Skip to main content

Process Email - Generic v2

This Playbook is part of the Phishing Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This playbook adds email details to the relevant context entities and handles original email attachments.

The v2 playbook enables parsing email artifacts more efficiently, including:

  • Using incident fields and not incident labels.
  • Providing separate paths to "Phishing Alerts".
  • Using the new "Get Original Email - Generic v2" playbook to retrieve original emails as EML files from the following integrations:
    • EWS v2
    • Microsoft Graph Mail integration
    • Gmail
    • FireEye EX and FireEye CM
    • Proofpoint Protection Server
    • Agari Phishing Defense (EWS v2, MSGraph Mail, Gmail)
    • Mimecast


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Get Original Email - Generic v2


This playbook does not use any integrations.


  • ParseEmailFiles
  • Set
  • SetGridField
  • IdentifyAttachedEmail
  • SetAndHandleEmpty


  • setIncident
  • rasterize-email

Playbook Inputs#

NameDescriptionDefault ValueRequired
FileAn EML or MSG file.File.NoneOptional
EmailThe receiver email address.incident.emailtoOptional
EmailCCThe email CC addresses.incident.emailccOptional
EmailFromThe sender email address.incident.emailfromOptional
EmailSubjectThe email subject.incident.emailsubjectOptional
EmailTextThe email text.incident.emailbodyOptional
EmailHtmlThe email HTML.incident.emailhtmlOptional
EmailHeadersThe email headers.incident.phishingreporteremailheadersOptional
EmailFormatThe email format.incident.emailformatOptional
GetOriginalEmailRetrieves the original email in the thread.

You must have the necessary permissions in your email service to execute global search.

- For EWS: eDiscovery
- For Gmail: Google Apps Domain-Wide Delegation of Authority
- For MSGraph: As described in the [message-get API](\) and the [user-list-messages API](\)
MessageIDThe original email message ID to retrieve. Holds the value of the "Message-ID" header of the original email. This value is passed as an input to the "Get Original Email - Generic v2" playbook.incident.emailmessageidOptional
UserIDThe user's email address to retrieve the original email. This value is passed as an input to the "Get Original Email - Generic v2" playbook.incident.emailtoOptional
Thread-TopicThe value of the "Thread-Topic" header which holds the original email subject, needed for forwarded email scenarios. It is passed as an input to the "Get Original Email - Generic v2" playbook to use in the relevant sub-playbooks.incident.emailsubjectOptional
EmailBrandIf this value is provided, only the relevant playbook runs. If no value is provided, all sub-playbooks are run. Possible values: - Gmail - EWS v2 - MicrosoftGraphMail - EmailSecurityGateway
Choosing the EmailSecurityGateway executes the following if enabled: - FireEye EX (Email Security) - Proofpoint TAP - Mimecast.

Playbook Outputs#

Email.HTMLThe email HTML body if it exists.string
EmailThe email object.string
Email.CCThe email CC addresses.string
Email.FromThe email sender address.string
Email.SubjectThe email subject.string
Email.ToThe email receiver addresses.string
Email.TextThe email text body if it exists.string
Email.HeadersThe full email headers as a single string.string
Email.AttachmentsThe list of attachment names in the email.string
Email.FormatThe format of the email if available.string
FileThe file object.string

Playbook Image#

Process Email - Generic v2