Incoming feed - IMAP Email attachment and body fetcher
This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Configure incoming feeds general options.
|
|
Specifications |
|
Transport types |
IMAP Email attachment and body fetcher |
|
Content type |
See Ingestion results. |
|
Ingested data |
Ingests emails from a given IMAP server. |
|
Endpoint(s) |
N/A |
|
Processed data |
See Ingestion results. |
This extension downloads emails from a mail folder on an IMAP server and processes them to produce entities.
You can process both the body and attachments of a given email message.
For information on how emails are processed, see Ingestion results.
Contents
Requirements
IMAP-enabled email account
IMAP user name
IMAP password
Known limitations
These email providers are not supported:
Microsoft Office 365 Outlook
Configure the incoming feed
Create or edit an incoming feed.
Under Transport and content, fill out these fields:
Required fields are marked with an asterisk (*).
Field
Description
Transport type*
Select IMAP Email attachment and body fetcher from the drop-down menu.
Content type*
By default, this is set to Email Message.
See Ingestion results for more information.
Accept password protected archives
Select to display the Archive password field.
Host*
Enter the address of your IMAP server.
For example: imap.example.com
Username
Enter your IMAP account user name.
Password
Enter your IMAP account password.
Folder*
By default, this is set to INBOX.
Set this to the name of the email folder you want to process. For example, My inbox.
To fetch emails from more than one email folder, set up a new feed per target folder.
Delete mails
This permanently deletes all email messages that the feed fetches from your IMAP server, whether or not it manages to successfully ingest data from them.
Select this to have this feed delete email messages that it fetches from the target IMAP server.
Body of email
Select to ingest the body of email messages that this feed processes.
Attachments of email
Select to ingest all attachments from email messages that this feed processes.
The extension automatically detects the file type for these attachments and processes them as per Ingestion results.
Port*
Set to 993 by default.
Set this according to the instructions from your IMAP provider.
Use SSL
Selected by default.
To keyword
Leave To keyword, From keyword, and Subject keyword empty to fetch all emails from target IMAP folder.
Enter keyword(s) to only fetch emails whose Subject field contains them.
See Filtering messages for more information.
From keyword
Enter keyword(s) to only fetch emails whose Subject field contains them.
See Filtering messages for more information.
Subject keyword
Enter keyword(s) to only fetch emails whose Subject field contains them.
See Filtering messages for more information.
SSL certificate authentication
Select to enable SSL client certificate authentication.
When enabled, you can set the SSL certificate and key to use.
SSL certificate
Enter the contents of your PEM-formatted certificate chain files.
It should look like this:
-----BEGIN CERTIFICATE REQUEST----- MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln [...] 29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2 97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w= -----END CERTIFICATE REQUEST-----SSL key
Enter the contents of your PEM-formatted SSL certificate key.
It should look like this:
-----BEGINRSAPRIVATEKEY----- MIIEpQIBAAKCAQEA3Tz2mr7SZiAMfQyuvBjM9Oi..Z1BjP5CE/Wm/Rr500P RK+Lh9x5eJPo5CAZ3/ANBE0sTK0ZsDGMak2m1g7..3VHqIxFTz0Ta1d+NAj [...] engiVoWc/hkj8SBHZz1n1xLN7KDf8ySU06MDggB..hJ+gXJKy+gf3mF5Kmj DtkpjGHQzPF6vOe907y5NQLvVFGXUq/FIJZxB8k..fJdHEm2M4= -----ENDRSAPRIVATEKEY-----Store your changes by selecting Save.
Filtering messages
You can set this incoming feed to only fetch messages that contain specific keywords in their To, From, and Subject fields.
To do this, enter one or more keywords in the following fields of your feed configuration:
To keyword
From keyword
Subject keyword
Results of the keyword filters may vary between email providers. We recommend performing a dry run on a small mailbox folder before using the keyword filters on a large target folder.
Ingestion results
This extension downloads email messages from an IMAP server and allows you to ingest:
its message body
its attachments
or both.
Email message body
To ingest the email message body, select the Body of email option when setting up the feed.
Each email message that the feed fetches from the IMAP server is ingested to produce:
a report entity
the message body attached to the report as an .eml file
If an email is part of a reply thread, each email is ingested to produce it’s own Report entity.
Resulting Report entities have these fields set:
|
EclecticIQ Report entity field |
Content description |
|
Title |
Subject of email. This is set to the first 60 characters of an email’s subject field. All emails part of a reply thread will have the same title. E.g., Re: this is an email subject. |
|
Description/Analysis |
Email body. Body of HTML emails (MIME type text/html) is converted to plain text. |
|
Estimated threat start time |
Time email was ingested. |
|
Estimated observed time |
Time email was ingested. |
|
Attachment |
The original email is attached as an .eml file to the resulting Report entity, named <subject_name>.eml. Attachments for that email are embedded in the resulting .eml file. |
Email attachments
To ingest attachments from email messages, select the Attachment of email option when setting up the feed.
For each email message fetched, the feed extracts all attachments for that message. For each extracted attachment:
The extension attempts to detect its content type.
If the attachment is found to be one of the supported content types, the extension processes the attachment as that content type.
Supported content types are listed in the table below.
If the attachment is not found to be one of the supported content types, it is ingested as a text file.
The file headers and data preserved in the resulting text file.
The following table describes all supported content types:
|
Content type |
Description |
|
CAPEC XML |
Ingest CAPEC XML as TTPs. |
|
EclecticIQ JSON |
Ingest EclecticIQ JSON to produce EclecticIQ entitites. |
|
MISP JSON |
Ingest MISP JSON to produce Indicators and Incidents. |
|
|
Ingest PDF to produce:
|
|
SpyCloud Breach Data JSON |
Ingest JSON from SpyCloud to produce Incidents. |
|
STIX 1.0 |
Ingest STIX 1.0 XML. |
|
STIX 1.1 |
Ingest STIX 1.1 XML. |
|
STIX 1.1.1 |
Ingest STIX 1.1.1 XML. |
|
STIX 1.2 |
Ingest STIX 1.2 XML. |
|
STIX 2.1 |
Ingest STIX 2.1 JSON. See the documentation on how STIX 2.1 data is processed. |
|
Text |
If we cannot detect an attachment’s content type, that attachment is ingested as a text file with its file headers and content preserved. Ingest email attachments as ASCII text files, regardless of actual file type. This produces:
This content type is compatible with most file types. It treats all attachments as ASCII text files. File headers are preserved during this conversion. |
Deduplicated attachments
When this feed downloads an email attachment, it compares the file hash of the downloaded attachment with files that have already been processed by the Intelligence Center.
If the file hash matches an existing record, the email attachment is not ingested.