Trying to implement one of the workflows from the Phishing tackle box…
In the first step one of nested objects is {{[“New Message”].[icon_email].[attached_emails]}}
I’m attempting to extract data from the nested object but haven’t been successful. Not sure what i’m doing wrong at this point. Referencing the following
{{[“New Message”].[icon_email].[attached_emails].[subject]}}
I’ve viewed the output of this workflow and there is info in the subject key of the attached_emails object…
Any ideas?
Is attached_emails a single object? The plural name emails makes me think it’s an an array of objects. In that case, I’d expect you’d need to iterate over or select a member of the array.
If you don’t want to loop, try {{[“New Message”].[icon_email].[attached_emails].[0].[subject]}}
Thank you @brandon_mcclure - I should have provided some practical advice.
@joe_delavalle, using [0] as a selector is really useful since you often want the first member of the array. Bear in mind that if you don’t know which member of the array you are interested in, you’ll need to consider all of them and take action conditionally.
Interested to know more about what you want to achieve here. Will try to help.
Hi Joe, just going off of what Adam and Brandon had said, it’s likely that the “{[“New Message”].[icon_email].[attached_emails]}}” object is a list/array of objects, so you would need to iterate over the it with a loop step or select a specify an email in the array by doing what Brandon suggested, where an index is provided “{{[“New Message”].[icon_email].[attached_emails].[INDEXHERE].[subject]}}”.
Note: The index starts from 0, so if you wanted just the first email, you would use Brandon’s example (or if you’re just expecting one email).
edit: beat me to it Adam!
@joe_delavalle Do you know they name of the workflow, I can take a look at it and see what the issue is and see if we need to update something within the workflow.
Thanks to everyone who chimed in…
I already tried Brandon’s suggestion a few times and specified the first member but there was no output.
I was able to use a loop function to iterate through and select the keys i want… So that part has been resolved however when I output the value {{[“loop1”].[subject]}} it is including square brackets and quotes in the output…
Also, some of the characters are being output in unicode ie < = \u003c.
When I look at the job output for body it seems fine (no unicode) but posting to teams channel is the problem
loop output - “<!DOCTYPE html PUBLIC "
add object to artifact and post to teams - [”\u003c!DOCTYPE html PUBLIC "
Any ideas?
It’s because the output is an array, you would need to do{{[“loop1”].[subject].[0]}} to remove the brackets/quotes.
@joe_delavalle I am wondering if there is an issue with the workflow and something needs changed. Do you know the name of the workflow you are using from the library?
Hi Michael.
Ahh that makes sense I will try that shortly!
Thanks, I will take a look at the workflow.
Looking at this now {{[“New Message”].[icon_email].[attached_emails]}} is an array for any emails attached to the reported email. I don’t believe you can parse through them using something like {{[“New Message”].[icon_email].[attached_emails].[0].[subject]}}.
When I was a customer the way our workflow worked was we received a phishing email and the subject would come across as “Potential Phish: Malicious Email Subject”. Using {{[“New Message”].[icon_email].[subject]}} would return that subject line.
If I just wanted the subject line “Malicious Email Subject” that would come from running the attached email through a loop to do the analysis process on it as everyone has said.
That is what we do, we use the submit phishing button in Outlook and that sends our mailbox an email with the original attached to it. Even though there is only one attached email, we still use a loop to process it that keeps all our data relative. Also, you may want to use the flatten option because it is easier to parse through them