- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
01-04-2024 09:12 AM
We are using the EWS O365 integration to monitor an Exchange Online inbox. Any emails that hit the inbox get an incident created, and a Playbook handles things from there. This is working just fine but the problem I'm having is that it is ignoring calendar invite emails. Some phishing attempts we've seen come in as calendar invites, so I'd like to process them, but I don't see anything in the integration documentation about it. Is there a way to get these to import into XSOAR?
01-08-2024 08:51 AM
Hi @sackett
There are a few ways to do it. One way it in the integration instance configuration, you can specify a folder to monitor. You could organize emails that you want to create incidents for into a folder and other emails into another folder.
Another way is to create a pre-process rule to drop/close calendar invite emails incidents or any other email that you do not want to create incidents for.
01-08-2024 09:09 AM
In the integration instance configuration, we are specifying a folder to monitor. It successfully processes email messages fine. The problem I'm having is when a calendar invite "email" type shows up. The integration is not importing it into XSOAR for processing. I can go to the folder in the Mailbox we are monitoring and see the phishing calendar invite there but the incident never gets created.
01-08-2024 09:30 AM
Could you confirm you do not have a pre-process rule to drop calendar invite incidents?
Another place to look for is the classifier of the instance. it might not classifying calendar invites as the other incident type.
01-08-2024 09:50 AM
I looked at my pre-processing configuration, and I don't see any rules there, so that shouldn't be the issue.
I looked at the classifier info for the instance, and it looks unconfigured to me. I see a configuration at the bottom that says, "Direct unclassified events to: <Incident Type>." So, from my understanding of how this works, any items fetched by the instance should be treated as the same incident type regardless of what type of item it is. Right?
I'm new to XSOAR, so I may be missing something foundational/basic.
Thanks for trying to help!
01-08-2024 10:15 AM
When you say classifier is unconfigured, do you mean there is no classifier assigned to the instance?
If there is a classified, do you see anything under selected field? Do you see any incident types being assigned at the right side?
"Direct unclassified events to:" portion is for unassigned incident types only, so if you don't assigned the field to identity incident type, it will be assigned to whatever is selected there.
Another place I would check is fetch history for the instance. Microsoft integrations have detailed fetch history table to see what was fetched so I would check there. Another option is to go into your instance configuration and change Log Level to Verbose and check what the integration instance is running. This log will be included with other logs under Settings > About > Troubleshooting > Download Logs
01-08-2024 01:06 PM
Sorry for the confusion. There is a classifier configured on the instance. When I open up that classifier, I don't see anything configured. There are no entries under the various Incident Types list on the right, and everything on the left is just kind of blank. The only thing I see that seems configured is the "Direct unclassified events to:" area at the bottom. That setting has the Incident Type I want. Since I'm not specifying any fields to incident types, wouldn't all of them be considered unclassified?
I sent a test calendar invite to the mailbox with verbose logging enabled. When looking through the log, I see in the API response header that the invite is in the list but is never considered as a new item to be processed. Based on this info, I'd say the Content Pack is coded to ignore invites and process only emails. I see this pack is coded by XSOAR, how do I put in a request to get that feature added?
Thanks!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!