RA2205: Extract Observables From Email Message

Summary

ID	RA2205
Brief Description	Extract observables from an email message
Author	@atc_project
Creation Date	2019/01/31
References	https://ubuntuincident.wordpress.com/2010/09/27/extract-email-attachments/ https://blog.thehive-project.org/2018/07/31/emlparser-a-new-cortex-analyzer-for-eml-files/
Response Stage	Identification

Description

Extract the data for further response steps:

• attachments (using munpack tool: munpack email.eml)
• from, to, cc
• subject of the email
• received servers path
• list of URLs from the text content of the mail body and attachments

This Response Action could be automated with TheHive EmlParser.