Skip to main content


This Script is part of the Common Scripts Pack.#

Parse an email from an eml or msg file and populate all relevant context data to investigate the email. Also extracts inner attachments and returns them to the war room. The incident labels themselves are preserved and not modified - only the "Label/x" context items that originated from the labels, and the best practice is to rely on these for the remainder of the playbook.

This script is based on the parse-emails XSOAR python package, check the script documentation for more info.

Script Data#

Script Typepython3
Tagsemail, phishing, enhancement, file


Argument NameDescription
entryidEntry ID with the Email as a file in msg or eml format
parse_only_headersWill parse only the headers and return headers table
max_depthHow many levels deep we should parse the attached emails (e.g. email contains an emails contains an email). Default depth level is 3. Minimum level is 1, if set to 1 the script will parse only the first level email
nesting_level_to_returnIn case of nested email files (for instance, an EML file inside an EML file), determines which of the email files to return as an output. "All files" - will return all nested email files as output, "Outer file" - will return only the "outer" email file as output, "Inner file" - will return only the most "inner" email file as output. In case "Inner file" was chosen together with the 'max_depth' argument, the inner email will be considered as the email in the depth of the max_size argument.


Email.ToThis shows to whom the message was addressed, but may not contain the recipient's address.string
Email.CCEmail 'cc' addressesstring
Email.FromThis displays who the message is from, however, this can be easily forged and can be the least reliable.string
Email.SubjectEmail subjectstring
Email.HTMLEmail 'html' body if existsstring
Email.TextEmail 'text' body if existsstring
Email.DepthThe depth of the email. Depth=0 for the first level email. If email1 contains email2 contains email3. Then email1 depth is 0, email2 depth is 1, email3 depth is 2number
Email.HeadersDeprecated - use Email.HeadersMap output instead. The full email headers as a single stringstring
Email.HeadersMapThe full email headers jsonUnknown
Email.HeadersMap.FromThis displays who the message is from, however, this can be easily forged and can be the least reliable.Unknown
Email.HeadersMap.ToThis shows to whom the message was addressed, but may not contain the recipient's address.Unknown
Email.HeadersMap.SubjectEmail subjectString
Email.HeadersMap.DateThe date and time the email message was composedUnknown
Email.HeadersMap.CCEmail 'cc' addressesUnknown
Email.HeadersMap.Reply-ToThe email address for return mailString
Email.HeadersMap.ReceivedList of all the servers/computers through which the message traveledString
Email.HeadersMap.Message-IDA unique string assigned by the mail system when the message is first created. These can easily be forged. (e.g.
Email.AttachmentsData.NameThe name of the attachmentString
Email.AttachmentsData.Content-IDThe content-id of the attachmentString
Email.AttachmentsData.Content-DispositionThe content-disposition of the attachmentString
Email.AttachmentsData.FilePaththe location of the attachment, on the XSOAR serverString
Email.AttachmentNamesThe list of attachment names in the emailstring
Email.FormatThe format of the email if availablestring


We handle EML and MSG parsing differently when the email contains HTML.

  • If it's an EML and it has the content-type of text/html, the content of the body will be stored in the html field.
  • If it's an MSG, we store the text inside the HTML in the text field and the HTML in the html field.