DOC-433 (#120)

AnneLaure1307 · web-flow · commit 92330b00a442 · 2026-03-18T16:42:26.000+01:00
* Improved email intake pages and added a tutorial

* Added permission

* Rendering checks
diff --git a/docs/thehive/administration/email-intake-connector/about-email-intake-connectors.md b/docs/thehive/administration/email-intake-connector/about-email-intake-connectors.md
@@ -2,40 +2,19 @@
 
 <!-- md:license Gold --> <!-- md:license Platinum -->
 
-Organizations that receive alert data by email can use email intake connectors to automate the creation of alerts in TheHive.
+Organizations that receive alert data by email can use email intake connectors to automate alert creation in TheHive.
 
 ## Usage
 
-Email intake connectors integrate mailboxes that receive alerts.
-
-It automatically processes incoming emails, extracts relevant information, and creates alerts within TheHive platform. The email itself, its sender, and any attached files are automatically added as observables within the respective alerts.
-
-!!! tip "Parsing emails"
-    The content of the email itself isn't automatically parsed when creating the alert. To enable observable extraction, a [notification](../../user-guides/organization/configure-organization/manage-notifications/create-a-notification.md) must trigger [a FilteredEvent](../../user-guides/organization/configure-organization/manage-notifications/write-filtered-event-trigger.md) that [runs the *EmlParser* analyzer](../../user-guides/organization/configure-organization/manage-notifications/notifiers/analyzers.md).
-
-    Below is an example of the FilteredEvent trigger:
-
-    ```json
-    {
-        "_and": [
-            {
-                "_is": {
-                    "action": "create"
-                }
-            },
-            {
-                "_is": {
-                    "objectType": "Observable"
-                }
-            },
-            {
-                "_is": {
-                    "object.alert.type": "email-intake"
-                }
-            }
-        ]
-    }
-    ```
+Email intake connectors automatically processes incoming emails and creates alerts in TheHive.
+
+Each alert includes the following observables:
+
+* The email file (`.eml`)
+* The sender's email address
+* Any file attachments
+
+The email body isn't parsed for observables by default. To extract them, run the *EmlParser* analyzer manually, or [automate extraction using a notification](../../user-guides/automate-extraction-observables-from-emails.md).
 
 ## Data mapping
 
@@ -89,4 +68,5 @@ Only users with an admin-type profile that has the `managePlatform` permission c
 
 * [Connect a Mailbox](connect-a-mailbox.md)
 * [Delete a Mailbox](delete-a-mailbox-connection.md)
-* [Manually Trigger Email Fetch in a Mailbox](fetch-emails.md)
+* [Manually Trigger Email Fetch in a Mailbox](fetch-emails.md)
+* [Automate Extraction of Observables from Emails](../../user-guides/automate-extraction-observables-from-emails.md)
diff --git a/docs/thehive/administration/email-intake-connector/connect-a-mailbox.md b/docs/thehive/administration/email-intake-connector/connect-a-mailbox.md
@@ -499,4 +499,5 @@ Connect a [mailbox](about-email-intake-connectors.md) if your organization recei
 <h2>Next steps</h2>
 
 * [Delete a Mailbox Connection](delete-a-mailbox-connection.md)
-* [Manually Trigger Email Fetch in a Mailbox](fetch-emails.md)
+* [Manually Trigger Email Fetch in a Mailbox](fetch-emails.md)
+* [Automate Extraction of Observables from Emails](../../user-guides/automate-extraction-observables-from-emails.md)
diff --git a/docs/thehive/administration/email-intake-connector/fetch-emails.md b/docs/thehive/administration/email-intake-connector/fetch-emails.md
@@ -19,4 +19,5 @@ Manually trigger email fetch in a [mailbox](about-email-intake-connectors.md) in
 <h2>Next steps</h2>
 
 * [Connect a Mailbox](connect-a-mailbox.md)
-* [Delete a Mailbox](delete-a-mailbox-connection.md)
+* [Delete a Mailbox](delete-a-mailbox-connection.md)
+* [Automate Extraction of Observables from Emails](../../user-guides/automate-extraction-observables-from-emails.md)
diff --git a/docs/thehive/user-guides/automate-extraction-observables-from-emails.md b/docs/thehive/user-guides/automate-extraction-observables-from-emails.md
@@ -0,0 +1,69 @@
+# Tutorial: Automate Extraction of Observables from Emails
+
+<!-- md:permission `manageConfig` --> <!-- md:license Gold --> <!-- md:license Platinum -->
+
+When an [email intake connector](../administration/email-intake-connector/about-email-intake-connectors.md) processes an incoming email, it creates an alert in TheHive with several observables, including the email file itself. However, the email body isn't parsed for observables by default—you need to run the *EmlParser* analyzer to extract them.
+
+In this tutorial, we're going to set up an automation in TheHive that runs the *EmlParser* analyzer automatically each time an email intake alert is created.
+
+!!! warning "Prerequisites"
+    This tutorial assumes you've already [configured an email intake connector](../administration/email-intake-connector/connect-a-mailbox.md) for your TheHive instance.
+
+By the end, you'll have a working configuration that:
+
+* Detects when an observable is created from an email intake connector alert
+* Automatically runs the *EmlParser* analyzer to extract observables from the email body
+
+This eliminates the need to manually run the analyzer for each email alert.
+
+## Step 1: Create a notification triggered by email intake alerts
+
+1. {% include-markdown "includes/organization-view-go-to.md" %}
+
+2. {% include-markdown "includes/notifications-tab-go-to.md" %}
+
+3. Select :fontawesome-solid-plus:.
+
+4. In the **Add notification** drawer, enter the name of the notification: `EmailObservableExtractionNotification`
+
+5. Select the *FilteredEvent* trigger.
+
+6. Enter the following custom filter to match observable creation events from email intake alerts:
+
+    ```json
+    {
+        "_and": [
+            {
+                "_is": {
+                    "action": "create"
+                }
+            },
+            {
+                "_is": {
+                    "objectType": "Observable"
+                }
+            },
+            {
+                "_is": {
+                    "object.alert.type": "email-intake"
+                }
+            }
+        ]
+    }
+    ```
+
+## Step 2: Configure a *RunAnalyzer* notifier
+
+1. In your current notification, select the [*RunAnalyzer* notifier](./organization/configure-organization/manage-notifications/notifiers/analyzers.md).
+
+2. In the **RunAnalyzer** drawer, select **EmlParser**.
+
+3. Select **Confirm**.
+
+That's it—every time a new email intake observable is created, TheHive will automatically run the *EmlParser* analyzer to extract observables from the email content.
+
+<h2>Next steps</h2>
+
+* [About Email Intake Connectors](../administration/email-intake-connector/about-email-intake-connectors.md)
+* [Connect a Mailbox](../administration/email-intake-connector/connect-a-mailbox.md)
+* [Manually Trigger Email Fetch in a Mailbox](../administration/email-intake-connector/fetch-emails.md)
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -698,6 +698,7 @@ nav:
       - 'Automation Hacks':
         - 'Tutorial: Automate Tracking of Pending Alerts': thehive/user-guides/automate-tracking-pending-alerts.md
         - 'Tutorial: Automate Monitoring of Tasks Approaching Their Due Date': thehive/user-guides/automate-monitoring-tasks-approaching-due-date.md
+        - 'Tutorial: Automate Extraction of Observables from Emails': thehive/user-guides/automate-extraction-observables-from-emails.md
       - 'Analyst Corner':
         - 'Alerts Management':
           - 'About Alerts': thehive/user-guides/analyst-corner/alerts/about-alerts.md
