Get Email MTA Path

Gets email MTA path from raw email data

Implementation	System
Command Category	Cyber Utility
Tags	EMAIL ARTIFACT

Inputs

Parameter Name

Required/Optional

Description

Sample Data

Raw Email Data

Optional

Raw data of an email

MIME-Version: 1.0

Received: from user01@example.com 2603:10b6:a03:1a0::47 by 2002:a19:4845:0:0:0:0:0 with HTTP; Thu, 28 May 2020 12:19:28 -0700 (PDT)

From: user01 <user01@example.com>

Date: Thu, 28 May 2020 12:19:28 -0700

Message-ID: <CAGwkv9ENZvxxcXkFJurBC7rjSRzhuziWPNi45kowY89ZMwDpqg@mail.gmail.com>

Subject: Test Send Email

To: user09 <user09@example.com>

Content-Type: multipart/alternative; boundary="0000000000001d2c8705a6ba354a"

Hello everyone,

This is a test email

Output

Key Fields

Important key-value pairs extracted from Raw Data.

SAMPLE DATA

JSON

[
    "user01@example.com 2603:10b6:a03:1a0::47"
]

Return Data

The returned result of this command. If some required parameters are not defined, this returned data could be empty. The returned result can be passed down directly to a subsequent command in playbooks.

SAMPLE DATA

JSON

Succeed

Context Data

The response data from the utility command.

SAMPLE DATA

JSON

{
    "MTAs": [
        "user01@example.com 2603:10b6:a03:1a0::47"
    ]
}

Remote Command API

The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.

Request

POST

CODE

https:/{base_url}/{api_namespace}/api/Command/GetMTAPath

Headers

Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.

Request Body

JSON

{
  "Username": <Username here>,
  "Site": <Site here>,
  "CommandParams": {
    "Raw Email Data": <Raw Email Data here>
  }
}

Body Parameters

Parameter Name	Type	Required/Optional	Description
Username	`String`	Required	The username of your D3 SOAR account.
Site	`String`	Required	The D3 SOAR site to run the remote command.
Raw Email Data	`Text`	Optional	Raw data of an email

Sample Request

SAMPLE DATA

JSON

{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Raw Email Data": "MIME-Version: 1.0\r\nReceived: from user01@example.com 2603:10b6:a03:1a0::47 by 2002:a19:4845:0:0:0:0:0 with HTTP; Thu, 28 May 2020 12:19:28 -0700 (PDT)\r\nFrom: user01 \r\nDate: Thu, 28 May 2020 12:19:28 -0700\r\nMessage-ID: \r\nSubject: Test Send Email\r\nTo: user09 \r\nContent-Type: multipart/alternative; boundary=\"0000000000001d2c8705a6ba354a\"\r\n\r\nHello everyone,\r\nThis is a test email"
  }
}

Response

Response Fields

Field Name	Type	Description
error	`Text`	The error message if the API request has failed.
keyFields	`Text Array`	The key fields from the API request.
returnData	`Text`	The return data from the API request.
contextData	`JSON Object`	The context data from the API request.

Sample Response

JSON

{
    "error": "",
    "keyFields": {
        "MTAs": ["user01@example.com 2603:10b6:a03:1a0::47"]
    },
    "returnData": "Succeed",
    "contextData": {
        "MTAs": [
            "user01@example.com 2603:10b6:a03:1a0::47"
        ]
    }
}