Email attachments are not copied into Security Incidents - Support and Troubleshooting

Email attachments are not copied into Security Incidents Issue  Issue Summary Email attachments are not copied into Security Incidents. The attachment is present in the record in the Security Email Event table, but it stops there and is not passed to the Security Incident

Most Probable Cause We have multiple OOB inbound actions that can create security incident via email and since each of them are active they are conflicting with each other. Solution Proposed In the system there are current three inbound actions that can create security incident, actually they are exclusive. 1) Create Security Incident : the oldest inbound action we have in place and it will match email subject/to so as to create a record in Security Incident, no email parsing inbox set needed 2) Record SecOps Email Events: the one that is used for event ingestion mostly, to parse an incoming email to create Security Email Event and hence transformed to security incident, attachment will stay at the security email event record. An email parsing inbox has to be set 3) User Reported Phishing: if setup with correct rule, it transforms email wth .eml as attachment to create security incident, it doesn't need the email parsing inbox to be set. If email parsing inbox is set and the incoming email matches it , it will be processed first and stop further processing. we found out that in the email logs we saw "Record SecOps Email Events" being ran and is causing the issue. After deactivating the inbound action I saw that the security incident is being created along with the attachment. Please use either one of those as per your requirement to work as expected and deactivate other inbound actions.