You can configure your Resilient platform to receive email from one or more email servers, such as a phishing threat service. You can then create a new incident based on an email message or associate an email message with an existing incident.

You can access the various components of an email, such as its attachments, headers, body of the message, and the To, From, and CC fields. For example, you can write a script to add header information as a note on the associated incident. You can add any attachments, whether inline in the email body or a separate file attachment, to the incident.
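As an illustration of the header-to-note idea above, the following added example (not part of the product documentation) builds the note text an analyst would want from a phishing report: the sender-related headers, the relay hops in origin-first order, and simple mismatch flags. It uses Python's standard email module on a constructed message rather than the platform's email message object, and the helper names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; hosts, addresses and helper names are illustrative assumptions.
SAMPLE_EMAIL = """\
Received: from mail.example.net (mail.example.net [203.0.113.7])
\tby mx.example.com with ESMTP; Tue, 02 Jan 2024 10:00:02 +0000
Received: from unknown (host-198-51-100-9.example.org [198.51.100.9])
\tby mail.example.net with SMTP; Tue, 02 Jan 2024 10:00:00 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.net; dkim=none
Return-Path: <bounce@example.net>
From: "IT Support" <support@example.com>
Reply-To: helpdesk@example.org
To: user@example.com
Subject: Password expiry ABC123

Please reset your password.
"""

TRIAGE_HEADERS = ("From", "Reply-To", "Return-Path", "Authentication-Results")

def domain_of(value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower()

def build_header_note(raw_email):
    """Summarise the headers an analyst checks first, as plain note text."""
    msg = message_from_string(raw_email)
    lines = ["Email header summary"]
    for name in TRIAGE_HEADERS:
        # Unfold continuation lines so each header is one note line.
        value = " ".join((msg.get(name) or "(missing)").split())
        lines.append("%s: %s" % (name, value))
    # Each relay prepends its Received header, so reverse for origin-first order.
    hops = [" ".join(h.split()) for h in reversed(msg.get_all("Received") or [])]
    for i, hop in enumerate(hops, 1):
        lines.append("Hop %d: %s" % (i, hop.split(";")[0]))
    flags = []
    from_dom = domain_of(msg.get("From"))
    for name in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(name))
        if dom and dom != from_dom:
            flags.append("%s domain %s differs from From domain %s" % (name, dom, from_dom))
    if "spf=fail" in (msg.get("Authentication-Results") or "").lower():
        flags.append("SPF failed")
    lines.append("Flags: " + ("; ".join(flags) if flags else "none"))
    return "\n".join(lines)
```
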

The following script is an example of associating an email with an existing incident, or creating a new incident if one does not exist.

    # Attempt to look up an existing incident (name contains the string "ABC123")
    query_builder.contains(fields.incident.name, "ABC123")
    query = query_builder.build()
    incidents = helper.findIncidents(query)
    if len(incidents) > 0:
        # Found it: associate the email message with that incident
        emailmessage.associateWithIncident(incidents[0])
    else:
        # No match, so create a new incident (owned by the specified user).
        # "owner@example.com" is a placeholder; replace it with the owning user.
        emailmessage.createAssociatedIncident("ABC123", "owner@example.com")