Skip to main content

Process Email - Generic

This Playbook is part of the Phishing Pack.#


Use Process Email - Generic v2 instead.

This playbook adds email details to the relevant context entities and handles original email attachments.


This playbook uses the following sub-playbooks, integrations, and scripts.


Get Original Email - Generic


This playbook does not use any integrations.


  • SetAndHandleEmpty
  • ParseEmailFiles
  • Set
  • IdentifyAttachedEmail
  • SetGridField


  • rasterize-email
  • setIncident

Playbook Inputs#

NameDescriptionDefault ValueRequired
FileAn EML or MSG file.FileOptional
EmailThe receiving email address.incident.labels.EmailOptional
Email/ccThe CC addresses.incident.labels.CCOptional
Email/fromThe originator of the email.incident.labels.Email/fromOptional
Email/subjectThe email subject.incident.labels.Email/subjectOptional
Email/textThe email text.incident.labels.Email/textOptional
Email/htmlThe email HTML.incident.labels.Email/htmlOptional
Email/headersThe email headers.incident.labels.Email/headersOptional
Email/formatThe email format.incident.labels.Email/formatOptional
GetOriginalEmailRetrieves the original email in the thread.

You must have the necessary permissions in your email service to execute global search.
- EWS: eDiscovery
- Gmail: Google Apps Domain-Wide Delegation of Authority

Playbook Outputs#

Email.HTMLThe email HTML body if it exists.string
EmailThe email object.unknown
Email.CCThe email CC addresses.string
Email.FromThe email from sender.string
Email.SubjectThe email subject.string
Email.ToThe email to addresses.string
Email.TextThe email text body if exists.string
Email.HeadersThe full email headers as a single string.string
Email.AttachmentsThe list of attachment names in the email.string
Email.FormatThe email format if available.string
FileThe file object.unknown

Playbook Image#

Process Email - Generic