Pre phishing alerts (#15465)

* mappers+incident_field+playbooks+images

* playbooks docs

* phishing incident type - extract inline

* playbook outputs - file

* playbooks docs

* release notes + metadata

* pack ignore RM104 - gmail

* Removing "Domain" - task 53, phishing investigation

* Release notes

* Change "Email Headers" from null to " "

* release notes

* Reverse Get Original gmail

* Reverse Get Original gmail

* playbooks + docs

* Release notes

* Release notes

* Release notes

* test playbooks

* secrets

* secrets

* docs + final changes

* cosmetics

* Phishing investigation - extract reporter address

* Update playbook-Get_Original_Email_-_EWS_v2.yml

* Update playbook-Get_Original_Email_-_EWS_v2_README.md

* Update 1_10_0.md

* Update playbook-Get_Original_Email_-_Gmail_v2.yml

* Update playbook-Get_Original_Email_-_Gmail_v2_README.md

* Update 1_1_10.md

* Update playbook-Get_Original_Email_-_Microsoft_Graph_Mail.yml

* Update playbook-Get_Original_Email_-_Microsoft_Graph_Mail_README.md

* Update 1_1_0.md

* Update Process_Email_-_Generic_v2.yml

* Update Process_Email_-_Generic_v2_README.md

* Update playbook-Get_Original_Email_-_Generic_v2_README.md

* Update 2_5_0.md

* Change "GetOriginalEmail" to False

* Add ExtractedHeadersMap

* domain

* fixing domain error

* changing "unknown" to "string" + description fix.

Co-authored-by: Richard Bluestone <[email protected]>

Packs/EWS/Classifiers/classifier-mapper-incoming-EWS_v2.json

@@ -181,8 +181,13 @@
                     "simple": "body"
                 },
                 "Email Headers": {
-                    "complex": null,
-                    "simple": "headers"
+                    "complex": {
+                        "accessor": "",
+                        "filters": [],
+                        "root": " ",
+                        "transformers": []
+                    },
+                    "simple": null
                 },
                 "Email Message ID": {
                     "complex": null,
@@ -351,6 +356,10 @@
                         ]
                     },
                     "simple": ""
+                },
+                "Phishing Reporter Email Headers": {
+                    "complex": null,
+                    "simple": "headers"
                 }
             }
         }

