Utilidades de correo electrónico
Compatible con:
Google SecOps
SOAR
Descripción general
Es un conjunto de acciones de utilidad para trabajar con correos electrónicos. Incluye acciones para analizar archivos EML y encabezados de correos electrónicos.
Actions
Analizar encabezados de EML
Descripción
Obtiene un EML en Base64 o una lista de encabezados, y extrae o analiza sus encabezados.
Parámetros
| Parámetro | Tipo | Valor predeterminado | Is Mandatory | Descripción |
| EML en Base64 | String | N/A | No | Especifica la cadena Base64 del archivo EML. |
| Lista de encabezados | JSON | N/A | No | Especifica la lista de encabezados en formato JSON |
Ejemplo
En este ejemplo, analizamos los encabezados de un correo electrónico en formato JSON.
Configuraciones de acciones
| Parámetro | Valor |
| Entidades | Todas las entidades |
| EML en Base64 | En blanco |
| Lista de encabezados | |
-
Resultado de secuencia de comandos
Nombre del resultado de la secuencia de comandos Opciones de valor Ejemplo ScriptResult Verdadero/Falso Verdadero -
Resultado de JSON
{ "extracted_headers": {"F": "r", "T": "o", "C": "c", "S": "u", "D": "a", "M": "e", "M_2": "I", "C_2": "o", "C_3": "o", "X": "- ", "X_2": "-", "X_3": "-"}, "html_table_all_headers": "<table><tbody><tr><td>F</td><td>r</td></tr><tr><td>T</td><td>o</td></tr><tr><td>C</td><td>c</td></tr><tr><td>S</td><td>u</td></tr><tr><td>D</td><td>a</td></tr><tr><td>M</td><td>e</td></tr><tr><td>M_2</td><td>I</td></tr><tr><td>C_2</td><td>o</td></tr><tr><td>C_3</td><td>o</td></tr><tr><td>X</td><td>-</td></tr><tr><td>X_2</td><td>-</td></tr><tr><td>X_3</td><td>-</td></tr></tbody></table>", "list_of_domain_address": [], "header_analysis_result": [{"message": "\"Return-Path\" header does not exist", "score": 5, "status": "<div style=\"text-align:center\"><span style=\"height: 5px; width: 5px; background-color: #FF0000; border-radius: 50%; display: inline-block;\"></span></div>"}, {"message": "\"X-Distribution\" header checked (does not exist)", "score": 0, "status": "<div style=\"text-align:center\"><span style=\"height: 5px; width: 5px; background-color: #00FF00; border-radius: 50%; display: inline-block;\"></span></div>"}, {"message": "\"Bcc\" header checked (does not exist)", "score": 0, "status": "<div style=\"text-align:center\"><span style=\"height: 5px; width: 5px; background-color: #00FF00; border-radius: 50%; display: inline-block;\"></span></div>"}, {"message": "\"X-UIDL\" header checked (does not exist)", "score": 0, "status": "<div style=\"text-align:center\"><span style=\"height: 5px; width: 5px; background-color: #00FF00; border-radius: 50%; display: inline-block;\"></span></div>"}, {"message": "\"Message-ID\" header missing from original EML", "score": 5, "status": "<div style=\"text-align:center\"><span style=\"height: 5px; width: 5px; background-color: #FF0000; border-radius: 50%; display: inline-block;\"></span></div>"}], "total_rules_matched": 2, "total_rules_checked": 5, "header_analysis_result_html": "<table><tr><td style=\"padding-right:12px\"><div style=\"text-align:center\"><span style=\"height: 5px; width: 5px; background-color: #FF0000; border-radius: 50%; display: inline-block;\"></span></div></td><td>\"Return-Path\" header does not exist</td></tr><tr><td style=\"padding-right:12px\"><div style=\"text-align:center\"><span style=\"height: 5px; width: 5px; background-color: #00FF00; border-radius: 50%; display: inline-block;\"></span></div></td><td>\"X-Distribution\" header checked (does not exist)</td></tr><tr><td style=\"padding-right:12px\"><div style=\"text-align:center\"><span style=\"height: 5px; width: 5px; background-color: #00FF00; border-radius: 50%; display: inline-block;\"></span></div></td><td>\"Bcc\" header checked (does not exist)</td></tr><tr><td style=\"padding-right:12px\"><div style=\"text-align:center\"><span style=\"height: 5px; width: 5px; background-color: #00FF00; border-radius: 50%; display: inline-block;\"></span></div></td><td>\"X-UIDL\" header checked (does not exist)</td></tr><tr><td style=\"padding-right:12px\"><div style=\"text-align:center\"><span style=\"height: 5px; width: 5px; background-color: #FF0000; border-radius: 50%; display: inline-block;\"></span></div></td><td>\"Message-ID\" header missing from original EML</td></tr></table>" }
Analyze Headers
Descripción
Valida los registros SPF, DMARC, ARC y DKIM en el correo electrónico. También verificará si alguno de los servidores de retransmisión está en la lista de bloqueo consultando varias RBL y los enriquecerá con información de ubicación geográfica y de WHOIS de IP. Acepta un objeto JSON que contiene una lista de encabezados de correo electrónico.
