03-17-2023 05:00 AM
I'm currently using EWSv2 to listen to emails and have a classifier as well for fixed subjects. Is there an approach that I can use to take a part of an email subject to classify emails?
As an example:
Email Subject 1: Incident#1213131
Email Subject 2: Incident#3234234
Should be classified in "Incidents"
03-19-2023 11:04 PM - edited 03-19-2023 11:05 PM
Regex is the cause of, and solution to, all problems. You can still use this technique; you'll just need a slightly more complex transformer, like the attached sample.
In the end, if you need logic that's too advanced for regex you could write your own transformer in python to output the value you need given specific input. Transformers are just Automations with specific tags to make them show up in the right places.
StripChars is a nice, simple example of a transformer included in the Filters and Transformers pack that you could use for reference if you need to go this way.
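As an added example of the "write your own transformer in Python" route from the accepted answer (this is not the attached sample or code from the Filters and Transformers pack), the script below maps an email subject to a fixed classification key: subjects such as Incident#1213131 become "Incidents", the subject IOCs becomes "IOC", and anything else falls back to a constant so the classifier always sees a known value. The rule table, the reply/forward prefix handling and the "Unclassified" fallback are assumptions made for this example; the XSOAR wrapper at the bottom assumes the transformer receives its input in the `value` argument, as StripChars does, and runs only inside the platform.

```python
import re

# Ordered classification rules, constructed for this example: the first matching
# pattern wins, so put the most specific rules first. Each rule is anchored at
# both ends so "Incident#123 and other stuff" does not silently match.
SUBJECT_RULES = [
    (re.compile(r"^\s*Incident#\d+\s*$", re.IGNORECASE), "Incidents"),
    (re.compile(r"^\s*IOCs?\s*$", re.IGNORECASE), "IOC"),
]

# Value returned when no rule matches. A constant token is better than returning
# the raw subject, because an unknown subject would otherwise create a new
# classification key every time (assumed convention for this example).
DEFAULT_CATEGORY = "Unclassified"

# Reply/forward prefixes mail clients prepend; stripping them lets a reply to an
# incident thread classify the same way as the original message.
REPLY_PREFIX = re.compile(r"^(?:(?:re|fw|fwd)\s*:\s*)+", re.IGNORECASE)


def normalize_subject(subject):
    """Drop reply/forward prefixes and surrounding whitespace."""
    if subject is None:
        return ""
    return REPLY_PREFIX.sub("", subject.strip()).strip()


def classify_subject(subject):
    """Return the classification key for one email subject."""
    normalized = normalize_subject(subject)
    for pattern, category in SUBJECT_RULES:
        if pattern.match(normalized):
            return category
    return DEFAULT_CATEGORY


# Constructed sample subjects mirroring the thread, used by the local demo only.
SAMPLE_SUBJECTS = [
    "Incident#1213131",
    "Incident#3234234",
    "RE: Incident#42",
    "IOCs",
    "Weekly report",
]


if __name__ == "__main__":
    try:
        import demisto  # present only inside the XSOAR automation runtime
    except ImportError:
        demisto = None

    if demisto is not None:
        # Transformer mode (assumption: the input arrives as the "value" argument).
        demisto.results(classify_subject(demisto.args().get("value", "")))
    else:
        # Stand-alone demo when run outside XSOAR.
        for sample in SAMPLE_SUBJECTS:
            print("%-20s -> %s" % (sample, classify_subject(sample)))
```

In the classifier you would then key the mapping on the transformer's output ("Incidents", "IOC", "Unclassified") rather than on the raw subject. Keeping the fallback explicit also makes the unclassified traffic easy to spot and review later, which is where new subject formats usually show up first.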
03-19-2023 12:01 AM
What about the scripts https://xsoar.pan.dev/docs/reference/playbooks/process-email---generic-v2 or https://xsoar.pan.dev/docs/reference/scripts/parse-email-files (use v2: https://xsoar.pan.dev/docs/reference/scripts/parse-email-files-v2)? They use the eml files that you should get from EWSv2.
By just playing around and testing this should be possible.
03-19-2023 05:37 PM
In your classifier, use a transformer to extract only the part of the email subject you want to classify based on.
In this example, I have a (randomly generated demo data) username which is always a first.last name pair. The regex extracts everything after the period, and the classification options you get show only the last name.
03-19-2023 10:33 PM
Thank you for the reply, however the EWS instance pulls emails as incidents already, so I was looking for something on the preprocessor/classifier level.
03-19-2023 10:41 PM
Thank you for your reply, this was something new that I learned, but what if the scenario is that I have multiple formats? As an example:
Email Subject 1: Incident#1213131
Email Subject 2: Incident#3234234
Should be classified in "Incidents"
and
Email Subject: IOCs
Should be classified as "IOC"
03-21-2023 11:15 AM
Thanks man, you are a genius 🙂