XSOAR blacklisting O365 senders

L1 Bithead

Hello guys,

 

When analyzing a phishing case, I would like to block a sender for all the company. I've read in the Microsoft doc and they say you can do it by creating a blacklist. I've not been able to find it in XSOAR.

 

Is there a way of doing that?

 

Kind Regards.

Accepted Solution

L2 Linker

Hi Sergio,

 

My understanding (unless changed recently) is that the Microsoft web-based API still does not support updating the global O365 e-mail sender block lists, as seen in the Admin Centre UI. This can be done via the mail transport rules API, but that is only available via a PowerShell module, e.g. ExchangeOnlineManagement.

 

XSOAR supports PowerShell Core on Linux. There are a few PowerShell Docker images in the Demisto/XSOAR Docker Hub (e.g. demisto/powershell-ubuntu:7.0.3.12001). However, none of these have ExchangeOnlineManagement pre-installed, so a custom Docker image is required.

 

Microsoft has a Docker container registry and PowerShell image, e.g. mcr.microsoft.com/powershell; however, this also does not have the module installed (I just checked). So it needs some Docker customization, or see the workaround below.

 

So I think your options are:

1/ Manual task to have an analyst log in to the Exchange Online admin centre and add the email(s) manually.

2/ Run a custom Linux Docker image for PowerShell with the right modules loaded, and run a pre-tested script.

3/ Run a Windows Engine (with modules installed) and a custom automation to run your own PowerShell .ps1 scripts on the engine.

4/ Use the 'remote' SSH shell command use case to any Windows host to run dynamic BAT/PowerShell scripts. Messy, but the benefit is that service authentication can be done in a way that a domain-connected device is trusted and doesn't need to store script credentials.

 

My suggestion to try is:

 

1/ Create a new Docker image based on PowerShell, e.g.

  /docker_image_create base=demisto/powershell-ubuntu:7.0.3.12001 name=new_powershell

2/ In your Automation script, add 'Import-Module ExchangeOnlineManagement' at the top of the script. This will import the module before running the rest of the script. It is also invoked every time a new Docker container is spawned (adds only a couple of seconds' delay).

3/ The rest of the script is tricky. You should build your PowerShell credentials object from a password variable from the XSOAR vault. You will also need to write a script, or have an account, that does not use MFA. Microsoft has articles on this.

 

e.g.

Import-Module ExchangeOnlineManagement

# Either a domain account ("Domain01\ServiceAccount01") or a UPN ("srvacc01@home.com")
$User = "srvacc01@home.com"

# $password = <from XSOAR key vault>   (the plaintext password retrieved from the XSOAR vault)
$PWord = ConvertTo-SecureString -String $password -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $PWord

# Use the credential object built above rather than an interactive UPN login
Connect-ExchangeOnline -Credential $Credential -ShowProgress $false   # ... etc.

 

When selecting 'New' Automation and selecting PowerShell (instead of the default Python), this will give you an example of how to handle PowerShell object rendering to the War Room etc. The PowerShell $demisto namespace is the same as Python's, I think, e.g. 'set' context etc.

 

Good luck!..

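The accepted answer's approach (a PowerShell automation in a custom Docker image that connects to Exchange Online and adds senders to a mail flow rule) carried through end to end, as an added example that is not part of the original post or of any XSOAR content pack. It assumes things the thread does not state: an automation with arguments named "senders" (comma-separated), "username", "password" and "rule_name"; that CommonServerPowerShell.ps1 provides ArgToList, ReturnOutputs and ReturnError; and that the Docker image already has the ExchangeOnlineManagement module installed. The rule name "XSOAR - Blocked senders" is an arbitrary default.

```powershell
# Added example, not code from the original post. Assumed (not on the page): the
# automation arguments senders/username/password/rule_name, the helpers ArgToList,
# ReturnOutputs and ReturnError from CommonServerPowerShell.ps1, and a Docker image
# with ExchangeOnlineManagement pre-installed.
. $PSScriptRoot\CommonServerPowerShell.ps1

Import-Module ExchangeOnlineManagement

# Validate and de-duplicate sender addresses before they go into a tenant-wide rule:
# an empty string or a bare domain here would block far more than one sender.
function Get-NormalizedSenders {
    param([string[]]$Senders)
    $clean = [System.Collections.Generic.List[string]]::new()
    foreach ($s in $Senders) {
        $addr = $s.Trim().ToLowerInvariant()
        if ($addr -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            throw "Refusing to block '$s': not a single e-mail address"
        }
        if (-not $clean.Contains($addr)) { $clean.Add($addr) }
    }
    if ($clean.Count -eq 0) { throw "No sender addresses supplied" }
    return $clean.ToArray()
}

# Create the rule on first use, otherwise extend its From list. Idempotent: a sender
# already in the rule is reported back, not added a second time.
function Add-BlockedSenders {
    param([string]$RuleName, [string[]]$Senders)
    $rule = try { Get-TransportRule -Identity $RuleName -ErrorAction Stop } catch { $null }
    if ($null -eq $rule) {
        New-TransportRule -Name $RuleName -From $Senders -DeleteMessage $true `
            -Comments "Sender block list maintained by XSOAR" | Out-Null
        return @{ Rule = $RuleName; Added = $Senders; AlreadyBlocked = @() }
    }
    $existing = @($rule.From | ForEach-Object { "$_".ToLowerInvariant() } | Where-Object { $_ })
    $new = @($Senders | Where-Object { $existing -notcontains $_ })
    $already = @($Senders | Where-Object { $existing -contains $_ })
    if ($new.Count -gt 0) {
        Set-TransportRule -Identity $RuleName -From ($existing + $new)
    }
    return @{ Rule = $RuleName; Added = $new; AlreadyBlocked = $already }
}

function Main {
    $scriptArgs = $demisto.Args()   # not $args: that is a PowerShell automatic variable
    $senders = Get-NormalizedSenders (ArgToList $scriptArgs.senders)
    $ruleName = if ($scriptArgs.rule_name) { $scriptArgs.rule_name } else { "XSOAR - Blocked senders" }

    # Credential object built from the password the vault hands the automation, so the
    # plaintext never touches disk. This path still needs a service account without MFA.
    $secret = ConvertTo-SecureString -String $scriptArgs.password -AsPlainText -Force
    $cred = [System.Management.Automation.PSCredential]::new($scriptArgs.username, $secret)

    Connect-ExchangeOnline -Credential $cred -ShowBanner:$false
    try {
        $result = Add-BlockedSenders -RuleName $ruleName -Senders $senders
    }
    finally {
        Disconnect-ExchangeOnline -Confirm:$false   # always drop the session, even on failure
    }

    $readable = "Rule '$($result.Rule)': added $($result.Added.Count), already blocked $($result.AlreadyBlocked.Count)"
    ReturnOutputs -ReadableOutput $readable -Outputs @{ "BlockedSender" = $result } | Out-Null
}

# Same guard the XSOAR PowerShell template uses, so a Pester test file can dot-source this script.
if ($MyInvocation.ScriptName -notlike "*.tests.ps1") {
    try { Main }
    catch { ReturnError "Failed to block senders: $($_.Exception.Message)" | Out-Null }
}
```

Run it from a playbook task with senders set to the phishing sender(s) and the account details taken from the vault-backed credential. If silently dropping mail is too aggressive for your tenant, New-TransportRule's -Quarantine $true action keeps the blocked messages reviewable instead of -DeleteMessage $true; either way the rule applies to every mailbox in the tenant, which is the "whole company" behaviour the question asks for.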


L1 Bithead

Hello Sergio

 

Are you referring to the EWS O365 integration?

Does the doc you are referring to provide the API call in order to create the blacklist?

 

Best regards

Hello thanks for the response.

 

Yes, I've seen the O365 doc (https://docs.microsoft.com/en-US/microsoft-365/security/office-365-security/create-block-sender-list...) and I've seen that it is possible to do, but I don't know if there is something already coded in XSOAR or if I should duplicate the integration and figure out how to do this part; it seems kind of tricky.

 

KR

Looking at the EWS v2 integration, I do not see the option to create or modify a blacklist.

You can file a feature request at https://xsoar.ideas.aha.io/ so our engineering team can see if this can be added.

 

Gilad Shriki


L2 Linker

oops, someone just highlighted a typo in my suggestions:

 

To install module from script:

Install-Module -Name ExchangeOnlineManagement

L2 Linker

We have it on our roadmap to release a new integration in PowerShell that will allow blocking senders globally.
It should be released by the end of this quarter.

Hello,

 

In relation to that, I suppose this new integration will work in such a way that when I block a sender, it affects the whole company, right?

 

KR.

Thank you very much for the response. I will try to test it and see if it works!

 

Kind Regards.

correct
