How to save Header as an Attachment

mccrilb · 02-21-2025 07:18 AM

I am looking for a way to save the header from an email as an attachment so that when I forward the email I can attach the header to the forwarded email.

Use Case:

I have email threat hunt rules set for common phishing terms. When the alert hits the SOAR I can search and retrieve the email information using Mail Graph. Our vendor for reporting possible phish cases is Cofense, and in order to keep the original sender information they need to have the forwarded email contain the header of the original email as an attachment.

SoarAndy

Due to the nature of EML/SMTP and structured data, this might be tricky.

- You could use the Action 'Parse Case Wall Email' | Result | headers, this will include only headers but it is in JSON format

- You could use Jinja Action "Template Engine" with the following input from Gemini to loop the EML body and regex for lines like headers (e.g. "word: content") but that is prone to false positive in the body

- Depending on your input/mail client you look for any line before "Content-Type: multipart/mixed" but different mail clients will use multiplarts different (or not at all)
(this image is from a spoofed EML for testing, Sarah Innocent is fake data)

The challenges is 95% data, and 5% SecOps/SOAR. I think the best route will depend on how you process the data further down the chain, you might have to tweak other parts of the flow to match.

HTH

mccrilb

I had a response from support that may work. the CSV integration allows you to save JSON to a csv file. I haven't had a chance to test, but that might be a solution