
Process Email - Generic v2

This playbook is part of the Phishing Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This playbook adds email details to the relevant context entities and handles original email attachments.

The v2 playbook enables parsing email artifacts more efficiently, including:

  • Using incident fields and not incident labels.
  • Providing separate paths to "Phishing Alerts".
  • Using the new "Get Original Email - Generic v2" playbook to retrieve original emails as EML files from the following integrations:
    • EWS v2
    • Microsoft Graph Mail integration
    • Gmail
    • FireEye EX and FireEye CM
    • Proofpoint Protection Server
    • Agari Phishing Defense (EWS v2, MSGraph Mail, Gmail)
    • Mimecast.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Get Original Email - Generic v2

Integrations

This playbook does not use any integrations.

Scripts

  • Set
  • ParseEmailFilesV2
  • SetAndHandleEmpty
  • SetGridField
  • IdentifyAttachedEmail

Commands

  • core-api-multipart
  • rasterize-email
  • setIncident

Playbook Inputs


Each input is listed with its description, its default value, and whether it is required.

  • File
    Description: An EML or MSG file.
    Default value: File
    Required: Optional
  • Email
    Description: The receiver email address.
    Default value: incident.emailto
    Required: Optional
  • EmailCC
    Description: The email CC addresses.
    Default value: incident.emailcc
    Required: Optional
  • EmailFrom
    Description: The sender email address.
    Default value: incident.emailfrom
    Required: Optional
  • EmailSubject
    Description: The email subject.
    Default value: incident.emailsubject
    Required: Optional
  • EmailText
    Description: The email text.
    Default value: incident.emailbody
    Required: Optional
  • EmailHtml
    Description: The email HTML.
    Default value: incident.emailhtml
    Required: Optional
  • EmailHeaders
    Description: The email headers.
    Default value: incident.phishingreporteremailheaders
    Required: Optional
  • EmailFormat
    Description: The email format.
    Default value: incident.emailformat
    Required: Optional
  • GetOriginalEmail
    Description: Retrieves the original email in the thread.
    You must have the necessary permissions in your email service to execute a global search:
      • For EWS: eDiscovery
      • For Gmail: Google Apps Domain-Wide Delegation of Authority
      • For MSGraph: as described in the message-get API (https://docs.microsoft.com/en-us/graph/api/message-get) and the user-list-messages API (https://docs.microsoft.com/en-us/graph/api/user-list-messages)
    Default value: False
    Required: Optional
  • MessageID
    Description: The original email message ID to retrieve. Holds the value of the "Message-ID" header of the original email. This value is passed as an input to the "Get Original Email - Generic v2" playbook.
    Default value: incident.emailmessageid
    Required: Optional
  • UserID
    Description: The user's email address used to retrieve the original email. This value is passed as an input to the "Get Original Email - Generic v2" playbook.
    Default value: incident.emailto
    Required: Optional
  • Thread-Topic
    Description: The value of the "Thread-Topic" header, which holds the original email subject and is needed for forwarded-email scenarios. It is passed as an input to the "Get Original Email - Generic v2" playbook for use in the relevant sub-playbooks.
    Default value: incident.emailsubject
    Required: Optional
  • EmailBrand
    Description: If this value is provided, only the relevant sub-playbook runs. If no value is provided, all sub-playbooks run.
    Possible values:
      • Gmail
      • EWS v2
      • MicrosoftGraphMail
      • EmailSecurityGateway
    Choosing EmailSecurityGateway executes the following, if enabled:
      • FireEye EX (Email Security)
      • Proofpoint TAP
      • Mimecast
    Default value: (none)
    Required: Optional
  • EmailFileToExtract
    Description: Reported emails and emails retrieved during playbook execution can contain multiple nested email files, for example an EML nested inside another EML file. If files at multiple levels are detected, this field determines which file represents the phishing email.
    For example: User1 receives an email from Attacker. User1 attaches the email as an EML file and sends it to User2. User2 also attaches that email as a file and reports it as phishing. In this case, the phishing email is the "inner file" (as opposed to the "outer file").
    Possible values: Inner file, Outer file, All files.
      • Inner file: The file at the deepest level is parsed. If there is only one file, that file is parsed.
      • Outer file: The file at the first level is parsed.
      • All files: All files are parsed. Do not use this option in the phishing playbook, as there should be only one phishing email per playbook run.
    Default value: Inner file
    Required: Optional
  • UseOldHTMLFields
    Description: This input preserves backward compatibility. It determines whether the playbook sets email fields that are no longer used in the out-of-the-box content.
    If set to True, the playbook saves data into the "Email Body HTML" and "Rendered HTML" incident fields as it did before.
    If set to False, the playbook does not save data into those fields and uses only the Email HTML field instead.
    If you ingest large emails that cause issues because of the amount of data saved into incident fields, set this value to False.
    We recommend setting the value to False unless you are certain that you need the "Email Body HTML" and "Rendered HTML" incident fields.
    Default value: True
    Required: Optional

Playbook Outputs


Each output is listed as path (type): description.

  • Email.HTML (string): The email HTML body, if it exists.
  • Email (string): The email object.
  • Email.CC (string): The email CC addresses.
  • Email.From (string): The email sender address.
  • Email.Subject (string): The email subject.
  • Email.To (string): The email receiver addresses.
  • Email.Text (string): The email text body, if it exists.
  • Email.Headers (string): The full email headers as a single string.
  • Email.Attachments (string): The list of attachment names in the email.
  • Email.Format (string): The format of the email, if available.
  • File (string): The file object.
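The nesting rule behind the EmailFileToExtract input and the shape of the Email.* outputs listed above are easier to reason about in code. The following is an added example written for this page; it is not code from the Process Email - Generic v2 playbook or from the ParseEmailFilesV2 script it calls. It uses only the Python standard library, builds a constructed three-level sample (Attacker to User1, forwarded as an .eml to User2, forwarded again as an .eml to the reporting mailbox) inline, and all function names are assumptions made for the example.

```python
"""Added example: pick the phishing email among nested EML files the way the
EmailFileToExtract input describes, then build the Email.* context fields.
Not the playbook's own code; names and the sample message are assumptions."""
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_sample() -> bytes:
    """Constructed sample, three nesting levels: outer (0), middle (1), inner (2)."""
    inner = EmailMessage()                       # Attacker -> User1
    inner["From"] = "attacker@example.net"
    inner["To"] = "user1@example.com"
    inner["Subject"] = "Invoice overdue"
    inner["Message-ID"] = "<inner-1@example.net>"
    inner.set_content("Please open the attached invoice.")
    inner.add_alternative("<p>Please open the <b>attached invoice</b>.</p>",
                          subtype="html")

    middle = EmailMessage()                      # User1 -> User2, inner attached as .eml
    middle["From"] = "user1@example.com"
    middle["To"] = "user2@example.com"
    middle["Subject"] = "FW: Invoice overdue"
    middle.set_content("Is this legit?")
    middle.add_attachment(inner, filename="Invoice overdue.eml")

    outer = EmailMessage()                       # User2 -> reporting mailbox
    outer["From"] = "user2@example.com"
    outer["To"] = "phishing@example.com"
    outer["Subject"] = "FW: FW: Invoice overdue"
    outer.set_content("Reporting a suspicious email.")
    outer.add_attachment(middle, filename="FW Invoice overdue.eml")
    return outer.as_bytes()


def collect_levels(msg, depth=0):
    """Return [(depth, message), ...] for msg and every message/rfc822 part nested
    inside it. Multipart containers (mixed, alternative) are descended at the same
    depth; only an embedded message increases it."""
    levels = [(depth, msg)]
    queue = list(msg.iter_parts())
    while queue:
        part = queue.pop(0)
        if part.get_content_type() == "message/rfc822":
            for nested in part.get_payload():    # payload is a list of one message
                levels.extend(collect_levels(nested, depth + 1))
        elif part.is_multipart():
            queue.extend(part.iter_parts())
    return levels


def select_phishing_email(levels, mode="Inner file"):
    """Apply the EmailFileToExtract rule to the collected levels."""
    if mode == "Outer file":
        return [levels[0][1]]                    # the reported message itself
    if mode == "All files":
        return [m for _, m in levels]            # not for the phishing playbook
    # Inner file: deepest level. If several files share it, only the first one
    # found is used, which mirrors the documented one-EML-at-a-time limitation.
    deepest = max(d for d, _ in levels)
    return [m for d, m in levels if d == deepest][:1]


def email_context(msg):
    """Build the Email.* context object listed under Playbook Outputs."""
    text = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    return {"Email": {
        "From": str(msg.get("From", "")),
        "To": str(msg.get("To", "")),
        "CC": str(msg.get("CC", "")),
        "Subject": str(msg.get("Subject", "")),
        "Text": text.get_content().strip() if text else "",
        "HTML": html.get_content().strip() if html else "",
        "Headers": "\n".join(f"{k}: {v}" for k, v in msg.items()),
        "Attachments": [p.get_filename() for p in msg.iter_attachments()],
        "Format": msg.get_content_type(),
    }}


def process_email(raw: bytes, mode="Inner file"):
    """Parse raw EML bytes and return one Email context per selected file."""
    levels = collect_levels(message_from_bytes(raw, policy=policy.default))
    return [email_context(m) for m in select_phishing_email(levels, mode)]


if __name__ == "__main__":
    for mode in ("Inner file", "Outer file", "All files"):
        for ctx in process_email(build_sample(), mode):
            print(mode, "|", ctx["Email"]["From"], "|", ctx["Email"]["Subject"])
```

With the default "Inner file" the selected message is the attacker's original (depth 2), so Email.From and Email.Subject describe the attacker's mail rather than the reporter's forward; "Outer file" returns the report itself, whose Email.Attachments holds the forwarded .eml name.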

Known Limitations

The playbook currently supports only one EML attachment at a time: if it runs on an email that contains multiple EML attachments, only the first attachment is processed.

Playbook Image

[Image: Process Email - Generic v2 playbook]