https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/xsoar-file-issue/m-p/595062#M3528 <P data-unlink="true">We do something similar with our phishing playbook when an email is legitimate or known good.<BR />The attachment we send back is the one which was received in the original incident. We use the incident EntryID which looks like "4@ 12345"&nbsp;as shown in this screenshot.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Attachment IDs 2.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/61555i9A6741664D2988F9/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Attachment IDs 2.png" alt="Attachment IDs 2.png" /></span></P> <P>Then, in our send-mail command, using EWSO365, we reference the EntryID as the attachID. See screenshot below for details. Redacted items are not relevant to the issue at hand.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Attachment IDs 1.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/61556iC6EABDBA988BDE4D/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Attachment IDs 1.png" alt="Attachment IDs 1.png" /></span></P> <P>As noted in the reference docs for the EWS O365 integration, the attachID in the send-mail command must reference a war room entry, not the Exchange attachment-ids. (<A href="https://xsoar.pan.dev/docs/reference/integrations/ewso365#19-send-an-email" target="_blank">https://xsoar.pan.dev/docs/reference/integrations/ewso365#19-send-an-email</A>)</P> <P><BR />To first get the attachment, if it's not already part of your incident, you would need to run the "ews-get-attachment" command with attachment-ids you referenced in your post, then use the EntryID from that command as an input in your send-mail command. (<A href="https://xsoar.pan.dev/docs/reference/integrations/ewso365#1-get-the-attachments-of-an-item" target="_blank">https://xsoar.pan.dev/docs/reference/integrations/ewso365#1-get-the-attachments-of-an-item</A>)</P> <P>&nbsp;</P> <P>Hope that helps!</P> Thu, 15 Aug 2024 22:44:28 GMT cmcneil 2024-08-15T22:44:28Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/xsoar-file-issue/m-p/592853#M3494 <P><SPAN>Hi All,</SPAN></P> <P><SPAN>I tried to send an attachment using the attachment ID in Exchange Web Services (EWS) for Office 365, and I was also able to see the entry ID of the file in context object. However, the structure of the entry ID is different from the standard format. I created a ZIP file from a text file and uploaded it to the context, but I'm facing an issue. Do you have any suggestions or solutions to help me with this? Please check attached pictures</SPAN></P> <P>&nbsp;</P> <P><SPAN><LI-PRODUCT title="Cortex XSOAR" id="Cortex_XSOAR"></LI-PRODUCT>&nbsp;</SPAN></P> Wed, 24 Jul 2024 04:50:02 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/xsoar-file-issue/m-p/592853#M3494 Syedhkt 2024-07-24T04:50:02Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/xsoar-file-issue/m-p/595062#M3528 <P data-unlink="true">We do something similar with our phishing playbook when an email is legitimate or known good.<BR />The attachment we send back is the one which was received in the original incident. We use the incident EntryID which looks like "4@ 12345"&nbsp;as shown in this screenshot.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Attachment IDs 2.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/61555i9A6741664D2988F9/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Attachment IDs 2.png" alt="Attachment IDs 2.png" /></span></P> <P>Then, in our send-mail command, using EWSO365, we reference the EntryID as the attachID. See screenshot below for details. Redacted items are not relevant to the issue at hand.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Attachment IDs 1.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/61556iC6EABDBA988BDE4D/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Attachment IDs 1.png" alt="Attachment IDs 1.png" /></span></P> <P>As noted in the reference docs for the EWS O365 integration, the attachID in the send-mail command must reference a war room entry, not the Exchange attachment-ids. (<A href="https://xsoar.pan.dev/docs/reference/integrations/ewso365#19-send-an-email" target="_blank">https://xsoar.pan.dev/docs/reference/integrations/ewso365#19-send-an-email</A>)</P> <P><BR />To first get the attachment, if it's not already part of your incident, you would need to run the "ews-get-attachment" command with attachment-ids you referenced in your post, then use the EntryID from that command as an input in your send-mail command. (<A href="https://xsoar.pan.dev/docs/reference/integrations/ewso365#1-get-the-attachments-of-an-item" target="_blank">https://xsoar.pan.dev/docs/reference/integrations/ewso365#1-get-the-attachments-of-an-item</A>)</P> <P>&nbsp;</P> <P>Hope that helps!</P> Thu, 15 Aug 2024 22:44:28 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/xsoar-file-issue/m-p/595062#M3528 cmcneil 2024-08-15T22:44:28Z