Skip to main content

Process Email - Generic v2

This Playbook is part of the Phishing Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.1.0 and later.

Add email details to the relevant context entities and handle the case where original emails are attached.

Added on this v2 playbook:

  • Uses incident fields and not incident labels.
  • Provides separate paths to "Phishing Alerts".
  • Uses the new "Get Original Email - Generic v2" playbook to retrieve original emails as eml files for both EWS v2 and Microsoft Graph Mail integration. This will assist with parsing the email artifacts in a more efficient way.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Get Original Email - Generic v2


This playbook does not use any integrations.


  • SetGridField
  • Set
  • SetAndHandleEmpty
  • ParseEmailFiles
  • IdentifyAttachedEmail


  • rasterize-email
  • setIncident

Playbook Inputs#

NameDescriptionDefault ValueRequired
FileAn EML or MSG file.File.NoneOptional
EmailThe receiving email address.incident.emailtoOptional
EmailCCCC addresses.incident.emailccOptional
EmailFromThe originator of the email.incident.emailfromOptional
EmailSubjectThe email’s subject.incident.emailsubjectOptional
EmailTextThe email’s text.incident.emailbodyOptional
EmailHtmlThe email’s html.incident.emailhtmlOptional
EmailHeadersThe email’s headers.incident.phishingreporteremailheadersOptional
EmailFormatThe email’s format.incident.emailformatOptional
GetOriginalEmailRetrieve the original email in the thread. Default is "False".

You must have the necessary permissions in your email service to execute global search.

- EWS: eDiscovery
- Gmail: Google Apps Domain-Wide Delegation of Authority
- MSGraph: As described here:
MessageIDThe original email message id to retrieve. This should hold the value of the "Message-ID" header of the original email. This value will be passed as an input to the playbook "Get Original Email - Generic v2"Optional
UserIDThe user's email address for which to retrieve the original email. This value will be passed as an input to the playbook "Get Original Email - Generic v2".incident.emailfromOptional
Thread-TopicThe value of the "Thread-Topic" header which holds the original email subject. This is necessary for forwarded emails scenarios. It will be passed as an input to the "Get Original Email - Generic v2" playbook to be used in the relevant sub-playbooks.Optional

Playbook Outputs#

Email.HTMLEmail 'html' body if exists.string
EmailEmail object.string
Email.CCEmail 'cc' addresses.string
Email.FromEmail 'from' sender.string
Email.SubjectEmail subject.string
Email.ToEmail 'to' addresses.string
Email.TextEmail 'text' body if exists.string
Email.HeadersThe full email headers as a single string.string
Email.AttachmentsThe list of attachment names in the email.string
Email.FormatThe format of the email if available.string
FileThe File object.string

Playbook Image#

Process Email - Generic v2