-
Notifications
You must be signed in to change notification settings - Fork 9
/
Copy pathautomation-BuildEWSQuery.yml
87 lines (78 loc) · 2.63 KB
/
automation-BuildEWSQuery.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
args:
- default: true
description: The value of the email's "From" attribute.
name: from
- description: The value of the email's "Subject" attribute.
name: subject
- description: The value of the email's "attachmentName" attribute.
name: attachmentName
- description: The value of the email's "Body" attribute.
name: body
- auto: PREDEFINED
defaultValue: "true"
description: Limit the search to the current week (true/false).
name: searchThisWeek
predefined:
- "true"
- "false"
- auto: PREDEFINED
defaultValue: "true"
description: Removes the prefix from the subject of reply and forward messages (e.g.,
FW:).
name: stripSubject
predefined:
- "true"
- "false"
comment: Returns an EWS query according to the automation's arguments.
commonfields:
id: BuildEWSQuery
version: -1
name: BuildEWSQuery
outputs:
- contextPath: EWS.Query
description: The result query
type: string
runonce: false
script: |-
import re
import sys
reload(sys)
sys.setdefaultencoding("utf-8")
# Regex for removing forward/replay prefixes
p = re.compile('([\[\(] *)?(RE|FWD?) *([-:;)\]][ :;\])-]*|$)|\]+ *$', re.IGNORECASE)
args = {}
if demisto.args().get("from"):
args["From"] = demisto.args().get("from")
if demisto.args().get("subject"):
args["Subject"] = demisto.args().get("subject")
if demisto.args().get("attachmentName"):
args["Attachment"] = demisto.args().get("attachmentName")
if demisto.args().get("body"):
args["Body"] = demisto.args().get("body")
stripSubject = True if demisto.args().get("stripSubject").lower() == "true" else False
if stripSubject and args.get("Subject"):
# Recursively remove the regex matches only from the beginning of the string
match_string = args["Subject"]
location_match = p.match(match_string)
location = location_match.start() if location_match else -1
while(location==0 and match_string):
match_string = p.sub("",match_string,1)
location_match = p.match(match_string)
location = location_match.start() if location_match else -1
args["Subject"] = match_string
query = " AND ".join('{0}:"{1}"'.format(key,value) for (key,value) in args.items())
search_last_week = True if demisto.args().get("searchThisWeek").lower() == "true" else False
if search_last_week:
query = query + ' AND Received:"this week"'
demisto.results({
'ContentsFormat': formats["json"],
'Type': entryTypes["note"],
'Contents': {"EWS":{"Query": query or ' '}},
"HumanReadable": query or ' ',
"EntryContext": {"EWS":{"Query": query or ' '}}
});
scripttarget: 0
system: true
tags:
- ews
type: python