DeleteReportedEmail
This script is part of the Phishing Pack.
Supported versions
Supported Cortex XSOAR versions: 6.1.0 and later.
A script for deleting reported phishing emails from the mailbox in which they were reported.
Note
The script was specifically developed for use by the Delete Reported Email layout on the Phishing - Generic v3 playbook, and should not be used elsewhere.
Script Data
| Name | Description |
|---|---|
| Script Type | python3 |
| Tags | basescript |
| Cortex XSOAR Version | 6.1.0 |
Inputs
| Argument Name | Description |
|---|---|
| delete_type | The type of deletion - soft allows restoring, hard doesn't. Not relevant for O365 and Search & Compliance. |
| delete_from_brand | The brand from which to delete this email. The default value is the incident using the brand. |
| search_name | Argument used for the generic polling flow within the security and compliance search. |
| polling | Use the Cortex XSOAR built-in polling to retrieve the result when it's ready. |
| interval_in_seconds | Interval in seconds between each poll. |
Outputs
| Path | Description | Type |
|---|---|---|
| DeleteReportedEmail.result | Whether the deletion operation was successful, skipped, or failed | String |
| DeleteReportedEmail.deletion_failure_reason | The reason for the failure if the deletion operation failed or was skipped | String |
| DeleteReportedEmail.delete_type | Whether the deletion operation was hard or soft. | String |
| DeleteReportedEmail.using_brand | The email service that was used to delete the email. | String |
| DeleteReportedEmail.email_subject | The subject of the deleted email. | String |
| DeleteReportedEmail.message_id | The message ID of the deleted email. | String |
Troubleshooting
- If the `Reported Email Origin` field is missing or has a value of `None`, the script will not be able to locate the email and will fail. This can happen if the email forwarded to the listener mailbox was not forwarded as an attachment (with an `EML` file) as it should.
- If either the `Reported Email Message ID` or `Reported Email To` fields are missing, the cause is likely to be one of the following:
  - An `EML` file was not attached to the email.
  - The playbook is being used as a sub-playbook, causing the `EML` file to exist only in the parent playbook.
  - The `Process Email - Generic v2` sub-playbook failed, or the `ParseEmailFilesV2` step within it specifically failed.
- The script does not support multiple recipients in the `Reported Email To` field.
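
A pre-flight check over the three incident fields named in Troubleshooting, as an added example that is not part of the Phishing Pack. The machine names `reportedemailorigin`, `reportedemailmessageid` and `reportedemailto`, the function names and the sample incidents are assumptions; confirm the field names against your own field settings.

```python
from email.utils import getaddresses

# Assumed machine names of the incident fields named in Troubleshooting.
ORIGIN = "reportedemailorigin"
MESSAGE_ID = "reportedemailmessageid"
TO = "reportedemailto"


def _blank(value):
    """True for a missing or empty field, or one holding the text 'None'."""
    return not value or str(value).strip() == "None"


def preflight(fields):
    """Return (code, hint) pairs for each Troubleshooting condition that applies."""
    problems = []
    if _blank(fields.get(ORIGIN)):
        problems.append(("origin_missing",
                         "report was likely not forwarded as an EML attachment"))
    missing = [name for name in (MESSAGE_ID, TO) if _blank(fields.get(name))]
    if missing:
        problems.append(("parse_fields_missing",
                         "no EML attached, EML only in the parent playbook, or "
                         "email parsing failed: " + ", ".join(missing)))
    if TO not in missing:
        raw = fields[TO]
        values = raw if isinstance(raw, list) else [raw]
        addresses = [addr for _, addr in getaddresses([str(v) for v in values]) if addr]
        if len(addresses) > 1:
            problems.append(("multiple_recipients",
                             "%d addresses in Reported Email To" % len(addresses)))
    return problems


# Constructed sample incidents (custom fields only).
OK_INCIDENT = {ORIGIN: "Attached", MESSAGE_ID: "<m1@example.test>", TO: "alice@example.test"}
NOT_ATTACHED = {ORIGIN: "None", TO: "alice@example.test"}
TWO_RECIPIENTS = dict(OK_INCIDENT, **{TO: "Alice <alice@example.test>, bob@example.test"})

if __name__ == "__main__":
    for incident in (OK_INCIDENT, NOT_ATTACHED, TWO_RECIPIENTS):
        print(preflight(incident) or "ready for DeleteReportedEmail")
```

An empty result means none of the listed conditions apply; it does not guarantee that the deletion itself will succeed.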