Parámetros
| Parámetro | Tipo | Valor predeterminado | Is Mandatory | Descripción |
| JSON del encabezado | JSON | N/A | Sí | Especifica el objeto JSON que contiene los encabezados de correo electrónico. SUGERENCIA: Usa la acción “Buffer” en el Power-Up Tools para convertir la cadena en un objeto JSON. |
Ejemplo
En este caso, pasamos el encabezado json a la acción Buffer, que convierte una cadena en un objeto json y, luego, la pasa a las acciones Analyze Headers.
Configuraciones de acciones
| Parámetro | Valor |
| Entidades | Todas las entidades |
| JSON de encabezados | [Tools_Buffer_1.JsonResult | "header"] |
Resultados de la acción
-
Resultado de secuencia de comandos
Nombre del resultado de la secuencia de comandos Opciones de valor Ejemplo ScriptResult Verdadero/Falso Verdadero -
Resultado de JSON
{ "From": "\"test@example.com\" <test@examplecom>", "To": "test2@example.com, test2@example.com, mailmaster@example.com, mailmaster@example.org, webmaster@example.com, webmaster@example.org, webmaster@example.jp, mailmaster@example.jp", "Subject": "test confirmation", "MessageID": "<05c18622-f2ad-cb77-2ce9-a0bbfc7d7ad0@clear-code.com>", "Date": "Thu, 15 Aug 2019 14:54:37 +0900", "FromDomain": "clear-code.com", "FromParentDomain": "clear-code.com", "MFromDomain": "clear-code.com", "SPF": {"record": "v=spf1 ip4:219.94.234.64 ip4:153.126.206.245 ip6:2401:2500:102:3039:153:126:206:245 a:mail.clear-code.com aaaa:mail.clear-code.com ~all", "valid": true, "dns_lookups": 2, "warnings": ["The domain aaa:mail.clear-code.com does not exist"], "parsed": {"pass": [{"value": "219.94.234.64", "mechanism": "ip4"}, {"value": "153.126.206.245", "mechanism": "ip4"}, {"value": "2401:2500:102:3039:153:126:206:245", "mechanism": "ip6"}, {"value": "153.126.206.245", "mechanism": "a"}, {"value": "2401:2500:102:3039:153:126:206:245", "mechanism": "a"}], "neutral": [], "softfail": [], "fail": [], "include": [], "redirect": null, "exp": null, "all": "softfail"}, "Auth": false}, "DMARC": {"record": "v=DMARC1;p=none;sp=none", "valid": true, "location": "clear-code.com", "warnings": ["rua tag (destination for aggregate reports) not found"], "tags": {"v": {"value": "DMARC1", "explicit": true, "name": "Version", "description": "Identifies the record retrieved as a DMARC record. It MUST have the value of \"DMARC1\". The value of this tag MUST match precisely; if it does not or it is absent, the entire retrieved record MUST be ignored. It MUST be the first tag in the list."}, "p": {"value": "none", "explicit": true, "name": "Requested Mail Receiver Policy", "description": "Specifies the policy to be enacted by the Receiver at the request of the Domain Owner. The policy applies to the domain and to its subdomains, unless subdomain policy is explicitly described using the \"sp\" tag."}, "sp": {"value": "none", "explicit": true, "name": "Subdomain Policy", "description": "Indicates the policy to be enacted by the Receiver at the request of the Domain Owner. It applies only to subdomains of the domain queried, and not to the domain itself. Its syntax is identical to that of the \"p\" tag defined above. If absent, the policy specified by the \"p\" tag MUST be applied for subdomains."}, "adkim": {"value": "r", "explicit": false, "name": "DKIM Alignment Mode", "default": "r", "description": "In relaxed mode, the Organizational Domains of both the DKIM-authenticated signing domain (taken from the value of the \"d=\" tag in the signature) and that of the RFC 5322 From domain must be equal if the identifiers are to be considered aligned."}, "aspf": {"value": "r", "explicit": false, "name": "SPF alignment mode", "default": "r", "description": "In relaxed mode, the SPF-authenticated domain and RFC 5322 From domain must have the same Organizational Domain. In strict mode, only an exact DNS domain match is considered to produce Identifier Alignment."}, "fo": {"value": ["0"], "explicit": false, "name": "Failure Reporting Options", "default": "0", "description": "0: Generate a DMARC failure report if all underlying authentication mechanisms fail to produce an aligned \"pass\" result."}, "pct": {"value": 100, "explicit": false, "name": "Percentage", "default": 100, "description": "Integer percentage of messages from the Domain Owner's mail stream to which the DMARC policy is to be applied. However, this MUST NOT be applied to the DMARC-generated reports, all of which must be sent and received unhindered. The purpose of the \"pct\" tag is to allow Domain Owners to enact a slow rollout of enforcement of the DMARC mechanism."}, "rf": {"value": ["afrf"], "explicit": false, "name": "Report Format", "default": "afrf", "description": "afrf: \"Authentication Failure Reporting Using the Abuse Reporting Format\", RFC 6591, April 2012,<http://www.rfc-editor.org/info/rfc6591>"}, "ri": {"value": 86400, "explicit": false, "name": "Report Interval", "default": 86400, "description": "Indicates a request to Receivers to generate aggregate reports separated by no more than the requested number of seconds. DMARC implementations MUST be able to provide daily reports and SHOULD be able to provide hourly reports when requested. However, anything other than a daily report is understood to be accommodated on a best-effort basis."}}}, "MX": {"hosts": [{"preference": 10, "hostname": "mail.clear-code.com", "addresses": ["153.126.206.245", "2401:2500:102:3039:153:126:206:245"], "tls": true, "starttls": true}], "warnings": []}, "DNSSec": false, "DKIMVerify": false, "ARCVerify": {"result": "none", "details": [], "reason": "Message is not ARC signed"}, "RelayInfo": [], "SourceServer": "", "StrongSPF": true }
Analizar correo electrónico en Base64
Descripción
Se mejoró la acción Parse EML Base64. Analiza archivos EML y MSG.
