[Improvement] FileInfo should include actual attachments in the report

[xeaon]

Request Type

Feature / Improvement

Description

Since extracting file observables from reports was implemented in TheHive-Project/TheHive#982 (i still can't wrap my head around how I'm supposed build the report that TheHive picks the file due to lack of knowledge and documentation) it would be extremely useful, if the FileInfo Analyzer would this, especially in the Outlook submodule.

Example workflow after Improvement

1. upload any malspam.msg which includes a malicious .doc and analyze with FileInfo
2. import malicious .doc attachment provided in the report as file observable
3. scan attachment to gain more insight real quick

If you could point me to the right direction, for example how a report has to look like to trigger TheHive to pick up file observables, I'd try to implement this improvement by myself and create a pull request.

[dadokkio]

Some wip [not yet fully functional] from sample email:

[xeaon]

Thank you for your efforts so far! Let me know if I can help in any way.

[garanews]

@xeaon merged in devel with #915
It needs latest cortexutils v 2.1.0

[v1p3r0u5]

@dadokkio Exactly what I'm looking for. Any chances that this will also be merged into TH4 soon?
Many thanks for your effort. Highly appreciated.

[xeaon]

@xeaon merged in devel with #915
It needs latest cortexutils v 2.1.0

Thank you and sry for the late response. I'll give it a try!