Skip to main content

Process Email - Core

This Playbook is part of the Phishing Pack.#


Use Process Email - Core v2 instead.

Adds email details to the relevant context entities and handle the case where original emails are attached.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


  • Builtin


  • ParseEmailFiles
  • Set
  • IdentifyAttachedEmail


  • setIncident

Playbook Inputs#

NameDescriptionDefault ValueSourceRequired
FileThe EML or MSG file.NoneFileOptional
EmailThe receiving email addresslabels.EmailincidentOptional
Email/ccTHe CC addresses.labels.CCincidentOptional
Email/fromThe originator of the email.labels.Email/fromincidentOptional
Email/subjectThe email’s subject.labels.Email/subjectincidentOptional
Email/textThe email text.labels.Email/textincidentOptional
Email/htmlThe HTML version of the email.labels.Email/htmlincidentOptional
Email/headersThe email’s headers.labels.Email/headersincidentOptional
Email/formatThe email’s format.labels.Email/formatincidentOptional

Playbook Outputs#

Email.HTMLTHe Email "HTML" body, if it exists.string
EmailThe email object.unknown
Email.CCThe email "cc" addresses.string
Email.FromThe email "from" sender.string
Email.SubjectThe email subject.string
Email.ToThe email "to" addresses.string
Email.TextThe email "text" body, if it exists.string
Email.HeadersThe full email headers as a single string.string
Email.AttachmentsThe list of attachment names in the email.string
Email.FormatThe format of the email, if it is available.string
FileThe file object.unknown

Playbook Image#