Parámetros
| Parámetro | Tipo | Valor predeterminado | Is Mandatory | Descripción |
| Detener el transporte en el encabezado | String | N/A | No | Especifica el campo de encabezado en el que deseas detener el procesamiento del transporte. |
| Cadena Base64 de EML/MSG | String | N/A | Sí | Especifica la representación en Base64 de un archivo EML o MSG. |
| Encabezados en la lista de entidades bloqueadas | String | N/A | No | Especifica los encabezados que se excluirán de la respuesta. |
| Usar la lista de bloqueo como lista de entidades permitidas | Casilla de verificación | Desmarcado | No | Especifica si se deben incluir los encabezados enumerados. |
Ejemplo
En este caso, analizamos un correo electrónico EML representado en formato Base64.
Configuraciones de acciones
| Parámetro | Valor |
| Entidades | Todas las entidades |
| Detener el transporte en el encabezado | En blanco |
| Cadena Base64 de EML/MSG |
RGVsaXZIcmVkLVRvOiBvdGhtYWSIbUBnb29nbGUu\29tDQpSZWNl axZIZDogYnkgMjAwMjphMDU6NzMwMDo2MTQ30mlwojhlOmMyZjI6NTQ0OSB3aXRoIFNNVFAgaWQg aTdjc3AyMjcwMjMwZHliOwOKICAgICAgICBTYXQsIDE3IERIYyAyMDlyDE40j|20j|5ICOwODAwIChQ U1QpDQpYLUdvb2dsZ51TbXRWLVNvdXJjZTogQU1ywGRYdHIqR2cycl|XUTQvNORsNIB1MZRUOEg2VkVa L1|WZT]RLZV3Z2jvaERxbm94TzhhNisOMFIVbDBQNExrWnd4VF]GcHpLZgOKWC1SZWNlaXZIZDogYnkgMj AwMjphMDU6NmEyMDpkOTA10mlwOmFmOmIxNmI6\ZWViNSB3aXRolFNNVFAgaWQgamQ1LTIwMDIwYTA 1NmEyMGQ5MDUWMGIWMDBhZmIxNmjIZ |
| Encabezados en la lista de entidades bloqueadas | En blanco |
| Lista de usuarios bloqueados como lista de entidades permitidas | En blanco |
Resultados de la acción
-
Resultado de secuencia de comandos
Nombre del resultado de la secuencia de comandos Opciones de valor Ejemplo ScriptResult Verdadero/Falso Verdadero -
Resultado de JSON
{ "date": "2019-08-15 14:54:37+09:00", "from": "test@example.com", "header": { "content-language": [ "en-US" ], "content-type": [ "multipart/mixed; boundary=\"------------26A45336F6C6196BD8BBA2A2\"" ], "date": [ "Thu, 15 Aug 2019 14:54:37 +0900" ], "fcc": [ "imap://test@example.com/Sent" ], "from": [ "\"test@example.com\" <piro-test@clear-code.com>" ], "message-id": [ "<05c18622-f2ad-cb77-2ce9-a0bbfc7d7ad0@clear-code.com>" ], "mime-version": [ "1.0" ], "subject": [ "test confirmation" ], "to": [ "test3@example.com, test3@example.com, mailmaster@example.com, mailmaster@example.org, webmaster@example.com, webmaster@example.org, webmaster@example.jp, mailmaster@example.jp" ], "user-agent": [ "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Thunderbird/69.0" ], "x-account-key": [ "account1" ], "x-identity-key": [ "id1" ], "x-mozilla-draft-info": [ "internal/draft; vcard=0; receipt=0; DSN=0; uuencode=0; attachmentreminder=0; deliveryformat=4" ] }, "received": [], "received_domains_internal": [], "receiving": [], "sending": [], "subject": "test confirmation", "to": [ "piro.outsider.reflex+1@gmail.com", "piro.outsider.reflex+2@gmail.com", "mailmaster@example.com", "mailmaster@example.org", "webmaster@example.com", "webmaster@example.org", "webmaster@example.jp", "mailmaster@example.jp" ] }
Analizar el correo electrónico del muro del caso
Descripción
Esta acción analizará un archivo EML o MSG que se adjuntó al muro del caso.
