
Get Original Email - Generic v2

This Playbook is part of the Phishing Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This v2 playbook is used inside the phishing flow. The inputs in this version do not use labels and also allow the user to supply an email brand. Note: You must have the necessary permissions in your email service to execute a global search.

To retrieve the email files directly from the email service providers, use one of the provided inputs (Agari Phishing Defense customers should also use the following):

  • EWS: eDiscovery
  • Gmail: Google Apps Domain-Wide Delegation of Authority
  • MSGraph: As described in the message-get API and the user-list-messages API
  • EmailSecurityGateway retrieves EML files from:
    • FireEye EX
    • FireEye CM
    • Proofpoint Protection Server
    • Mimecast


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Get Original Email - EWS v2
  • Get Original Email - Gmail v2
  • Get Email From Email Gateway - Generic
  • Get Original Email - Microsoft Graph Mail


This playbook does not use any integrations.


This playbook does not use any scripts.


This playbook does not use any commands.

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| MessageID | The original email message ID to retrieve. This should hold the value of the "Message-ID" header of the original email. | | Optional |
| UserID | The email address of the user to fetch the original email for. For Gmail, the authenticated user. | | Optional |
| EmailSubject | The original email subject. | | Optional |
| EmailBrand | If this value is provided, only the relevant playbook runs. If no value is provided, all sub-playbooks are run. Possible values: Gmail, EWS v2, EWSO365, MicrosoftGraphMail, EmailSecurityGateway. Choosing EmailSecurityGateway executes the following if enabled: FireEye EX (Email Security), Proofpoint TAP, Mimecast. | | |
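
As an added illustration (not part of the playbook or the Phishing Pack), the Python below derives values for the MessageID, UserID and EmailSubject inputs from a user report that carries the original message as a message/rfc822 attachment. The sample message, the function name `playbook_inputs`, and the choice of the reporter's address as UserID are assumptions.

```python
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample (all names and IDs made up): a user report that carries
# the original message as a message/rfc822 attachment.
REPORT_EML = b"""\
From: Alice <alice@example.com>
To: phishing@example.com
Subject: FW: Invoice overdue
Message-ID: <report-0001@example.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

This looks suspicious.
--b1
Content-Type: message/rfc822

From: Billing <billing@vendor.example.net>
To: alice@example.com
Subject: Invoice overdue
Message-ID: <orig-7f3a@vendor.example.net>

Pay now.
--b1--
"""

def playbook_inputs(report_bytes):
    """Build MessageID, UserID and EmailSubject from a reported email."""
    report = message_from_bytes(report_bytes, policy=policy.default)
    # Assumption: UserID is the reporter, whose mailbox received the original.
    inputs = {"MessageID": None, "EmailSubject": None,
              "UserID": parseaddr(str(report["From"] or ""))[1]}
    for part in report.walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)  # the attached original message
            # Use the ORIGINAL's Message-ID; the report's own ID identifies
            # the forward, not the original email.
            mid, subj = original["Message-ID"], original["Subject"]
            inputs["MessageID"] = str(mid).strip() if mid else None
            inputs["EmailSubject"] = str(subj) if subj else None
            break
    # An inline forward has no attached original, so MessageID stays None
    # rather than being filled with the report's own Message-ID.
    return inputs
```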

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| Email | The email object. | string |
| File | The original email attachments. | string |
| Email.To | The email recipient. | string |
| Email.From | The email sender. | string |
| Email.CC | The CC address of the email. | string |
| Email.BCC | The BCC address of the email. | string |
| Email.HTML | The email HTML. | string |
| Email.Body | The email text body. | string |
| Email.Headers | The email headers. | string |
| Email.Subject | The email subject. | string |
| Email.HeadersMap | The email headers map. | string |
| reportedemailentryid | If the original EML was retrieved, this field holds the file's Entry ID. | string |
