Parse email attaachement using EWS V2 Extension

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Parse email attaachement using EWS V2 Extension

L1 Bithead

Hi all,
actually i am configuring an abuse email box that will receive all email that are suspected to be a phishing email,
actually when we send the suspected email as en EML attachement to the abuse email box that is alredy configured via EWS instance, we cannot find the orginial message parsed via mapping editor,
we only find the attachement file name like mentionned in the capture and the content of the eml file as a value for  the 'mime_conent' key (not parsed) ,
so how we can make modification of the contextual data, to add the attachement email info (sender recepient , content etc .. ) to the json data


Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.

L3 Networker

There's a pre-built playbook, "Process Email - Generic v2" from the Phishing pack which has logic for this that might be useful for reference. In the end, that's basically a fancy wrapper for the ParseEmailFiles automation so if that playbook is too far away from what you need you could always use the automation directly.

L1 Bithead

Hi Chrkin,
thanks for your feedback, actually i am testing this playbook, but i face a problem with Set commande, i face this error:

---- Error Message
February 15, 2023 11:23 AM
Scripts returned an error
#44: Set reported email origin (attached)
!Set key="ReportedEmailOrigin" value="Attached" stringify="false"
Error from Scripts is : Script failed to run: open /usr/local/demisto/res/_script_template.js: no such file or directory (2603)

i think that there is a misconfiguration or incompatibility with Set Commande,
i there any workaround?
i test the same commande in another playbook, but always i face the same problem,
you find the error in the screenshot


This looks like an issue with your installation, rather than anything wrong with the automation/playbook itself. I'd suggest checking out your /usr/local/demisto/res directory to make sure that it (and the referenced file) still exists, and that the demisto group has ownership of these files.

Hi Chrking,
i already check it, the file does not exist, i will open a case, do you know this package "demisto" is it related to specific module that need to be reinstalled?

"demisto" is the previous name for XSOAR, before it was acquired by Palo Alto. It's still used in lots of places. The _script_template files are part of the base install and not any marketplace package AFAIK.

  • 5 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!