Parámetros
| Parámetro | Tipo | Valor predeterminado | Is Mandatory | Descripción |
| Crea entidades | Casilla de verificación | Marcado | No | Cuando se habilita, se crearán entidades de usuario a partir de los encabezados Para y De, y una entidad de asunto de correo electrónico a partir del campo Asunto. |
| Regex de exclusión de entidades | String | N/A | No | No se crearán las entidades observadas que coincidan con la regex proporcionada. |
| Solo EML original | Casilla de verificación | Marcado | No | Extrae el archivo adjunto solo del EML original. |
| Entidades observadas creadas | Lista desplegable | Todos | No | Crea entidades a partir de las entidades observadas en el cuerpo del correo electrónico. "All" creará entidades de URL, correo electrónico, IP y hash. |
| Guardar el archivo adjunto en el muro de casos | Casilla de verificación | Marcado | No | Guardar el archivo adjunto extraído en el muro del caso |
| Entidades de Fang | Casilla de verificación | Marcado | No | Cuando está habilitada, las entidades deshabilitadas se convertirán en entidades habilitadas. |
| Regex de entidades personalizadas | Lista desplegable | JSON | No | Es un objeto JSON que puede analizar entidades del cuerpo y el asunto. |
Ejemplo
En este ejemplo, analizamos un archivo EML adjunto al muro del caso. Si hay archivos adjuntos en el archivo EML, se agregarán al muro del caso. También creamos entidades basadas en los datos del archivo.
Configuraciones de acciones
| Parámetro | Valor |
| Crea entidades | Marcado |
| Regex de exclusión de entidades | En blanco |
| Solo EML original | Marcado |
| Entidades observadas creadas | Todos |
| Guardar el archivo adjunto en el muro de casos | Marcado |
| Entidades de Fang | Marcado |
| Regex de entidades personalizadas | En blanco |
Resultados de la acción
-
Resultado de secuencia de comandos
Nombre del resultado de la secuencia de comandos Opciones de valor Ejemplo ScriptResult Verdadero/Falso Verdadero -
Resultado de JSON
{"parsed_emails": [{"attached_emails": [{"attachments": [{"content_header": {"content-disposition": ["attachment; filename=\"attachment.txt\""], "content-transfer-encoding": ["base64"], "content-type": ["text/plain; name=\"attachment.txt\""]}, "extension": "txt", "filename": "attachment.txt", "hash": {"md5": "6529d73ba8183760ad174644e75684fe", "sha1": "dd88508cda7bcfc71ffdbc0e26afe97d3fb9a0b6", "sha256": "1f209f1560df8cb6e983dff99d7a7d2db8dc3e439226abd38ef34facdffd82ec", "sha512": "310d2df6f770dafdf4f84d9851e3fad011d4eb0c5a8af9a5f6d237fb733bca41d41ad6b00efdc 2b5c218207f1a1ac99339923d3c389368f0c1d2ba58e8e1893a"}, "level": 0, "mime_type": "ASCII text, with no line terminators", "mime_type_short": "text/plain", "ole_data": [{"description": "", "hide_if_false": true, "id": "ftype", "name": "File format", "risk": "info", "value": "Unknown file type"}, {"description": "Container type", "hide_if_false": true, "id": "container", "name": "Container format", "risk": "info", "value": "Unknown Container"}, {"description": "The file is not encrypted", "hide_if_false": false, "id": "encrypted", "name": "Encrypted", "risk": "none", "value": false}, {"description": "This file contains VBA macros. No suspicious keyword was found. Use olevba and mraptor for more info.", "hide_if_false": false, "id": "vba", "name": "VBA Macros", "risk": "Medium", "value": "Yes"}, {"description": "This file does not contain Excel 4/XLM macros.", "hide_if_false": false, "id": "xlm", "name": "XLM Macros", "risk": "none", "value": "No"}, {"description": "External relationships such as remote templates, remote OLE objects, etc", "hide_if_false": false, "id": "ext_rels", "name": "External Relationships", "risk": "none", "value": 0}, {"description": "Contains an ObjectPool stream, very likely to contain embedded OLE objects or files. Use oleobj to check it.", "hide_if_false": true, "id": "ObjectPool", "name": "ObjectPool", "risk": "none", "value": false}, {"description": "Number of embedded Flash objects (SWF files) detected in OLE streams. Not 100% accurate, there may be false positives.", "hide_if_false": true, "id": "flash", "name": "Flash objects", "risk": "none", "value": 0}], "size": 64}], "body": [{"content": "This is an HTML message. Please use an HTML capable mail program to read\nthis message.\n", "content_type": "text/plain", "hash": "f342fe66117848e74b7bbade740715d2bf9e0487b0386abdf54eb8f3371e9f33", "parsed_entities": []}, {"content": "<html>\n<head>\n<title>Testing Manuel Lemos' MIME E-mail composing and sending PHP class: HTML message</title>\n<style type=\"text/css\"><!