Error when using workflow 0010 - Phishing Investigation

nupagazi
Level 1

Hello All,

When running the Phishing Investigation, I get the following error at the block "For each attachment":

Failed to resolve variable reference '[$trigger.Phishing Mailbox.output.Attachments$]'

Does anyone have this issue, and how do I fix it?

Best Regards,

An

Accepted Solutions

Brian Sak
Cisco Employee

Hi An,

I was able to reproduce this error if I attempt to run the workflow manually rather than it being triggered by the 'Email Event'. When an email arrives in the mailbox and is pulled down with IMAP, the workflow should pull off the attachments and parse them.

Ensure that your credentials and email event are set up and working first, and it should process each submitted email automatically.

7 Replies

nupagazi
Level 1

Hi Brian,

Yes, I just checked and found the same: the workflow was successful when the email event is triggered and failed when I run it manually. Thank you for pointing that out.

Best Regards,

An

nupagazi
Level 1

Hi Brian,

Would you please try whether the workflow can investigate the attachment and provide the verdict for the IOCs in the attachment? I put some IOCs (URLs and IPs) in the attachment, but it seems that the workflow cannot investigate the IOCs, since the two variables "Number of Clean observarable" and "Number of Malicious Observarable" are always 0.

Best Regards,

An

It's been working for me. I send the attached email to the monitored inbox and it will find the malicious domain that I added to trigger the alert. It sends two emails back to the submitter:

Hello!
The email you submitted for review with the subject "Fwd: Is it phishing?" is being processed.
While we investigate, please do not open or share the message. Once we determine whether or not the email is safe, we will get back to you.
Reference ID: 01U2ROQWS3V7H1Hchx7AFaNzIIUavCuWlai

and when the observables come back as malicious:

Hello!
The email you submitted for review with the subject "Get your free credit scores today with free trial" was found to be DANGEROUS!
Please do not open the message and delete it immediately!
Reference ID: 01U2ROQWS3V7H1Hchx7AFaNzIIUavCuWlai

Are you getting these messages returned to you via POP from the service?  You shouldn't have to look at the workflow itself to track the number of observables that are malicious. 

Hi Brian,

The attachment is also an email which has some IOCs in the body, is that right?

I got the following message:

The email you submitted for review with the subject "please find attachment" is being processed.
While we investigate, please do not open or share the message. Once we determine whether or not the email is safe, we will get back to you.
Reference ID: 01U52F8DWWMC45jiMZhQwFT281NxVeuy2Fz

Best Regards,

An

It is. The community platform wasn't accepting my sample as a txt or eml file, so I zipped it up. However, if you use it, you'll have to unzip it first before you attach it. This is the file I've been using for demonstration, but the malicious element is just a domain name included in a link.

Thank you so much!

An