Packs/EWS/Playbooks/playbook-Get_Original_Email_-_EWS_v2.yml

@@ -0,0 +1,307 @@
+id: Get Original Email - EWS v2
+version: -1
+contentitemexportablefields:
+  contentitemfields: {}
+name: Get Original Email - EWS v2
+description: |-
+  This v2 playbook retrieves the original email in the thread as an eml file by using the EWS v2 integration.
+  This playbook will retrieve the email as an eml and not as an Email object (like the previous version). It also reduces the amount of tasks needed to perform the fetch action.
+  You must have the necessary permissions in the EWS integration to execute global search: eDiscovery.
+starttaskid: "0"
+tasks:
+  "0":
+    id: "0"
+    taskid: 5607d1c6-85b0-4181-8b10-bb3a5b113c6f
+    type: start
+    task:
+      id: 5607d1c6-85b0-4181-8b10-bb3a5b113c6f
+      version: -1
+      name: ""
+      iscommand: false
+      brand: ""
+      description: ''
+    nexttasks:
+      '#none#':
+      - "1"
+    separatecontext: false
+    view: |-
+      {
+        "position": {
+          "x": 122.5,
+          "y": 280
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "1":
+    id: "1"
+    taskid: 43203523-8fe7-4403-8c1b-ba175d568d59
+    type: condition
+    task:
+      id: 43203523-8fe7-4403-8c1b-ba175d568d59
+      version: -1
+      name: Is EWS v2 enabled?
+      description: Returns 'yes' if an integration brand is available. Otherwise returns
+        'no'.
+      scriptName: IsIntegrationAvailable
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#default#':
+      - "2"
+      "yes":
+      - "3"
+    scriptarguments:
+      brandname:
+        simple: EWS v2
+    results:
+    - brandInstances
+    separatecontext: false
+    view: |-
+      {
+        "position": {
+          "x": 122.5,
+          "y": 430
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "2":
+    id: "2"
+    taskid: d2eca123-db35-4b27-88d8-a8b77ffd6784
+    type: title
+    task:
+      id: d2eca123-db35-4b27-88d8-a8b77ffd6784
+      version: -1
+      name: Done
+      type: title
+      iscommand: false
+      brand: ""
+      description: ''
+    separatecontext: false
+    view: |-
+      {
+        "position": {
+          "x": 122.5,
+          "y": 1570
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "3":
+    id: "3"
+    taskid: 15ad973f-06c8-417d-8f63-9fcb9dfc7bef
+    type: condition
+    task:
+      id: 15ad973f-06c8-417d-8f63-9fcb9dfc7bef
+      version: -1
+      name: Verify required inputs
+      description: Verifies that the required input values exist for retrieving the original
+        email.
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#default#':
+      - "2"
+      Inputs-Exist:
+      - "4"
+    separatecontext: false
+    conditions:
+    - label: Inputs-Exist
+      condition:
+      - - operator: isExists
+          left:
+            value:
+              complex:
+                root: inputs.TargetMailbox
+            iscontext: true
+      - - operator: isExists
+          left:
+            value:
+              complex:
+                root: inputs.MessageID
+            iscontext: true
+    view: |-
+      {
+        "position": {
+          "x": 122.5,
+          "y": 640
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "4":
+    id: "4"
+    taskid: f5a63cbd-d9d6-49ca-8812-88c74426bb82
+    type: regular
+    task:
+      id: f5a63cbd-d9d6-49ca-8812-88c74426bb82
+      version: -1
+      name: Search for messages by MessageID
+      description: Retrieves all messages found in the thread of the forwarded email.
+      script: EWS v2|||ews-search-mailbox
+      type: regular
+      iscommand: true
+      brand: EWS v2
+    nexttasks:
+      '#none#':
+      - "5"
+    scriptarguments:
+      message-id:
+        complex:
+          root: inputs.MessageID
+      selected-fields:
+        simple: item_id
+      target-mailbox:
+        complex:
+          root: inputs.TargetMailbox
+    separatecontext: false
+    view: |-
+      {
+        "position": {
+          "x": 122.5,
+          "y": 885
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "5":
+    id: "5"
+    taskid: 2c433705-840b-4ad0-8214-ed8db8588d35
+    type: condition
+    task:
+      id: 2c433705-840b-4ad0-8214-ed8db8588d35
+      version: -1
+      name: Was a matching email found?
+      description: Verifies that an email object with a Message-Id that matches the
+        InReplayTo ID of the forwarded email was found.
+      type: condition
+      iscommand: false
+      brand: ""
+    nexttasks:
+      '#default#':
+      - "2"
+      "yes":
+      - "7"
+    separatecontext: false
+    conditions:
+    - label: "yes"
+      condition:
+      - - operator: isNotEmpty
+          left:
+            value:
+              complex:
+                root: EWS.Items
+                accessor: itemId
+            iscontext: true
+    view: |-
+      {
+        "position": {
+          "x": 122.5,
+          "y": 1090
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+  "7":
+    id: "7"
+    taskid: 095d6baa-7a84-4f34-87d1-5b2d5a4287f2
+    type: regular
+    task:
+      id: 095d6baa-7a84-4f34-87d1-5b2d5a4287f2
+      version: -1
+      name: Get original email as eml
+      description: Retrieves items by item ID and uploads the content as an eml file.
+      script: EWS v2|||ews-get-items-as-eml
+      type: regular
+      iscommand: true
+      brand: EWS v2
+    nexttasks:
+      '#none#':
+      - "2"
+    scriptarguments:
+      item-id:
+        complex:
+          root: EWS.Items
+          accessor: itemId
+      target-mailbox:
+        complex:
+          root: inputs.TargetMailbox
+    separatecontext: false
+    view: |-
+      {
+        "position": {
+          "x": 122.5,
+          "y": 1360
+        }
+      }
+    note: false
+    timertriggers: []
+    ignoreworker: false
+    skipunavailable: false
+    quietmode: 0
+    isoversize: false
+    isautoswitchedtoquietmode: false
+system: true
+view: |-
+  {
+    "linkLabelsPosition": {},
+    "paper": {
+      "dimensions": {
+        "height": 1355,
+        "width": 380,
+        "x": 122.5,
+        "y": 280
+      }
+    }
+  }
+inputs:
+- key: TargetMailbox
+  value: {}
+  required: false
+  description: The target mailbox for which to retrieve the eml file.
+  playbookInputQuery:
+- key: MessageID
+  value: {}
+  required: false
+  description: The InReplyTo header in the forwarded email.
+  playbookInputQuery:
+outputs:
+- contextPath: File
+  description: The original email as an eml file.
+  type: string
+tests:
+- Get Original Email - EWS v2 - test
+fromversion: 6.1.0

Packs/EWS/Playbooks/playbook-Get_Original_Email_-_EWS_v2_README.md

@@ -0,0 +1,38 @@
+This v2 playbook retrieves the original email in the thread as an eml file by using the EWS v2 integration.
+This playbook will retrieve the email as an eml and not as an Email object (like the previous version). It also reduces the amount of tasks needed to perform the fetch action.
+You must have the necessary permissions in the EWS integration to execute global search: eDiscovery.
+
+## Dependencies
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+This playbook does not use any sub-playbooks.
+
+### Integrations
+* EWS v2
+
+### Scripts
+* IsIntegrationAvailable
+
+### Commands
+* ews-search-mailbox
+* ews-get-items-as-eml
+
+## Playbook Inputs
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| TargetMailbox | The target mailbox for which retrieve the eml file. |  | Optional |
+| MessageID | The InReplyTo header in the forwarded email. |  | Optional |
+
+## Playbook Outputs
+---
+
+| **Path** | **Description** | **Type** |
+| --- | --- | --- |
+| File | The original email as an eml file. | string |
+
+## Playbook Image
+---
+![Get Original Email - EWS v2](../doc_imgs/Get_Original_Email_-_EWS_v2.png)

Packs/EWS/ReleaseNotes/1_10_0.md

@@ -0,0 +1,13 @@
+
+#### Mappers
+##### EWS - Incoming Mapper
+- Adding the "Phishing Reporter Email Headers" field.
+- **BREAKING FIX**: Disassociate "Email Headers" field since it represents the original email headers and not the reporter headers.
+
+#### Playbooks
+##### New: Get Original Email - EWS v2
+This v2 playbook retrieves the original email in the thread as an eml file, by using the EWS v2 integration.
+
+This playbook will retrieve the email as eml and not as an Email object (like the previous version). This version also reduces the amount of tasks needed to perform the fetch action.
+
+You must have the necessary permissions in the EWS integration to execute global search: eDiscovery.