Email Classification with Subject

L2 Linker

I'm currently using EWSv2 to listen to emails and have a classifier as well for fixed subjects. Is there an approach that I can use to take a part of an email subject to classify emails?

 

As an example:

Email Subject 1: Incident#1213131 

Email Subject 2: Incident#3234234

Should be classified in "Incidents" 

L6 Presenter

What about the scripts https://xsoar.pan.dev/docs/reference/playbooks/process-email---generic-v2 or https://xsoar.pan.dev/docs/reference/scripts/parse-email-files (use v2 https://xsoar.pan.dev/docs/reference/scripts/parse-email-files-v2 )? They use the eml files that you should get from EWSv2 .

 

By just playing around and testing this should be possible.

L3 Networker

In your classifier, use a transformer to extract only the part of the email subject you want to classify based on.

 

In this example, I have a (randomly generated demo data) username which is always a first.last name pair. The regex extracts everything after the period, and the classification options you get show only the last name.

Thank you for the reply, however the EWS instance pulls emails as incidents already, so I was looking for something on the preprocessor/classifier level.

Thank you for your reply, this was something new that I learned, but what if I have multiple formats? As an example:

 

Email Subject 1: Incident#1213131 

Email Subject 2: Incident#3234234

Should be classified in "Incidents" 

 

and

 

Email Subject: IOCs

Should be classified as "IOC"

Accepted solution

Regex is the cause of, and solution to, all problems. You can still use this technique, you'll just need a slightly more complex transformer, like the attached sample.

In the end, if you need logic that's too advanced for regex, you could write your own transformer in Python to output the value you need given specific input. Transformers are just Automations with specific tags to make them show up in the right places.

StripChars is a nice, simple example of a transformer included in the Filters and Transformers pack that you could use for reference if you need to go this way.
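
The accepted reply above describes two options: a more complex regex transformer, or a custom Python transformer automation. The block below is an added example (not the attached sample from the reply, and not code from the Filters and Transformers pack) of the second option, generalized to an ordered rule table so that both subject formats from the thread ("Incident#<number>" and "IOCs") map to one classification value each. The rule table, the function names `normalize_subject` and `classify_subject`, and the sample subjects are constructed for this example; the `demisto.args()` / `demisto.results()` entry point follows the usual XSOAR automation convention for a transformer that receives its input in the `value` argument, and is guarded so the script also runs outside the platform.

```python
import re

# Ordered classification rules: (compiled pattern, label the classifier should see).
# Constructed for this example; replace the patterns and labels with your own.
# Patterns are applied with fullmatch(), so a subject like
# "Incident#123 (please ignore)" falls through to the default instead of
# being routed as an incident by a loose substring match.
SUBJECT_RULES = [
    (re.compile(r"Incident#\d+", re.IGNORECASE), "Incidents"),
    (re.compile(r"IOCs?", re.IGNORECASE), "IOC"),
]


def normalize_subject(subject: str) -> str:
    """Strip reply/forward prefixes and surrounding whitespace before matching."""
    subject = subject.strip()
    # Remove repeated "RE:", "FW:", "Fwd:" prefixes that mail clients prepend,
    # so a forwarded "Incident#..." mail still classifies the same way.
    subject = re.sub(r"^(?:(?:re|fw|fwd)\s*:\s*)+", "", subject, flags=re.IGNORECASE)
    return subject.strip()


def classify_subject(subject: str, default: str = "") -> str:
    """Return the classification label for an email subject, or `default`.

    The subject is attacker-controlled input: every rule is anchored via
    fullmatch(), the first matching rule wins, and anything unmatched goes to
    `default` so the classifier can send it to a catch-all incident type.
    """
    cleaned = normalize_subject(subject)
    for pattern, label in SUBJECT_RULES:
        if pattern.fullmatch(cleaned):
            return label
    return default


def main() -> None:
    # XSOAR transformer entry point (assumed convention): the value being
    # transformed arrives in the "value" argument and the result is returned
    # with demisto.results(). The demisto module only exists inside XSOAR, so
    # the import is guarded and a constructed sample set runs instead.
    try:
        import demisto  # type: ignore
    except ImportError:
        samples = ["Incident#1213131", "Fwd: Incident#3234234", "IOCs", "Weekly report"]
        for subject in samples:
            print(f"{subject!r:28} -> {classify_subject(subject)!r}")
        return
    demisto.results(classify_subject(str(demisto.args().get("value", ""))))


if __name__ == "__main__":
    main()
```

To use it as a transformer, save the script as an Automation tagged `transformer`, then in the classifier select the subject field and apply the transformer; the classifier then sees only `Incidents`, `IOC` or the empty default rather than the raw subject, so new subject formats are handled by adding a rule rather than by editing the classifier mapping.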

Thanks man, you are a genius 🙂
