topic Re: XSOAR blacklisting O365 senders in Cortex XSOAR Discussions

XSOAR blacklisting O365 senders

Sergio_Gonzalez — Fri, 06 Nov 2020 13:02:54 GMT

Hello guys,

When analyzing a phishing case, I would like to block a sender for all the company. I've read in the Microsoft doc and they say you can do it by creating a blacklist. I've not been able to find it in XSOAR.

Is there a way of doing that?

Kind Regards.

Re: XSOAR blacklisting O365 senders

dbaumstein — Wed, 18 Nov 2020 06:50:59 GMT

Hello Sergio

Are you are referring to the EWS O365 integration?

Does the doc you are referring to provide the API call in order to create the blacklist?

Best regards

Re: XSOAR blacklisting O365 senders

Sergio_Gonzalez — Thu, 19 Nov 2020 10:51:27 GMT

Hello thanks for the response.

Yes I've seen the 0365 doc (https://docs.microsoft.com/en-US/microsoft-365/security/office-365-security/create-block-sender-lists-in-office-365?view=o365-worldwide) and I've seen that is possible to do, but I don't know if there is something already coded in XSOAR or should I duplicate the integration and figure out how to do this part, seems kind of tricky.

Re: XSOAR blacklisting O365 senders

GShriki — Thu, 19 Nov 2020 16:45:15 GMT

Looking on the EWS v2 integration, I do not see the option to create or modify a blacklist.

You can file in a feature request at https://xsoar.ideas.aha.io/ so our engineering team can see if this can be added.

Gilad

Re: XSOAR blacklisting O365 senders

jgomes — Thu, 19 Nov 2020 17:45:03 GMT

Hi Sergio,

My understanding (unless changed recently) is the Microsoft Web based API still does not support updating the global O365 email sender block lists - as seen in the Admin Centre UI. This can be done via Mail transport rules API, but is only available via Power Shell module e.g. ExchangeOnlineManagement

XSOAR supports Powershell Core on Linux. The is a few Power shell docker images in Demisto/XSOAR Docker Hub (e.g.

demisto/powershell-ubuntu:7.0.3.12001). However non of these have the ExchangeOnlineManagement pre-installed. So a custom Docker image required.

Microsoft has a docket container registry and powershell image e.g. mcr.microsoft.com/powershell - however this also does not have the module installed (I just checked). So needs some docker customizations - or see workaround below.

So I think your options are:

1/ Manual task to have analyst login Exchange Online Admin centre and add the email/s manully.

2/ Run Custom Linux Docker for Powershell with the right modules loaded, and run a pre-tested script

3/ Run Windows Engine (with modules installed) and with custom automation to run your own powershell .ps scripts on engine.

3/ Use 'remote' SSH shell command use case to any windows to run dynamic BAT/Powershell scripts. Messing, but the benefit is service Authentication can be done in a way that Domain connected device is trusted and doesn't need to stor credentials to disk.

e script credentials.

My suggestion to try is:

1/ Create new docker based on powershell e.g.

/docker_image_create base=demisto/powershell-ubuntu:7.0.3.12001 name=new_powershell

demisto/powershell-ubuntu:7.0.3.12001

2/ In you Automation script - add 'Import-Module ExchangeOnlineManagement' at top of script. This will import module before running the rest of script. Also is invoked every time new docker in spawned (added only a couple seconds delay)

3/ The of the script is tricky. You should to build your power shell credentials object from a password variable from XSOAR Vault. You will also need to write script, or have an account, that does not use MFA. Microsoft has articles on this.

e.g.

Import-Module ExchangeOnlineManagement

$User = "Domain01\ServiceAccount01" or "srvacc01@home.com"

$password = <from XSOAR key vault>

$PWord = ConvertTo-SecureString -String "P@sSwOrd" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $PWord

Connect-ExchangeOnline -UserPrincipalName <name> -ShowProgress $false .... etc...

When selecting 'new' Automation and selecting Powershell (instead of default Python) - this will give you example on how to handle powershell object rendering to war room etc. Powershell $demisto namespace is the same as python I think e.g. like 'set' context etc.

Good luck!..

Re: XSOAR blacklisting O365 senders

jgomes — Thu, 19 Nov 2020 17:59:22 GMT

oops, someone just highlighted a typo in my suggestions:

To install module from script:

Install-Module -Name ExchangeOnlineManagement

Re: XSOAR blacklisting O365 senders

aazadaliyev — Thu, 19 Nov 2020 21:46:23 GMT

We have it on our roadmap to release new integration in PowerShell that will allow to block senders globally.
It should be release by the end of this quarter.

Re: XSOAR blacklisting O365 senders

Sergio_Gonzalez — Fri, 20 Nov 2020 08:59:42 GMT

Hello,

In relation with that I suppose that this new integration will work in a way of when I block a sender, it affects to all the company right?

KR.

Re: XSOAR blacklisting O365 senders

Sergio_Gonzalez — Fri, 20 Nov 2020 09:00:26 GMT

Thank you very much for the response. I will try to test it and see if it works!

Kind Regards.

Re: XSOAR blacklisting O365 senders

aazadaliyev — Sat, 21 Nov 2020 08:25:23 GMT

correct