This workflow template automates email threat detection and case creation by continuously polling an Outlook mailbox for new messages. The EML files it retrieves are processed through nested workflows that extract content details and run security checks to identify potential threats. Each email is examined in turn: its URLs are inspected, defanged, and their hostnames resolved for threat verification, and image attachments are scanned for QR codes. These steps culminate in a detailed Torq case containing email header analysis, SPF/DKIM verification, HTML body screenshots, and attachment safety assessments, giving the team an organized repository of email-based incident reports.
Use Cases
Case Management
Workflow Breakdown
Polls Outlook for new messages, passing EML files to a nested workflow for content gathering.
Enrichment/linking occurs before mapping to generate a Torq case with email/nested email info.
EML inspection resolves URL hostnames, provides verdicts, and defangs URLs for the Torq case.
Image attachments are checked for QR codes; findings and observables are added as case comments.
Torq case includes EML details, HTML header notes, SPF/DKIM verdicts, and an HTML body screenshot.
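The EML handling that the breakdown above describes (parse the message, pull out URLs, defang them, resolve the hostnames, and read the SPF/DKIM verdicts into a case record) can be illustrated with standard-library Python. The block below is an added example written for this page, not the Torq template's own steps or any Torq API; it uses a constructed sample EML, a simplified regex-based URL extraction, and a pluggable `resolver` parameter (pass `socket.gethostbyname` to resolve for real, left unset here so it runs offline). The QR code and screenshot steps are not reproduced.

```python
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed sample EML standing in for a message pulled from the Outlook mailbox.
# The domains are placeholders, not real infrastructure.
SAMPLE_EML = b"""\
From: "Payroll" <payroll@example-sender.test>
To: analyst@example.test
Subject: Action required
Authentication-Results: mx.example.test;
 spf=fail smtp.mailfrom=example-sender.test;
 dkim=none header.d=example-sender.test
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review: <a href="http://login.example-sender.test/verify?id=1">here</a></p>
<p>Or https://docs.example.test/help</p>
</body></html>
"""

URL_RE = re.compile(r"""https?://[^\s<>"']+""")
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def parse_eml(raw: bytes):
    """Parse raw EML bytes into an EmailMessage using the modern email policy."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def extract_urls(msg) -> list:
    """Collect unique http(s) URLs from every text part (href targets and bare URLs)."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = part.get_content()
        for url in HREF_RE.findall(text) + URL_RE.findall(text):
            url = url.rstrip(".,)>")
            if url.lower().startswith(("http://", "https://")) and url not in urls:
                urls.append(url)
    return urls


def defang(url: str) -> str:
    """Rewrite http->hxxp and '.'->'[.]' so the URL is not clickable in case notes."""
    scheme, rest = url.split("://", 1)
    return scheme.replace("http", "hxxp") + "://" + rest.replace(".", "[.]")


def resolve_hosts(urls, resolver=None) -> dict:
    """Map each URL hostname to an address via resolver(host); None when unresolved."""
    resolved = {}
    for url in urls:
        host = urlparse(url).hostname
        if host is None or host in resolved:
            continue
        try:
            resolved[host] = resolver(host) if resolver else None
        except OSError:
            resolved[host] = None
    return resolved


def auth_verdicts(msg) -> dict:
    """Read spf/dkim/dmarc results from Authentication-Results headers (first wins)."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for mechanism, result in AUTH_RE.findall(str(header)):
            verdicts.setdefault(mechanism.lower(), result.lower())
    return verdicts


def build_case(raw: bytes, resolver=None) -> dict:
    """Assemble the fields a case record would carry for one EML."""
    msg = parse_eml(raw)
    urls = extract_urls(msg)
    return {
        "subject": str(msg["subject"]),
        "from": str(msg["from"]),
        "urls": [{"defanged": defang(u), "hostname": urlparse(u).hostname} for u in urls],
        "resolved": resolve_hosts(urls, resolver),
        "auth": auth_verdicts(msg),
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_case(SAMPLE_EML), indent=2))
```

Only the defanged form of each URL is written into the case record; the original string is kept in memory just long enough to parse the hostname, which is the same separation the template's defanging step is there to enforce.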
Vendors
Scripting, Utils, Microsoft Outlook, Microsoft 365, Torq, Torq Cases, Data Transformation
Tips