Incoming feed - IMAP email attachment fetcher

The IMAP Email fetcher and IMAP Email Attachment fetcher are End of Life as of 5th April 2022.

They will continue to be available for download, and are eligible for support until End of Support Life (EOSL) on 5th October 2022. EOSL products receive critical fixes and security updates, but no further improvements.

Use the newer IMAP Email and attachment fetcher instead.


This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Configure incoming feeds general options.


Specifications

Transport types

IMAP Email attachment fetcher

Content type

See Ingested content types.

Ingested data

Ingests only email attachments from a given IMAP server.

Endpoint(s)

N/A

Processed data

See Ingested content types.

Back up your Inbox folder before running this feed.

Fetching emails with this transport type will delete emails that it downloads, even if processing the attachment fails.

Deduplication of attachments also deletes the emails they arrived in.

Requirements

  • IMAP-enabled email account

  • IMAP user name

  • IMAP password

Limitations

  • Emails are only fetched from the Inbox folder of the target email account.

  • These email providers are not supported:

    • Microsoft Office 365 Outlook

Configure the incoming feed

  1. Create or edit an incoming feed.

  2. Under Transport and content, fill out these fields:

    Required fields are marked with an asterisk (*).

    Field

    Description

    Transport type*

    Select IMAP Email attachment fetcher from the drop-down menu.

    Content type*

    Select a content type from the drop-down menu.

    See Ingested content types for more information.

    If the selected content type is not compatible with the retrieved attachment file type, the feed fails.

    Accept password protected archives

    Select to display the Archive password field.

    Archive password

    Enter a password to decrypt archives downloaded from this feed.

    If the Archive password field does not appear, select a different Content type, and then re-select your intended Content type to force it to appear.

    Host*

    Enter the address of your IMAP server.

    For example: imap.example.com

    Username

    Enter your IMAP account user name.

    Password

    Enter your IMAP account password.

    Use SSL

    Most IMAP servers require IMAP SSL. If your feed appears to be unable to fetch emails, select this option to fetch using IMAP SSL.

    • Leave the option cleared to use the default IMAP port 143.

    • Select to use the IMAP SSL port 993.

    To keyword

    Leave To keyword, From keyword, and Subject keyword empty to fetch all emails from your IMAP Inbox folder.

    Enter a keyword to only include emails that have a “To” field (email recipients) containing content that matches it.

    From keyword

    Enter a keyword to only include emails that have a “From” field (sender’s email address) containing content that matches it.

    Subject keyword

    Enter a keyword to only include emails that have a “Subject” field (email subject) containing content that matches it.

    SSL certificate authentication

    Select to enable SSL client certificate authentication.

    When enabled, you can set the SSL certificate and key to use.

    SSL certificate

    Enter the contents of your PEM-formatted certificate chain files.

    It should look like this:

    -----BEGIN CERTIFICATE REQUEST-----
    MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV
    BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln
    [...]
    29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2
    97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w=
    -----END CERTIFICATE REQUEST-----

    SSL key

    Enter the contents of your PEM-formatted SSL certificate key.

    It should look like this:

    -----BEGIN RSA PRIVATE KEY-----
    MIIEpQIBAAKCAQEA3Tz2mr7SZiAMfQyuvBjM9Oi..Z1BjP5CE/Wm/Rr500P
    RK+Lh9x5eJPo5CAZ3/ANBE0sTK0ZsDGMak2m1g7..3VHqIxFTz0Ta1d+NAj
    [...]
    engiVoWc/hkj8SBHZz1n1xLN7KDf8ySU06MDggB..hJ+gXJKy+gf3mF5Kmj
    DtkpjGHQzPF6vOe907y5NQLvVFGXUq/FIJZxB8k..fJdHEm2M4=
    -----END RSA PRIVATE KEY-----

  3. Store your changes by selecting Save.

Ingested content types

This incoming feed downloads emails from an IMAP server and only ingests its attachments. The rest of the email is discarded.

If you want to keep both the email body and its attachments, use the Incoming feed - IMAP email fetcher instead.

Content type table

Select a content type to ingest email attachments as that content type.

The content type you select must match the content type of the email attachments being ingested, or the feed will fail.

Available content types:

Content type

Description

CAPEC XML

Ingest CAPEC XML as TTPs.

EclecticIQ JSON

Ingest EclecticIQ JSON to produce EclecticIQ entities.

Email Message

Similar to the Text content type.

Ingest email attachments to produce:

  • A Report entity.

    • The email attachment is converted to ASCII text, and set to the Analysis field of the entity.

      The UI displays UTF-8 text, but the data is stored as ASCII.

    • An EML file attached to the entity. This EML file is the ingested email attachment directly converted to ASCII text.

See the Text content type below for more information.

The email body is discarded even though the target content type is “Email Message”. Only email attachments are ingested.

MISP JSON

Ingest MISP JSON to produce Indicators and Incidents.

PDF

Ingest PDF to produce:

  • A Report entity.

  • The text content of the PDF set to the Analysis field of the entity.

  • The original PDF attached to the entity.

SpyCloud Breach Data JSON

Ingest JSON from SpyCloud to produce Incidents.

STIX 1.0

Ingest STIX 1.0 XML.

STIX 1.1

Ingest STIX 1.1 XML.

STIX 1.1.1

Ingest STIX 1.1.1 XML.

STIX 1.2

Ingest STIX 1.2 XML.

STIX 2.1

Ingest STIX 2.1 JSON. See the documentation on how STIX 2.1 data is processed.

Text

Ingest email attachments as ASCII text files, regardless of actual file type.

This produces:

  • A Report entity.

  • The ASCII text content of the ingested file set to the Assessment field of the entity.

    The UI displays UTF-8 text, but the data is stored as ASCII.

  • The original file attached to the entity.

This content type is compatible with most file types. It treats all attachments as ASCII text files.

File headers are preserved during this conversion.

Deduplicated attachments

When this feed downloads an email attachment, it compares the file hash of the downloaded attachment with files that have already been processed by the Intelligence Center.

If the file hash matches an existing record, the email attachment is not ingested.

Emails containing attachments that have been deduplicated are also deleted from the target email account’s Inbox once this feed accesses its contents.

Back up your Inbox folder before running this feed.
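The following is an added example, not EclecticIQ code: a dry-run helper that shows what the keyword filters, the Use SSL port choice and the hash-based deduplication described above will do to an Inbox, and backs up every matching message as .eml before the feed deletes it. The host, account and sample message are constructed assumptions; the attachment hashes use SHA-256, an assumption since the page does not name the hash algorithm.

```python
import email
import hashlib
import imaplib
import ssl
from email.message import EmailMessage
from pathlib import Path


def build_search_criteria(to_kw="", from_kw="", subject_kw=""):
    """Map the feed's To/From/Subject keyword fields onto IMAP SEARCH keys; all empty means ALL."""
    parts = []
    for key, value in (("TO", to_kw), ("FROM", from_kw), ("SUBJECT", subject_kw)):
        if value:
            parts += [key, f'"{value}"']  # quoted so values containing spaces survive
    return parts or ["ALL"]

def attachment_hashes(raw_message):
    """Return [(filename, sha256_hex)] for each attachment part of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message)
    return [(p.get_filename(), hashlib.sha256(p.get_payload(decode=True) or b"").hexdigest())
            for p in msg.walk() if p.get_content_disposition() == "attachment"]

def would_be_deduplicated(raw_message, seen_hashes):
    """True when every attachment was already processed; the feed still deletes the email."""
    hashes = [h for _, h in attachment_hashes(raw_message)]
    return bool(hashes) and all(h in seen_hashes for h in hashes)

def sample_message(payload, filename):
    """Constructed sample email (not real traffic) with one attachment, as raw bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "soc@example.com", "report"
    m.set_content("see attachment")
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()

def backup_inbox(host, username, password, use_ssl=True, out_dir="inbox-backup", **keywords):
    """Save every Inbox message the feed would fetch as .eml, without touching server flags."""
    if use_ssl:  # Use SSL selected: port 993, server certificate verified
        conn = imaplib.IMAP4_SSL(host, 993, ssl_context=ssl.create_default_context())
    else:        # option cleared: plain IMAP on port 143
        conn = imaplib.IMAP4(host, 143)
    conn.login(username, password)
    conn.select("INBOX", readonly=True)  # read-only: nothing can be flagged as deleted
    _, data = conn.search(None, *build_search_criteria(**keywords))
    Path(out_dir).mkdir(exist_ok=True)
    for num in data[0].split():
        _, fetched = conn.fetch(num, "(RFC822)")
        Path(out_dir, f"{num.decode()}.eml").write_bytes(fetched[0][1])
    conn.logout()
    return len(data[0].split())
```

Run backup_inbox against your own account (for example with subject_kw="report") before enabling the feed; the .eml files it writes are what the fetcher will remove from the Inbox.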