Using Automated Email Ingest
  • 21 Mar 2024
  • 2 Minutes to read
  • Dark
    Light

Using Automated Email Ingest

  • Dark
    Light

Article Summary

Overview

In addition to supporting manual importing of .eml and .msg files, ThreatConnect® allows you to set up phishing and feed mailboxes for automated ingestion of both Indicators and phishing emails. ThreatConnect will search for Indicators, automatically import them, and then associate these Indicators to an Email Group corresponding to the imported email.

Important
An Organization Administrator must create the phishing and feed mailboxes before you can use them.

Before You Start

Minimum Role(s)Organization role of Standard User
PrerequisitesAn .eml or .msg file

Feed Mailbox

  1. Copy the email address of the mailbox to be used.
    Important
    This email address will need to be created and supplied beforehand by an Organization Administrator. If you do not know the mailbox’s email address, contact an Organization Administrator. A System Administrator can rename the mailbox’s email address if desired (e.g., to make it more user friendly).
  2. Create a new email message in your email provider.
  3. Paste the email address in the To: field, and enter the Indicators you want ThreatConnect to ingest in the body of the email (Figure 1). Graphical user interface, text, application, email  Description automatically generated

     

  4. Once all information is entered, send the email.
    Important
    Remove any email signatures so that any email addresses or hostnames in the signature are not accidentally added as Indicators in ThreatConnect.
  5. If desired, you can navigate to the Browse screen to verify that the Indicators have been added to your Organization.

Phishing Mailbox

  1. Copy the email address of the mailbox to be used.
    Important
    This email address will need to be created and supplied beforehand by an Organization Administrator. If you do not know the mailbox’s email address, contact an Organization Administrator. A System Administrator can rename the mailbox’s email address if desired (e.g., to make it more user friendly).
  2. Create a new email message in your email provider.
  3. Paste the email address in the To: field, enter what you want to be the Email Group's name (Summary) in ThreatConnect as the subject line of the email, and add a phishing email as an .eml attachment (Figure 2). Graphical user interface, text, application, email  Description automatically generated

     

  4. Once all information is entered, send the email.
  5. Navigate to the Details screen for the new Email Group (Figure 3). Graphical user interface, application  Description automatically generated

     

  6. Click the UPDATE ANALYSIS button. The Import tab of the Import E-mail screen will be displayed (Figure 4). This screen displays the contents of the email and its header. Graphical user interface, text, application, email  Description automatically generated

     

  7. Click the Next button. The Score screen will be displayed (Figure 5). This screen displays a breakdown of how the total Score for the phishing email was calculated based on the email scoring rules configured on the E-mail Scoring tab of the System Settings screen. See the “Email-Scoring Rules” section of ThreatConnect System Administration Guide for more information. Graphical user interface, application, Teams  Description automatically generated

     

  8. Click the Next button. The Indicators screen will be displayed (Figure 6). Graphical user interface, text, application  Description automatically generated

     

  9. To add Indicators highlighted in the email header and body into ThreatConnect, hover over them and click the ADD INDICATOR button that is displayed, as demonstrated for the 72.255.12.30 Address Indicator in Figure 6. Indicators that are added will be displayed under the NEW heading on the Indicator List card (Figure 7).
    Important
    Indicators found in the email will be associated to the Email Group only if they exist in the Organization, Community, or Source to which the phishing mailbox belongs.
    Graphical user interface, text, application  Description automatically generated

     

  10. Click the Next button. The Confirm screen will be displayed (Figure 8). Graphical user interface, application  Description automatically generated

     

  11. Verify the data, and then click the SAVE button.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.

20045-01 v.07.C


Was this article helpful?