Integration Office 365: Get mail reported by user


L1 Bithead

Hi,

 

One question about the O365 integration. Maybe it's an O365 question, not an XSOAR one, but I'd like to know if I can do it with XSOAR.

I have an alert "Email reported by user as malware or phish" from Microsoft Graph Identity and Access integration. I have this data from the alert:

[{"aadUserId":null,"accountName":"xxxx.yyyy","domainName":"xxxxxx.com","emailRole":"unknown","isVpn":null,"logonDateTime":null,"logonId":null,"logonIp":null,"logonLocation":null,"logonType":null,"onPremisesSecurityIdentifier":null,"riskScore":null,"userAccountType":null,"userPrincipalName":"xxxxxx.yyyyyyy@xxxxxx.com"},{"aadUserId":null,"accountName":"Resilinc Partner Relations \xxxxxxx","domainName":"zzzzz.com\u003e","emailRole":"sender","isVpn":null,"logonDateTime":null,"logonId":null,"logonIp":"111.222.333.444","logonLocation":null,"logonType":null,"onPremisesSecurityIdentifier":null,"riskScore":null,"userAccountType":null,"userPrincipalName":"Resilinc Partner Relations \xxxxxxx@zzzzz.com\u003e"},{"aadUserId":null,"accountName":"xxxxxx.yyyyyyy","domainName":"xxxxxx.com","emailRole":"recipient","isVpn":null,"logonDateTime":null,"logonId":null,"logonIp":null,"logonLocation":null,"logonType":null,"onPremisesSecurityIdentifier":null,"riskScore":null,"userAccountType":null,"userPrincipalName":"xxxxxx.yyyyyyy@xxxxxx.com"}]

I need to get the original mail that the user reported as malicious, but from the alert I do not have any message ID or similar.

I have searched using the from and to fields, but it's not the right query.

Do you know how I can get the source e-mail? I have browsed the MS documentation but found nothing, and I don't know all the commands for XSOAR; maybe you know "any trick"...

Thanks for your help!!

M.

1 ACCEPTED SOLUTION

Accepted Solutions

L1 Bithead

Hi all,

 

Finally I did what I needed using the MS Defender integration.

Using this integration, the incidents fetched have the messageid and, using ews-search-mailbox with this messageid and the mailbox, I can get the message. I can also use the "Microsoft 365 Defender - Threat Hunting Generic" or "Get Original Email - EWS v2" playbook to get more information or the message in EML format.

 

Office API and its integrations are, sometimes, difficult to manage and understand... 🙂

Regards!

M. 


4 REPLIES 4

L1 Bithead

I'm not 100% sure, but I have strong doubts that the Graph integration / Microsoft SecurityCenter platform has this functionality. You can use the EWS O365 integration for this.

L1 Bithead

We set up the Report Message add-in to send a duplicate as an attachment to our phishing mailbox, since you are unable to fetch an email that has been soft or hard deleted.

We use the Network Message ID from the alert to search for the email in the phishing mailbox, extract the mail from the attachment and process it as seen below:

1. ews-search-mailbox (EWSO365)

2. ews-get-attachment (EWSO365)

3. Process Email - Generic v2
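
The attachment-extraction and matching step from the reply above, as an added Python example that is not part of the original post and is not XSOAR or EWS integration code. It assumes the report wrapper carries the original as a message/rfc822 attachment and that the alert supplies the Internet Message-ID header value; all addresses, subjects and IDs are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

def make_original(n):
    """Constructed sample mail: same sender, recipient and day, different Message-ID."""
    m = EmailMessage()
    m["From"] = "sender@example.net"
    m["To"] = "user@example.com"
    m["Subject"] = f"Invoice {n}"
    m["Message-ID"] = f"<constructed-{n:04d}@mail.example.net>"
    m.set_content(f"Body {n}")
    return m

def build_report(original, reporter):
    """Constructed stand-in for a user report landing in the phishing mailbox."""
    report = EmailMessage()
    report["From"] = reporter
    report["To"] = "phishing@example.com"
    report["Subject"] = "Reported: " + original["Subject"]
    report.set_content("Reported by user.")
    report.add_attachment(original)  # stored as a message/rfc822 part
    return report.as_bytes()

def embedded_originals(raw_report):
    """Yield each message/rfc822 attachment found inside a report wrapper."""
    wrapper = message_from_bytes(raw_report, policy=policy.default)
    for part in wrapper.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            yield part.get_content()  # the embedded EmailMessage

def normalise(message_id):
    """Compare IDs without surrounding whitespace or angle brackets."""
    return (message_id or "").strip().strip("<>")

def find_reported_mail(raw_reports, message_id):
    """Return the embedded original whose Message-ID matches the alert, else None."""
    wanted = normalise(message_id)
    for raw in raw_reports:
        for original in embedded_originals(raw):
            if normalise(original["Message-ID"]) == wanted:
                return original
    return None

# Three reports that a from/to/date search cannot tell apart.
SAMPLE_REPORTS = [build_report(make_original(n), "user@example.com") for n in (1, 2, 3)]

if __name__ == "__main__":
    hit = find_reported_mail(SAMPLE_REPORTS, "constructed-0002@mail.example.net")
    print(hit["Subject"] if hit else "no match")
```

Calling `as_bytes()` on the returned message gives the original in EML form for further processing.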


L1 Bithead

Thanks for your help!! I've been a bit stuck researching this. The problem is that if I search the mailbox (with from-to-date filters), I can get several results, and I cannot be sure which mail has been involved in the alert.

 

I have been reading about the hunting capabilities in the MS Defender add-on (https://xsoar.pan.dev/docs/reference/integrations/microsoft-365-defender#microsoft-365-defender-adva...). I'll post anything if I get any result...

 

Regards.

M.