--\nbody { color: black ; font-family: arial, helvetica, sans-serif ; background-color: #A3C5CC }\nA:link, A:visited, A:active { text-decoration: underline }\n--></style>\n</head>\n<body>\n<table background=\"cid:4c837ed463ad29c820668e835a270e8a.gif\" width=\"100%\">\n<tr>\n<td>\n<center><h1>Testing Manuel Lemos' MIME E-mail composing and sending PHP class: HTML message</h1></center>\n<hr>\n<P>Hello Manuel,<br><br>\nThis message is just to let you know that the <a href=\"http://www.phpclasses.org/mimemessage\">MIME E-mail message composing and sending PHP class</a> is working as expected.<br><br>\n<center><h2>Here is an image embedded in a message as a separate part:</h2></center>\n<center><img src=\"cid:ae0357e57f04b8347f7621662cb63855.gif\"></center>Thank you,<br>\nmlemos</p>\n</td>\n</tr>\n</table>\n</body>\n</html>", "content_type": "text/html", "hash": "976f0f71aa3bb9c03229231d456db63637713b156e7728e7297266b070cbb21e", "parsed_entities": [{"entity_type": "DestinationURL", "identifier": "http://www.phpclasses.org/mimemessage"}, {"entity_type": "DOMAIN", "identifier": "phpclasses.org"}]}], "header": {"bcc": [], "cc": [], "date": "2005-04-30T19:28:29-03:00", "delivered_to": [], "from": "mlemos@acm.org", "header": {"content-type": ["multipart/mixed; boundary=\"652b8c4dcb00cdcdda1e16af36781caf\""], "date": ["Sat, 30 Apr 2005 19:28:29 -0300"], "from": ["mlemos <mlemos@acm.org>"], "message-id": ["<20050430192829.0489.mlemos@acm.org>"], "mime-version": ["1.0"], "reply-to": ["mlemos <mlemos@acm.org>"], "return-path": ["<mlemos@acm.org>"], "sender": ["mlemos@acm.org"], "subject": ["Testing Manuel Lemos' MIME E-mail composing and sending PHP class: HTML message"], "to": ["Manuel Lemos <mlemos@linux.local>"], "x-mailer": ["http://www.phpclasses.org/mimemessage $Revision: 1.63 $ (mail)"]}, "parsed_entities": [], "received": [], "receiving": [], "reply_to": "mlemos@acm.org", "return_path": null, "sending": [], "subject": "Testing Manuel Lemos' MIME E-mail composing and sending PHP class: HTML message", "to": ["mlemos@linux.local"], "transport": null}, "level": 0, "source_file": "sample.eml"}], "attachment_id": 17, "attachment_name": "sample.eml", "attachments": [{"content_header": {"content-disposition": ["attachment; filename=\"attachment.txt\""], "content-transfer-encoding": ["base64"], "content-type": ["text/plain; name=\"attachment.txt\""]}, "extension": "txt", "filename": "attachment.txt", "hash": {"md5": "6529d73ba8183760ad174644e75684fe", "sha1": "dd88508cda7bcfc71ffdbc0e26afe97d3fb9a0b6", "sha256": "1f209f1560df8cb6e983dff99d7a7d2db8dc3e439226abd38ef34facdffd82ec", "sha512": "310d2df6f770dafdf4f84d9851e3fad011d4eb0c5a8af9a5f6d237fb733bca41d41ad6b00efdc 2b5c218207f1a1ac99339923d3c389368f0c1d2ba58e8e1893a"}, "level": 0, "mime_type": "ASCII text, with no line terminators", "mime_type_short": "text/plain", "ole_data": [{"description": "", "hide_if_false": true, "id": "ftype", "name": "File format", "risk": "info", "value": "Unknown file type"}, {"description": "Container type", "hide_if_false": true, "id": "container", "name": "Container format", "risk": "info", "value": "Unknown Container"}, {"description": "The file is not encrypted", "hide_if_false": false, "id": "encrypted", "name": "Encrypted", "risk": "none", "value": false}, {"description": "This file contains VBA macros. No suspicious keyword was found. Use olevba and mraptor for more info.", "hide_if_false": false, "id": "vba", "name": "VBA Macros", "risk": "Medium", "value": "Yes"}, {"description": "This file does not contain Excel 4/XLM macros.", "hide_if_false": false, "id": "xlm", "name": "XLM Macros", "risk": "none", "value": "No"}, {"description": "External relationships such as remote templates, remote OLE objects, etc", "hide_if_false": false, "id": "ext_rels", "name": "External Relationships", "risk": "none", "value": 0}, {"description": "Contains an ObjectPool stream, very likely to contain embedded OLE objects or files. Use oleobj to check it.", "hide_if_false": true, "id": "ObjectPool", "name": "ObjectPool", "risk": "none", "value": false}, {"description": "Number of embedded Flash objects (SWF files) detected in OLE streams. Not 100% accurate, there may be false positives.", "hide_if_false": true, "id": "flash", "name": "Flash objects", "risk": "none", "value": 0}], "size": 64}], "result": {"attachments": [{"content_header": {"content-disposition": ["attachment; filename=\"attachment.txt\""], "content-transfer-encoding": ["base64"], "content-type": ["text/plain; name=\"attachment.txt\""]}, "extension": "txt", "filename": "attachment.txt", "hash": {"md5": "6529d73ba8183760ad174644e75684fe", "sha1": "dd88508cda7bcfc71ffdbc0e26afe97d3fb9a0b6", "sha256": "1f209f1560df8cb6e983dff99d7a7d2db8dc3e439226abd38ef34facdffd82ec", "sha512": "310d2df6f770dafdf4f84d9851e3fad011d4eb0c5a8af9a5f6d237fb733bca41d41ad6b00efdc 