11-19-2020 09:45 AM
Hi Sergio,
My understanding (unless changed recently) is the Microsoft Web based API still does not support updating the global O365 email sender block lists - as seen in the Admin Centre UI. This can be done via Mail transport rules API, but is only available via Power Shell module e.g. ExchangeOnlineManagement
XSOAR supports Powershell Core on Linux. The is a few Power shell docker images in Demisto/XSOAR Docker Hub (e.g.
demisto/powershell-ubuntu:7.0.3.12001). However non of these have the ExchangeOnlineManagement pre-installed. So a custom Docker image required.
Microsoft has a docket container registry and powershell image e.g. mcr.microsoft.com/powershell - however this also does not have the module installed (I just checked). So needs some docker customizations - or see workaround below.
So I think your options are:
1/ Manual task to have analyst login Exchange Online Admin centre and add the email/s manully.
2/ Run Custom Linux Docker for Powershell with the right modules loaded, and run a pre-tested script
3/ Run Windows Engine (with modules installed) and with custom automation to run your own powershell .ps scripts on engine.
3/ Use 'remote' SSH shell command use case to any windows to run dynamic BAT/Powershell scripts. Messing, but the benefit is service Authentication can be done in a way that Domain connected device is trusted and doesn't need to stor credentials to disk.
e script credentials.
My suggestion to try is:
1/ Create new docker based on powershell e.g.
/docker_image_create base=demisto/powershell-ubuntu:7.0.3.12001 name=new_powershell
demisto/powershell-ubuntu:7.0.3.12001
2/ In you Automation script - add 'Import-Module ExchangeOnlineManagement' at top of script. This will import module before running the rest of script. Also is invoked every time new docker in spawned (added only a couple seconds delay)
3/ The of the script is tricky. You should to build your power shell credentials object from a password variable from XSOAR Vault. You will also need to write script, or have an account, that does not use MFA. Microsoft has articles on this.
e.g.
Import-Module ExchangeOnlineManagement
$User = "Domain01\ServiceAccount01" or "srvacc01@home.com"
$password = <from XSOAR key vault>
$PWord = ConvertTo-SecureString -String "P@sSwOrd" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $PWord
Connect-ExchangeOnline -UserPrincipalName <name> -ShowProgress $false .... etc...
When selecting 'new' Automation and selecting Powershell (instead of default Python) - this will give you example on how to handle powershell object rendering to war room etc. Powershell $demisto namespace is the same as python I think e.g. like 'set' context etc.
Good luck!..
11-17-2020 10:50 PM
Hello Sergio
Are you are referring to the EWS O365 integration?
Does the doc you are referring to provide the API call in order to create the blacklist?
Best regards
11-19-2020 02:51 AM
Hello thanks for the response.
Yes I've seen the 0365 doc (https://docs.microsoft.com/en-US/microsoft-365/security/office-365-security/create-block-sender-list...) and I've seen that is possible to do, but I don't know if there is something already coded in XSOAR or should I duplicate the integration and figure out how to do this part, seems kind of tricky.
KR
11-19-2020 08:45 AM
Looking on the EWS v2 integration, I do not see the option to create or modify a blacklist.
You can file in a feature request at https://xsoar.ideas.aha.io/ so our engineering team can see if this can be added.
Gilad
11-19-2020 09:45 AM
Hi Sergio,
My understanding (unless changed recently) is the Microsoft Web based API still does not support updating the global O365 email sender block lists - as seen in the Admin Centre UI. This can be done via Mail transport rules API, but is only available via Power Shell module e.g. ExchangeOnlineManagement
XSOAR supports Powershell Core on Linux. The is a few Power shell docker images in Demisto/XSOAR Docker Hub (e.g.
demisto/powershell-ubuntu:7.0.3.12001). However non of these have the ExchangeOnlineManagement pre-installed. So a custom Docker image required.
Microsoft has a docket container registry and powershell image e.g. mcr.microsoft.com/powershell - however this also does not have the module installed (I just checked). So needs some docker customizations - or see workaround below.
So I think your options are:
1/ Manual task to have analyst login Exchange Online Admin centre and add the email/s manully.
2/ Run Custom Linux Docker for Powershell with the right modules loaded, and run a pre-tested script
3/ Run Windows Engine (with modules installed) and with custom automation to run your own powershell .ps scripts on engine.
3/ Use 'remote' SSH shell command use case to any windows to run dynamic BAT/Powershell scripts. Messing, but the benefit is service Authentication can be done in a way that Domain connected device is trusted and doesn't need to stor credentials to disk.
e script credentials.
My suggestion to try is:
1/ Create new docker based on powershell e.g.
/docker_image_create base=demisto/powershell-ubuntu:7.0.3.12001 name=new_powershell
demisto/powershell-ubuntu:7.0.3.12001
2/ In you Automation script - add 'Import-Module ExchangeOnlineManagement' at top of script. This will import module before running the rest of script. Also is invoked every time new docker in spawned (added only a couple seconds delay)
3/ The of the script is tricky. You should to build your power shell credentials object from a password variable from XSOAR Vault. You will also need to write script, or have an account, that does not use MFA. Microsoft has articles on this.
e.g.
Import-Module ExchangeOnlineManagement
$User = "Domain01\ServiceAccount01" or "srvacc01@home.com"
$password = <from XSOAR key vault>
$PWord = ConvertTo-SecureString -String "P@sSwOrd" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $PWord
Connect-ExchangeOnline -UserPrincipalName <name> -ShowProgress $false .... etc...
When selecting 'new' Automation and selecting Powershell (instead of default Python) - this will give you example on how to handle powershell object rendering to war room etc. Powershell $demisto namespace is the same as python I think e.g. like 'set' context etc.
Good luck!..
11-19-2020 09:59 AM
oops, someone just highlighted a typo in my suggestions:
To install module from script:
Install-Module -Name ExchangeOnlineManagement
11-19-2020 01:46 PM
We have it on our roadmap to release new integration in PowerShell that will allow to block senders globally.
It should be release by the end of this quarter.
11-20-2020 12:59 AM
Hello,
In relation with that I suppose that this new integration will work in a way of when I block a sender, it affects to all the company right?
KR.
11-20-2020 01:00 AM
Thank you very much for the response. I will try to test it and see if it works!
Kind Regards.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
