Splunk SOAR

Replacement Characters appearing in emails sent from Splunk SMTP APP

TheGovernor21
Engager

My team uses playbooks to automate email alerts in Phantom. Some playbooks have been randomly sending emails with the replacement character (a black diamond with a white question mark). Other times the emails are working fine and have normal text. Has anyone had this issue in the past? If so, how did you resolve it? 

I was thinking of updating the Splunk SMTP App in Phantom.

Thanks for the help!

0 Karma

victor_menezes
Path Finder

It looks like you're sending HTML emails and that black diamont is basically charset mismatch between source and destination (the string send to the body VS the email server I mean), so in those emails you have that character displayed, that means the playbook got a string that has special encoded characters on that and it don't match the expected encoding from your mail server.

If you don't need HTML, just send it as text (send rawemail action).

If you do need HTML emails (send htmlemail action), try to change the encoding asset configuration flag to true/false depending if you are using unicode characters or not.

Finally you can also add the charset at the header of your HTML message body if you are for sure using HTML code in text.

Check that and see if you have any different behavior

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...