Skip to main content

Process Email - Core v2

This Playbook is part of the Phishing Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This playbook adds email details to the relevant context entities and handles the case where original emails are attached.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


This playbook does not use any integrations.


  • IdentifyAttachedEmail
  • Set
  • SetAndHandleEmpty
  • SetGridField
  • ParseEmailFiles


  • setIncident

Playbook Inputs#

NameDescriptionDefault ValueRequired
FileAn EML or MSG file.FileOptional
EmailThe receiving email address.incident.emailtoOptional
EmailCCCC addressesincident.emailccOptional
EmailFromThe originator of the email.incident.emailfromOptional
EmailSubjectThe email subject.incident.emailsubjectOptional
EmailTextThe email text.incident.emailbodyOptional
EmailHtmlThe HTML version of the email.incident.emailhtmlOptional
EmailHeadersThe email headers.incident.emailheadersOptional
EmailFormatThe email format.incident.emailformatOptional

Playbook Outputs#

Email.HTMLThe email HTML body, if it exists.string
EmailThe email object.unknown
Email.CCThe email CC addresses.string
Email.FromThe email 'from' sender.string
Email.SubjectThe email subject.string
Email.ToThe email 'to' addresses.string
Email.TextThe email text body, if it exists.string
Email.HeadersThe full email headers as a single string.string
Email.AttachmentsThe list of attachment names in the email.string
Email.FormatThe format of the email, if available.string
FileThe file object.unknown

Playbook Image#

Process Email - Core v2