2b5c218207f1a1ac99339923d3c389368f0c1d2ba58e8e1893a"}, "level": 0, "mime_type": "ASCII text, with no line terminators", "mime_type_short": "text/plain", "ole_data": [{"description": "", "hide_if_false": true, "id": "ftype", "name": "File format", "risk": "info", "value": "Unknown file type"}, {"description": "Container type", "hide_if_false": true, "id": "container", "name": "Container format", "risk": "info", "value": "Unknown Container"}, {"description": "The file is not encrypted", "hide_if_false": false, "id": "encrypted", "name": "Encrypted", "risk": "none", "value": false}, {"description": "This file contains VBA macros. No suspicious keyword was found. Use olevba and mraptor for more info.", "hide_if_false": false, "id": "vba", "name": "VBA Macros", "risk": "Medium", "value": "Yes"}, {"description": "This file does not contain Excel 4/XLM macros.", "hide_if_false": false, "id": "xlm", "name": "XLM Macros", "risk": "none", "value": "No"}, {"description": "External relationships such as remote templates, remote OLE objects, etc", "hide_if_false": false, "id": "ext_rels", "name": "External Relationships", "risk": "none", "value": 0}, {"description": "Contains an ObjectPool stream, very likely to contain embedded OLE objects or files. Use oleobj to check it.", "hide_if_false": true, "id": "ObjectPool", "name": "ObjectPool", "risk": "none", "value": false}, {"description": "Number of embedded Flash objects (SWF files) detected in OLE streams. Not 100% accurate, there may be false positives.", "hide_if_false": true, "id": "flash", "name": "Flash objects", "risk": "none", "value": 0}], "size": 64}], "body": [{"content": "This is an HTML message. Please use an HTML capable mail program to read\nthis message.\n", "content_type": "text/plain", "hash": "f342fe66117848e74b7bbade740715d2bf9e0487b0386abdf54eb8f3371e9f33", "parsed_entities": []}, {"content": "<html>\n<head>\n<title>Testing Manuel Lemos' MIME E-mail composing and sending PHP class: HTML message</title>\n<style type=\"text/css\"><!--\nbody { color: black ; font-family: arial, helvetica, sans-serif ; background-color: #A3C5CC }\nA:link, A:visited, A:active { text-decoration: underline }\n--></style>\n</head>\n<body>\n<table background=\"cid:4c837ed463ad29c820668e835a270e8a.gif\" width=\"100%\">\n<tr>\n<td>\n<center><h1>Testing Manuel Lemos' MIME E-mail composing and sending PHP class: HTML message</h1></center>\n<hr>\n<P>Hello Manuel,<br><br>\nThis message is just to let you know that the <a href=\"http://www.phpclasses.org/mimemessage\">MIME E-mail message composing and sending PHP class</a> is working as expected.<br><br>\n<center><h2>Here is an image embedded in a message as a separate part:</h2></center>\n<center><img src=\"cid:ae0357e57f04b8347f7621662cb63855.gif\"></center>Thank you,<br>\nmlemos</p>\n</td>\n</tr>\n</table>\n</body>\n</html>", "content_type": "text/html", "hash": "976f0f71aa3bb9c03229231d456db63637713b156e7728e7297266b070cbb21e", "parsed_entities": [{"entity_type": "DestinationURL", "identifier": "http://www.phpclasses.org/mimemessage"}, {"entity_type": "DOMAIN", "identifier": "phpclasses.org"}]}], "header": {"bcc": [], "cc": [], "date": "2005-04-30T19:28:29-03:00", "delivered_to": [], "from": "mlemos@acm.org", "header": {"content-type": ["multipart/mixed; boundary=\"652b8c4dcb00cdcdda1e16af36781caf\""], "date": ["Sat, 30 Apr 2005 19:28:29 -0300"], "from": ["mlemos <mlemos@acm.org>"], "message-id": ["<20050430192829.0489.mlemos@acm.org>"], "mime-version": ["1.0"], "reply-to": ["mlemos <mlemos@acm.org>"], "return-path": ["<mlemos@acm.org>"], "sender": ["mlemos@acm.org"], "subject": ["Testing Manuel Lemos' MIME E-mail composing and sending PHP class: HTML message"], "to": ["Manuel Lemos <mlemos@linux.local>"], "x-mailer": ["http://www.phpclasses.org/mimemessage $Revision: 1.63 $ (mail)"]}, "parsed_entities": [], "received": [], "receiving": [], "reply_to": "mlemos@acm.org", "return_path": null, "sending": [], "subject": "Testing Manuel Lemos' MIME E-mail composing and sending PHP class: HTML message", "to": ["mlemos@linux.local"], "transport": null}, "level": 0, "source_file": "sample.eml"}}] }
Analiza el objeto Blob Base64 de EML
Descripción
Decodifica una cadena en base64 y trata de analizarla como un archivo EML. Devolverá una lista de objetos analizados.
