topic Re: Pulling Calendar Invites from Inbox - EWS O365 Integration in Cortex XSOAR Discussions

Pulling Calendar Invites from Inbox - EWS O365 Integration

sackett — Thu, 04 Jan 2024 17:12:42 GMT

We are using the EWS O365 integration to monitor an Exchange Online inbox. Any emails that hit the inbox get an incident created, and a Playbook handles things from there. This is working just fine but the problem I'm having is that it is ignoring calendar invite emails. Some phishing attempts we've seen come in as calendar invites, so I'd like to process them, but I don't see anything in the integration documentation about it. Is there a way to get these to import into XSOAR?

Re: Pulling Calendar Invites from Inbox - EWS O365 Integration

yuki_sato — Mon, 08 Jan 2024 16:51:45 GMT

Hi @sackett

There are a few ways to do it. One way it in the integration instance configuration, you can specify a folder to monitor. You could organize emails that you want to create incidents for into a folder and other emails into another folder.

Another way is to create a pre-process rule to drop/close calendar invite emails incidents or any other email that you do not want to create incidents for.

Re: Pulling Calendar Invites from Inbox - EWS O365 Integration

sackett — Mon, 08 Jan 2024 17:09:55 GMT

In the integration instance configuration, we are specifying a folder to monitor. It successfully processes email messages fine. The problem I'm having is when a calendar invite "email" type shows up. The integration is not importing it into XSOAR for processing. I can go to the folder in the Mailbox we are monitoring and see the phishing calendar invite there but the incident never gets created.

Re: Pulling Calendar Invites from Inbox - EWS O365 Integration

yuki_sato — Mon, 08 Jan 2024 17:30:57 GMT

Could you confirm you do not have a pre-process rule to drop calendar invite incidents?

Another place to look for is the classifier of the instance. it might not classifying calendar invites as the other incident type.

Re: Pulling Calendar Invites from Inbox - EWS O365 Integration

sackett — Mon, 08 Jan 2024 17:50:48 GMT

I looked at my pre-processing configuration, and I don't see any rules there, so that shouldn't be the issue.

I looked at the classifier info for the instance, and it looks unconfigured to me. I see a configuration at the bottom that says, "Direct unclassified events to: <Incident Type>." So, from my understanding of how this works, any items fetched by the instance should be treated as the same incident type regardless of what type of item it is. Right?

I'm new to XSOAR, so I may be missing something foundational/basic.

Thanks for trying to help!

Re: Pulling Calendar Invites from Inbox - EWS O365 Integration

yuki_sato — Mon, 08 Jan 2024 18:15:30 GMT

When you say classifier is unconfigured, do you mean there is no classifier assigned to the instance?

If there is a classified, do you see anything under selected field? Do you see any incident types being assigned at the right side?

"Direct unclassified events to:" portion is for unassigned incident types only, so if you don't assigned the field to identity incident type, it will be assigned to whatever is selected there.

Another place I would check is fetch history for the instance. Microsoft integrations have detailed fetch history table to see what was fetched so I would check there. Another option is to go into your instance configuration and change Log Level to Verbose and check what the integration instance is running. This log will be included with other logs under Settings > About > Troubleshooting > Download Logs

Re: Pulling Calendar Invites from Inbox - EWS O365 Integration

sackett — Mon, 08 Jan 2024 21:06:52 GMT

Sorry for the confusion. There is a classifier configured on the instance. When I open up that classifier, I don't see anything configured. There are no entries under the various Incident Types list on the right, and everything on the left is just kind of blank. The only thing I see that seems configured is the "Direct unclassified events to:" area at the bottom. That setting has the Incident Type I want. Since I'm not specifying any fields to incident types, wouldn't all of them be considered unclassified?

I sent a test calendar invite to the mailbox with verbose logging enabled. When looking through the log, I see in the API response header that the invite is in the list but is never considered as a new item to be processed. Based on this info, I'd say the Content Pack is coded to ignore invites and process only emails. I see this pack is coded by XSOAR, how do I put in a request to get that feature added?
Thanks!