Phishing Response Automation Workflow - Email Parser Error

Hi,

We are trying to create a workflow for Phishing Response Automation. In our environment, when a user finds an email suspicious they click a Phish Alert button in Outlook.
The suspicious email is then forwarded to a particular mailbox as an .eml attachment. We pick up the email, verify the contents (URLs, domains, attachments) on various other sites and give a response to the user.

We want to automate a part of this process. We want to fetch these emails, create a case in TheHive, parse the .eml file and separate the attachments and URLs, create observables in TheHive, and analyze the observables with Cortex. Based on the detection, if true, TheHive will send a response. We cannot use IMAP. We are using the Outlook node with OAuth.

Till now we have achieved fetching the email and creating a case in TheHive. We can use the HTML Extract node to parse the URLs from the body content, but in our environment Outlook Safe Links is enabled and all the URLs in our emails are bound to safelinks.protection.outlook.com. If we analyze these in Cortex then it will not scan the actual links but safelinks.protection.outlook.com.

Fields where we need input:
- How to parse the .eml file and separate all fields: Subject, Body Content in text format, URL, Domain, attachments? The Cortex EmlParser is working but not giving the result back in n8n. The result is visible in the Cortex application.
- If extraction succeeds, how to remove the initial part of the URL, which is safelinks.protection.outlook.com?
- How to attach the email attachments in TheHive as an observable?

n8n Version - 0.199, Database - SQLite, Self Hosted Docker Version

Our Workflow till now:

{
  "meta": {
    "instanceId": "c392a8b10f6346dd2a109a8610761351611931e29ed10ed8a474b4ced7915a34"
  },
  "nodes": [],
  "connections": {}
}
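The first two questions above (splitting an .eml into subject, text body, URLs, domains and attachments, and recovering the real target from a Safe Links wrapper) can be handled without Cortex. The following is an added example, not part of the original post or the n8n/TheHive/Cortex projects. It uses only the Python standard library: the `email` module parses the .eml, and Safe Links wrappers are unwrapped by reading the `url` query parameter that `*.safelinks.protection.outlook.com` carries the original link in. The sample .eml is constructed here for the example; `to_observables` is a hypothetical helper that reshapes the result into `dataType`/`data` pairs of the kind TheHive uses for url, domain and file observables, which is the shape you would feed into the TheHive node in n8n.

```python
import email
import re
from email import policy
from urllib.parse import parse_qs, urlparse

# Constructed sample .eml (not from the original post): one text part with a
# Safe Links-wrapped URL and a plain URL, plus one small base64 attachment.
SAMPLE_EML = b"""\
From: Sender <sender@example.test>
To: victim@example.test
Subject: Invoice overdue
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Please review https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.test%2Finvoice&data=05%7C01%7C&sdata=abc&reserved=0 today.
Also see http://plain.example.test/x
--XYZ
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

aGVsbG8=
--XYZ--
"""

# Simple URL matcher; stops at whitespace, quotes and brackets.
URL_RE = re.compile(r"""https?://[^\s<>"'()\[\]]+""")

SAFELINKS_HOST = "safelinks.protection.outlook.com"


def unwrap_safelink(url: str) -> str:
    """Return the original URL wrapped by Outlook Safe Links, or `url` unchanged.

    Safe Links rewrites a link to https://<region>.safelinks.protection.outlook.com/?url=<encoded>&...
    so the real target is simply the decoded `url` query parameter.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host == SAFELINKS_HOST or host.endswith("." + SAFELINKS_HOST):
        target = parse_qs(parsed.query).get("url")
        if target:
            return target[0]
    return url


def parse_eml(raw: bytes) -> dict:
    """Split an .eml into subject, sender, text body, unwrapped URLs, domains and attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    # Prefer the text/plain body; fall back to text/html if that is all there is.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""

    # iter_attachments() yields the non-body parts (Content-Disposition: attachment etc.),
    # and decode=True reverses base64/quoted-printable so `data` is the raw file bytes.
    attachments = [
        {
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "data": part.get_payload(decode=True),
        }
        for part in msg.iter_attachments()
    ]

    urls = sorted({unwrap_safelink(u) for u in URL_RE.findall(body)})
    domains = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    return {
        "subject": msg["subject"],
        "from": msg["from"],
        "body": body,
        "urls": urls,
        "domains": domains,
        "attachments": attachments,
    }


def to_observables(parsed: dict) -> list:
    """Hypothetical helper: flatten the parse result into TheHive-style observable records."""
    observables = [{"dataType": "url", "data": u} for u in parsed["urls"]]
    observables += [{"dataType": "domain", "data": d} for d in parsed["domains"]]
    observables += [
        {"dataType": "file", "data": a["filename"], "size": len(a["data"] or b"")}
        for a in parsed["attachments"]
    ]
    return observables


if __name__ == "__main__":
    result = parse_eml(SAMPLE_EML)
    print(result["subject"], result["urls"], result["domains"])
    print(to_observables(result))
```

Unwrapping by reading the `url` parameter is what matters for Cortex: the analyzers are then given `https://example.test/invoice` rather than the Safe Links hop. For the attachment observable, TheHive wants the file content itself, so the decoded `data` bytes from `parse_eml` are what you would pass as binary data to the TheHive node.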

Hi @saikatdas, it looks like there already is an open issue for this on GitHub, and Jon is currently waiting for feedback on another forum thread around this: Some Cortex Nodes are not running jobs - #8 by Jon

So, you might want to follow the existing threads. I am not familiar with the EML file structure, nor am I a user of Cortex/TheHive, so I will unfortunately not be able to provide much help with building a workaround here :frowning: