

This Script is part of the Common Scripts Pack.

Identifies whether the incident includes an email message attached as an eml or msg file and returns the answer to the playbook. Also saves the identified entry ID to context for later use. Commonly used in automated playbooks that handle phishing reports sent to a special phishing mailbox set up by the security team.

Script Data

Script Type | python2
Tags | phishing, email, Condition
Cortex XSOAR Version | 5.0.0

Used In

This script is used in the following playbooks and scripts.

  • Process Email - Core
  • Process Email - Core v2
  • Process Email - Generic
  • Process Email - Generic v2


Argument Name | Description
entryid | Specific entry ID to check for an email attachment. If not specified, all entries of the incident are checked.


Path | Description | Type
yes | The incident contains an email attachment. Also sets reportedemailentryid to the entry ID. | Unknown
no | The incident does not contain an email attachment. | Unknown
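
The yes/no decision and the entryid argument described above, as an added Python 3 example that is not the Common Scripts Pack code. The entry dictionaries, the function names and the content checks (OLE2 header for msg, mail headers for eml) are assumptions made for illustration; only the reportedemailentryid key comes from this page.

```python
from email import message_from_bytes

# Header of the OLE2 compound file format that Outlook .msg files use.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def looks_like_email(name, data):
    """True when the extension is eml/msg and the content agrees with it."""
    lower = name.lower()
    if lower.endswith(".msg"):
        return data.startswith(OLE2_MAGIC)
    if lower.endswith(".eml"):
        msg = message_from_bytes(data)
        # Assumed heuristic: a sender plus at least one other common header.
        return msg["From"] is not None and any(
            msg[h] is not None for h in ("To", "Subject", "Date", "Received"))
    return False


def identify_attached_email(entries, entryid=None):
    """Return ("yes" | "no", context) for a list of file entries."""
    for entry in entries:
        if entryid is not None and entry["id"] != entryid:
            continue  # a specific entry was requested; skip the others
        if looks_like_email(entry["name"], entry["data"]):
            return "yes", {"reportedemailentryid": entry["id"]}
    return "no", {}


# Constructed sample entries (IDs, names and bytes are made up for this example).
SAMPLE_ENTRIES = [
    {"id": "12@101", "name": "screenshot.png", "data": b"\x89PNG\r\n\x1a\n"},
    # Extension claims eml, but the bytes are not a mail message.
    {"id": "13@101", "name": "invoice.eml", "data": b"MZ\x90\x00"},
    {"id": "14@101", "name": "reported.eml",
     "data": b"From: a@example.com\r\nTo: phishing@example.org\r\n"
             b"Subject: Fwd: urgent\r\n\r\nbody"},
    {"id": "15@101", "name": "forwarded.msg", "data": OLE2_MAGIC + b"\x00" * 16},
]

if __name__ == "__main__":
    print(identify_attached_email(SAMPLE_ENTRIES))
```

Checking content as well as the file name keeps a renamed non-mail file from being handed to the email-parsing steps of a phishing playbook.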