUser workflow. You can read more about it in our documentation here below:
https://xsoar.pan.dev/docs/reference/scripts/email-ask-user
On a high level, this works by sending an email to a user, waiting for the response to come back and routing the response back to the original incident. The response can then be used to control the execution flow in the playbook. With this method we have the option to attach incident files and artifacts to the email using the argument attachIds. The Id's are the corresponding EntryIDs of the files in your incident.
Here's how you would use this method in your playbook (see screenshots below for additional context):
1. Create a task with EmailAskUser automation. In this task you specify the recipient, the subject line, the different reply options, the EntryID (s) of the file (s) you want to attach and the tag of the next task you want to complete once the response is received.
2. Create a manual task with a tag corresponding to the previous task. This task will keep the playbook in waiting state until the response is received.
3. Create a conditional task with EmailAskUserResponse automation and with ${lastCompletedTaskEntries} as input.
4. Create a branch for each possible response. The response will be parsed from the first textual response line of the reply body.
Notes:
1. This method will require a email integration that can both send emails using send-mail and fetch incidents.
2. This method will not work in the Playbook debugger.
3. Be advised that the incidents can contain malicious files and artifacts and these should handled with caution to avoid getting infected.
04-12-2023 06:20 AM
Thank you for the responses, I ended up going a different route about this and I am going to share my solution in case anyone else has this same use case. I ended up using the send-mail using Microsoft Graph API, which allows me to send it from any email, add attachments, and put the link wherever I want on the form. I did this by creating the link before sending the email out to anyone using this algorithm, that follows how the link is created in the first place. First is the hxxp://(externalhostname)/#/external/form/(incidentid@taskid base 64 encoded then hexadecimal encoded)/(email that you are sending it to base64 encoded then hexadecimal encoded). This is a work around for now that allows me to customize the email, hopefully making it more likely that people respond. I was also able to create my own "reminder" automation that works well with the survey. I appreciate the suggestions though!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!