Incoming feed - IMAP Email fetcher#

Caution

The IMAP Email fetcher and IMAP Email Attachment fetcher is End of Life as of 5th April 2022.

They will continue to be available for download, and is eligible for support until End of Support Life (EOSL) on 5th October 2022. EOSL products receive critical fixes and security updates, but no further improvements.

Use the newer IMAP Email and attachment fetcher instead.

Note

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.

Specifications

Transport types

IMAP Email fetcher

Content type

Email Message

Ingested data

Ingests emails from a given IMAP server.

Endpoint(s)

N/A

Processed data

See Data mapping.

Warning

Back up your emails before running this feed.

Fetching emails with this transport type will delete emails that it downloads.

Requirements#

  • IMAP-enabled email account

  • IMAP user name

  • IMAP password

Limitations#

  • Emails are only fetched from the Inbox folder of the target email account.

  • These email providers are not supported:

    • Microsoft Office 365 Outlook

Configure the incoming feed#

  1. Create or edit an incoming feed.

  2. Under Transport and content, fill out these fields:

    Note

    Required fields are marked with an asterisk (*).

    Field

    Description

    Transport type*

    Select IMAP Email fetcher from the drop-down menu.

    Content type*

    Select Email Message from the drop-down menu.

    Host*

    Enter the address of your IMAP server.

    For example: imap.example.com

    Username

    Enter your IMAP account user name.

    Password

    Enter your IMAP account password.

    Use SSL

    Caution

    Most IMAP servers require IMAP SSL. If your feed appears to be unable to fetch emails, select this option to fetch using IMAP SSL.

    • Leave option empty to use the default IMAP port 143.

    • Select to use the IMAP SSL port 993.

    To keyword

    Tip

    Leave To keyword, From keyword, and Subject keyword empty to fetch all emails from your IMAP Inbox folder.

    Enter a keyword to only include emails that have a “To” field (email recipients) containing content that matches it.

    From keyword

    Enter a keyword to only include emails that have a “From” field (sender’s email address) containing content that matches it.

    Subject keyword

    Enter a keyword to only include emails that have a “Subject” field (email subject) containing content that matches it.

    SSL certificate authentication

    Select to enable SSL client certificate authentication.

    When enabled, you can set the SSL certificate and key to use.

    SSL certificate

    Enter the contents of your PEM-formatted certificate chain files.

    It should look like this:

    -----BEGIN CERTIFICATE REQUEST-----
    MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV
    BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln
    [...]
    29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2
    97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w=
    -----END CERTIFICATE REQUEST-----
    

    SSL key

    Enter the contents of your PEM-formatted SSL certificate key.

    It should look like this:

    -----BEGINRSAPRIVATEKEY-----
    MIIEpQIBAAKCAQEA3Tz2mr7SZiAMfQyuvBjM9Oi..Z1BjP5CE/Wm/Rr500P
    RK+Lh9x5eJPo5CAZ3/ANBE0sTK0ZsDGMak2m1g7..3VHqIxFTz0Ta1d+NAj
    [...]
    engiVoWc/hkj8SBHZz1n1xLN7KDf8ySU06MDggB..hJ+gXJKy+gf3mF5Kmj
    DtkpjGHQzPF6vOe907y5NQLvVFGXUq/FIJZxB8k..fJdHEm2M4=
    -----ENDRSAPRIVATEKEY-----
    
  3. Store your changes by selecting Save.

Data mapping#

This incoming feed downloads emails and ingests them as Report entities.

If an email is part of a reply thread, each email is ingested to produce it’s own Report entity.

Resulting Report entities have the following fields set:

EclecticIQ Report entity field

Content description

Title

Subject of email.

This is set to the first 60 characters of an email’s subject field.

All emails part of a reply thread will have the same title. E.g., Re: this is an email subject.

Description/Analysis

Email body.

Body of HTML emails (MIME type text/html) is converted to plain text.

Estimated threat start time

Time email was ingested.

Estimated observed time

Time email was ingested.

Attachment

The original email is attached as an .eml file to the resulting Report entity, named <subject_name>.eml.

Attachments for that email are embedded in the resulting .eml file.