Parámetros
| Parámetro | Tipo | Valor predeterminado | Is Mandatory | Descripción |
| Objeto Blob de EML en Base64 | String | N/A | Sí | Especifica la cadena codificada en Base64 de un archivo EML. |
Ejemplo
En este ejemplo, pasamos una representación en base64 de un archivo de correo electrónico para analizar su contenido.
Configuraciones de acciones
| Parámetro | Valor |
| Entidades | Todas las entidades |
| Cadena Base64 de EML/MSG | |
Resultados de la acción
-
Resultado de secuencia de comandos
Nombre del resultado de la secuencia de comandos Opciones de valor Ejemplo ScriptResult Verdadero/Falso Verdadero -
Resultado de JSON
[{ "Entity": "test confirmation", "EntityResult": {"base64_blob": "RkNDOiBpbWFwOi8vcGlyby10ZXN0QG1haWwuY2xlYXItY29kZS5jb20vU2VudApYLUlkZW50aXR5LUtleTogaWQxCl gtQWNjb3VudC1LZXk6IGFjY291bnQxCkZyb206ICJwaXJvLXRlc3RAY2xlYXItY29kZS5jb20iIDxwaXJvLXRlc3RAY2xlYXItY29kZS5jb20+ClN1YmplY3Q6IHRlc3QgY29uZmlybWF0aW9uClRvOiBwaXJvLm91dHNpZGVyLnJlZmxleCsxQGdtYWlsLmNvbSwgcGlyby5vdXRzaWRlci5yZWZsZXgrMkBnbWFpbC5jb20sCiBtYWlsbWFzdGVyQGV4YW1wbGUuY29tLCBtYWlsbWFzdGVyQGV4YW1wbGUub3JnLCB3ZWJtYXN0ZXJAZXhhbXBsZS5jb20sCiB3ZWJtYXN0ZXJAZXhhbXBsZS5vcmcsIHdlYm1hc3RlckBleGFtcGxlLmpwLCBtYWlsbWFzdGVyQGV4YW1wbGUuanAKTWVzc2FnZS1JRDogPDA1YzE4NjIyLWYyYWQtY2I3Ny0yY2U5LWEwYmJmYzdkN2FkMEBjbGVhci1jb2RlLmNvbT4KRGF0ZTogVGh1LCAxNSBBdWcgMjAxOSAxNDo1NDozNyArMDkwMApYLU1vemlsbGEtRHJhZnQtSW5mbzogaW50ZXJuYWwvZHJhZnQ7IHZjYXJkPTA7IHJlY2VpcHQ9MDsgRFNOPTA7IHV1ZW5jb2RlPTA7CiBhdHRhY2htZW50cmVtaW5kZXI9MDsgZGVsaXZlcnlmb3JtYXQ9NApVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0OyBydjo2OS4wKSBHZWNrby8yMDEwMDEwMQogVGh1bmRlcmJpcmQvNjkuMApNSU1FLVZlcnNpb246IDEuMApDb250ZW50LVR5cGU6IG11bHRpcGFydC9taXhlZDsKIGJvdW5kYXJ5PSItLS0tLS0tLS0tLS0yNkE0NTMzNkY2QzYxOTZCRDhCQkEyQTIiCkNvbnRlbnQtTGFuZ3VhZ2U6IGVuLVVTCgpUaGlzIGlzIGEgbXVsdGktcGFydCBtZXNzYWdlIGluIE1JTUUgZm9ybWF0LgotLS0tLS0tLS0tLS0tLTI2QTQ1MzM2RjZDNjE5NkJEOEJCQTJBMgpDb250ZW50LVR5cGU6IHRleHQvcGxhaW47IGNoYXJzZXQ9dXRmLTg7IGZvcm1hdD1mbG93ZWQKQ29udGVudC1UcmFuc2Zlci1FbmNvZGluZzogN2JpdAp0ZXN0dGVzdAp0ZXN0dGVzdAp0ZXN0dGVzdAp0ZXN0dGVzdAp0ZXN0dGVzdAp0ZXN0dGVzdAotLS0tLS0tLS0tLS0tLTI2QTQ1MzM2RjZDNjE5NkJEOEJCQTJBMgpDb250ZW50LVR5cGU6IHRleHQvcGxhaW