Mail Listener v2

Overview


Listens to a mailbox and enables incident triggering via e-mail.


Configure Mail Listener v2 on XSOAR


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Mail Listener v2.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Fetch incidents: Whether to fetch incidents or not
    • MailServerURL: Mail Server Hostname / IP address
    • port: IMAP Port
    • credentials: Username and password
    • folder: Incoming mail folder
    • permittedFromAdd: Fetch mails from these sender addresses only (e.g., admin@demo.com,test@demo.com)
    • first_fetch: First fetch time (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year)
    • limit: The maximum number of incidents to fetch each time
    • delete_processed: Delete processed emails
    • Include_raw_body: Include raw body in incidents
    • save_file: Save the email .eml file
    • TLS_connection: Use TLS for connection (defaults to True)
    • insecure: Trust any certificate (not secure)
    • incidentFetchInterval: Incidents Fetch Interval
  4. Click Test to validate the connection and the authentication.

Commands:

  1. mail-listener-list-emails
  2. mail-listener-get-email
  3. mail-listener-get-email-as-eml

1. mail-listener-list-emails


Fetches mails according to the configuration

Base Command

mail-listener-list-emails

Input

There are no input arguments for this command.

Context Output

Path | Type | Description
--- | --- | ---
MailListener.EmailPreview.Subject | String | The subject of the mail
MailListener.EmailPreview.Date | Date | The date when the mail was received
MailListener.EmailPreview.To | String | The recipient of the mail
MailListener.EmailPreview.From | String | The sender of the mail
MailListener.EmailPreview.ID | string | The ID of the mail

Command Example

!mail-listener-list-emails

Context Example

{
    "MailListener": {
        "EmailPreview": {
            "Date": "2020-08-12T11:13:35+00:00",
            "From": "test@demistodev.com",
            "ID": 65445,
            "Subject": "foooSubject",
            "To": [
                "test@demistodev.com"
            ]
        }
    }
}

Human Readable Output

Results

Date | From | ID | Subject | To
--- | --- | --- | --- | ---
2020-08-12T11:13:35+00:00 | test@demistodev.com | 65445 | foooSubject | test@demistodev.com

2. mail-listener-get-email


Fetches an email by email ID

Base Command

mail-listener-get-email

Input

Argument Name | Description | Required
--- | --- | ---
message-id | Message ID as fetched in 'mail-listener-list-emails' command | Required

Context Output

Path | Type | Description
--- | --- | ---
MailListener.Email.to | String | The recipients of the mail
MailListener.Email.cc | String | The mail's cc
MailListener.Email.bcc | String | The mail's bcc
MailListener.Email.from | String | The sender of the mail
MailListener.Email.format | String | The format of the mail
MailListener.Email.text | String | The plain text of the mail
MailListener.Email.HTML | String | The HTML display of the mail, if it exists
MailListener.Email.subject | String | The subject of the mail
MailListener.Email.attachments | String | The attachments of the mail, if any exist
MailListener.Email.headers | String | The headers of the mail

Command Example

!mail-listener-get-email message-id=65445

Context Example

{
    "MailListener": {
        "Email": {
            "attachments": [],
            "bcc": "",
            "cc": "",
            "format": "text/plain",
            "from": "test@demistodev.com",
            "headers": {
                "Content-Transfer-Encoding": "quoted-printable",
                "Content-Type": "text/plain; charset=UTF-8",
                "Date": "Wed, 12 Aug 2020 11:13:35 +0000",
                "From": "test@demistodev.com",
                "Message-ID": "<5f33cedf.1c69fb81.e5562.38a5@mx.google.com>",
                "Mime-Version": "1.0",
                "Received": "from localhost (13.100.68.34.bc.googleusercontent.com. [192.0.0.1])\r\n by smtp.gmail.com with ESMTPSA id t5sm917197ilp.15.2020.08.12.04.13.35\r\n for <test@demistodev.com>\r\n (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);\r\n Wed, 12 Aug 2020 04:13:35 -0700 (PDT)",
                "Return-Path": "<test@demistodev.com>",
                "Subject": "foooSubject",
                "To": "test@demistodev.com",
                "X-Google-Original-From": "koko@demisto.com"
            },
            "rawHeaders": "Return-Path: <test@demistodev.com>\nReceived: from localhost (13.100.68.34.bc.googleusercontent.com. [34.68.100.13])\r\n by smtp.gmail.com with ESMTPSA id t5sm917197ilp.15.2020.08.12.04.13.35\r\n for <test@demistodev.com>\r\n (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);\r\n Wed, 12 Aug 2020 04:13:35 -0700 (PDT)\nMessage-ID: <5f33cedf.1c69fb81.e5562.38a5@mx.google.com>\nFrom: test@demistodev.com\nX-Google-Original-From: koko@demisto.com\nMime-Version: 1.0\nDate: Wed, 12 Aug 2020 11:13:35 +0000\nTo: test@demistodev.com\nSubject: foooSubject\nContent-Type: text/plain; charset=UTF-8\nContent-Transfer-Encoding: quoted-printable",
            "subject": "foooSubject",
            "text": "foooBody",
            "to": "test@demistodev.com"
        }
    }
}

Human Readable Output

Results

attachments:
bcc:
cc:
format: text/plain
from: test@demistodev.com
headers:
    Return-Path: test@demistodev.com
    Received: from localhost (13.100.68.34.bc.googleusercontent.com. [34.68.100.13])
    by smtp.gmail.com with ESMTPSA id t5sm917197ilp.15.2020.08.12.04.13.35
    for test@demistodev.com
    (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
    Wed, 12 Aug 2020 04:13:35 -0700 (PDT)
    Message-ID: 5f33cedf.1c69fb81.e5562.38a5@mx.google.com
    From: test@demistodev.com
    X-Google-Original-From: koko@demisto.com
    Mime-Version: 1.0
    Date: Wed, 12 Aug 2020 11:13:35 +0000
    To: test@demistodev.com
    Subject: foooSubject
    Content-Type: text/plain; charset=UTF-8
    Content-Transfer-Encoding: quoted-printable
rawHeaders:
    Return-Path: test@demistodev.com
    Received: from localhost (13.100.68.34.bc.googleusercontent.com. [34.68.100.13])
    by smtp.gmail.com with ESMTPSA id t5sm917197ilp.15.2020.08.12.04.13.35
    for test@demistodev.com
    (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
    Wed, 12 Aug 2020 04:13:35 -0700 (PDT)
    Message-ID: 5f33cedf.1c69fb81.e5562.38a5@mx.google.com
    From: test@demistodev.com
    X-Google-Original-From: koko@demisto.com
    Mime-Version: 1.0
    Date: Wed, 12 Aug 2020 11:13:35 +0000
    To: test@demistodev.com
    Subject: foooSubject
    Content-Type: text/plain; charset=UTF-8
    Content-Transfer-Encoding: quoted-printable
subject: foooSubject
text: foooBody
to: test@demistodev.com
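
Header addresses are set by the sending side, so a From value that passes a sender allowlist is not by itself proof of origin. The following added example (not part of the integration's code) parses a rawHeaders value like the one in the Context Example above and flags messages whose From differs from Return-Path or X-Google-Original-From, or whose Received hops do not report TLS. The function names and the permitted_from parameter are hypothetical, and the sample header block is trimmed from the example above.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Header block shaped like the rawHeaders value in the Context Example above
# (values taken from that example, trimmed to the fields the check reads).
SAMPLE_RAW_HEADERS = (
    "Return-Path: <test@demistodev.com>\n"
    "Received: from localhost (13.100.68.34.bc.googleusercontent.com. [34.68.100.13])\r\n"
    " by smtp.gmail.com with ESMTPSA id t5sm917197ilp.15.2020.08.12.04.13.35\r\n"
    " for <test@demistodev.com>\r\n"
    " (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);\r\n"
    " Wed, 12 Aug 2020 04:13:35 -0700 (PDT)\n"
    "From: test@demistodev.com\n"
    "X-Google-Original-From: koko@demisto.com\n"
    "Subject: foooSubject\n"
)


def _addr(value):
    """Return the lower-cased bare address from a header value, or ''."""
    return parseaddr(value or "")[1].lower()


def triage_headers(raw_headers, permitted_from):
    """Compare sender identities; permitted_from is a hypothetical copy of permittedFromAdd."""
    msg = HeaderParser().parsestr(raw_headers)
    from_addr = _addr(msg["From"])
    identities = {
        "Return-Path": _addr(msg["Return-Path"]),
        "X-Google-Original-From": _addr(msg["X-Google-Original-From"]),
    }
    mismatches = {k: v for k, v in identities.items() if v and v != from_addr}
    # TLS version reported by each Received hop, None when the hop does not state one
    hops = []
    for received in msg.get_all("Received", []):
        m = re.search(r"version=(TLS[\w.]+)", received)
        hops.append(m.group(1) if m else None)
    allowed = {a.strip().lower() for a in permitted_from}
    return {
        "from": from_addr,
        "from_permitted": from_addr in allowed,
        "mismatches": mismatches,
        "received_tls": hops,
        "needs_review": bool(mismatches) or None in hops or not hops,
    }
```

A mismatch is a reason for an analyst to look at the message, not a verdict; forwarding and mailing lists produce the same pattern.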

3. mail-listener-get-email-as-eml


Fetches an email by message ID and downloads its eml file

Base Command

mail-listener-get-email-as-eml

Input

Argument Name | Description | Required
--- | --- | ---
message-id | Message ID as fetched in 'mail-listener-list-emails' command | Required

Context Output

There is no context output for this command.

Command Example

!mail-listener-get-email-as-eml message-id=65445

Context Example

{
    "File": {
        "EntryID": "1276@97a9b81e-928e-4c93-80bc-2729ca35cb1c",
        "Extension": "eml",
        "Info": "message/rfc822",
        "MD5": "4411c30b672dd8fee62d332c970e07bb",
        "Name": "original-email-file.eml",
        "SHA1": "1713dc8369f89bc1c3f665eeffc3a2b7de4c2f7b",
        "SHA256": "d6e145175a9abd9b51f3af71a6a4971ec922888addd2f96cdd484c52ff6fcb43",
        "SHA512": "0b4af9cd6899e15fcbb3fbdde4592ccd44f681769c554afd437214984cdc254923167563e6d7b763bb96cc3de40f684e9852ec2617ba90efdf6d9342564dddfd",
        "SSDeep": "12:k11sxpBGVTdLS4NuFWsRqzR2kAmM4YTxXX6oFTrYQWptR9zHxXARx2mi7xoQFQ0f:SydGVTdLS4cJGRzCT96odcpHR2x2milL",
        "Size": 680,
        "Type": "SMTP mail text, ASCII text, with CRLF line terminators"
    }
}