47IGNoYXJzZXQ9VVRGLTg7CiBuYW1lPSJzaGExaGFzaC50eHQiCkNvbnRlbnQtVHJhbnNmZXItRW5jb2Rpbmc6IGJhc2U2NApDb250ZW50LURpc3Bvc2l0aW9uOiBhdHRhY2htZW50OwogZmlsZW5hbWU9InNoYTFoYXNoLnR4dCIKTnpSak9HWXdPV1JtWVRNd1pXRmpZMlppTXpreVlqRXpNak14Tkdaak5tSTVOemhtTXpJMVlTQXFabXhsZUMxamIyNW1hWEp0CkxXMWhhV3d1TVM0eE1DNHdMbmh3YVFwalkyVmxOR0kwWVdFME4yWTFNVE5oWW1ObE16UXlZMlV4WlRKbFl6Sm1aRGsyTURCbApNekZpSUNwbWJHVjRMV052Ym1acGNtMHRiV0ZwYkM0eExqRXhMakF1ZUhCcENqQTNNV1U1WlRNM09HRmtNREUzT1dKbVlXUmkKTVdKa1l6WTFNR0UwT1RRMU5HUXlNRFJoT0RNZ0ttWnNaWGd0WTI5dVptbHliUzF0WVdsc0xqRXVNVEl1TUM1NGNHa0tPV1EzCllXRXhOVE0wTVRobFlUaG1ZbU00WW1VM1ltRTJaalUwWTJVNFlURmpZamRsWlRRMk9DQXFabXhsZUMxamIyNW1hWEp0TFcxaAphV3d1TVM0NUxqa3VlSEJwQ2pneE5qZzFOak5qWWpJM05tVmhOR1k1WVRKaU5qTXdZamxoTWpBM1pEa3dabUl4TVRnMU5tVWcKS21ac1pYZ3RZMjl1Wm1seWJTMXRZV2xzTG5od2FRbz0KLS0tLS0tLS0tLS0tLS0yNkE0NTMzNkY2QzYxOTZCRDhCQkEyQTIKQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi9qc29uOwogbmFtZT0ibWFuaWZlc3QuanNvbiIKQ29udGVudC1UcmFuc2Zlci1FbmNvZGluZzogYmFzZTY0CkNvbnRlbnQtRGlzcG9zaXRpb246IGF0dGFjaG1lbnQ7CiBmaWxlbmFtZT0ibWFuaWZlc3QuanNvbiIKZXdvZ0lDSnRZVzVwWm1WemRGOTJaWEp6YVc5dUlqb2dNaXdLSUNBaVlYQndiR2xqWVhScGIyNXpJam9nZXdvZ0lDQWdJbWRsClkydHZJam9nZXdvZ0lDQWdJQ0FpYVdRaU9pQWlabXhsZUdsaWJHVXRZMjl1Wm1seWJTMXRZV2xzUUdOc1pXRnlMV052WkdVdQpZMjl0SWl3S0lDQWdJQ0FnSW5OMGNtbGpkRjl0YVc1ZmRtVnljMmx2YmlJNklDSTJPQzR3SWdvZ0lDQWdmUW9nSUgwc0NpQWcKSW01aGJXVWlPaUFpUm14bGVDQkRiMjVtYVhKdElFMWhhV3dpTEFvZ0lDSmtaWE5qY21sd2RHbHZiaUk2SUNKRGIyNW1hWEp0CklHMWhhV3hoWkdSeVpYTnpJR0Z1WkNCaGRIUmhZMmh0Wlc1MGN5QmlZWE5sWkNCdmJpQm1iR1Y0YVdKc1pTQnlkV3hsY3k0aQpMQW9nSUNKMlpYSnphVzl1SWpvZ0lqSXVNQ0lzQ2dvZ0lDSnNaV2RoWTNraU9pQjdDaUFnSUNBaWRIbHdaU0k2SUNKNGRXd2kKTEFvZ0lDQWdJbTl3ZEdsdmJuTWlPaUI3Q2lBZ0lDQWdJQ0p3WVdkbElqb2dJbU5vY205dFpUb3ZMMk52Ym1acGNtMHRiV0ZwCmJDOWpiMjUwWlc1MEwzTmxkSFJwYm1jdWVIVnNJaXdLSUNBZ0lDQWdJbTl3Wlc1ZmFXNWZkR0ZpSWpvZ2RISjFaUW9nSUNBZwpmUW9nSUgwS2ZRPT0KLS0tLS0tLS0tLS0tLS0yNkE0NTMzNkY2QzYxOTZCRDhCQkEyQTItLQ==", "headers": [["FCC", "imap://piro-test@mail.clear-code.com/Sent"], ["X-Identity-Key", "id1"], ["X-Account-Key", "account1"], ["From", "\"test@example.com\"
¿Necesitas más ayuda? Obtén respuestas de miembros de la comunidad y profesionales de Google SecOps.