When analyzing a phishing case, I would like to block a sender for the whole company. I've read the Microsoft doc and they say you can do it by creating a blacklist. I've not been able to find it in XSOAR.
Is there a way of doing that?
Hello, thanks for the response.
Yes, I've seen the O365 doc (https://docs.microsoft.com/en-US/microsoft-365/security/office-365-security/create-block-sender-list...) and I've seen that it is possible to do, but I don't know if there is something already coded in XSOAR or whether I should duplicate the integration and figure out how to do this part; it seems kind of tricky.
Looking at the EWS v2 integration, I do not see the option to create or modify a blacklist.
You can file a feature request at https://xsoar.ideas.aha.io/ so our engineering team can see if this can be added.
My understanding (unless changed recently) is that the Microsoft web-based API still does not support updating the global O365 email sender block lists, as seen in the Admin Centre UI. This can be done via the mail transport rules API, but that is only available via a PowerShell module, e.g. ExchangeOnlineManagement.
XSOAR supports PowerShell Core on Linux. There are a few PowerShell Docker images in the Demisto/XSOAR Docker Hub (e.g. demisto/powershell-ubuntu:220.127.116.1101). However, none of these have the ExchangeOnlineManagement module pre-installed, so a custom Docker image is required.
Microsoft has a Docker container registry and PowerShell image, e.g. mcr.microsoft.com/powershell; however, this also does not have the module installed (I just checked). So it needs some Docker customization, or see the workaround below.
So I think your options are:
1/ Manual task to have an analyst log in to the Exchange Online Admin centre and add the email(s) manually.
2/ Run a custom Linux Docker image for PowerShell with the right modules loaded, and run a pre-tested script.
3/ Run a Windows Engine (with modules installed) with a custom automation to run your own PowerShell .ps1 scripts on the engine.
4/ Use the 'remote' SSH shell command use case to any Windows host to run dynamic BAT/PowerShell scripts. Messy, but the benefit is that service authentication can be done in a way that a domain-connected device is trusted and doesn't need to store credentials to disk.
My suggestion to try is:
1/ Create a new Docker image based on PowerShell, e.g.
/docker_image_create base=demisto/powershell-ubuntu:18.104.22.16801 name=new_powershell
2/ In your automation script, add 'Import-Module ExchangeOnlineManagement' at the top of the script. This will import the module before running the rest of the script. It is also invoked every time a new Docker container is spawned (adds only a couple of seconds' delay).
3/ The rest of the script is tricky. You should build your PowerShell credentials object from a password variable from the XSOAR vault. You will also need to write a script, or have an account, that does not use MFA. Microsoft has articles on this.
$User = "email@example.com"   # or "Domain01\ServiceAccount01"
$password = "<from XSOAR key vault>"   # plain-text password pulled from the XSOAR vault, never hard-coded
$PWord = ConvertTo-SecureString -String $password -AsPlainText -Force   # wrap the vault value as a SecureString
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $PWord
Connect-ExchangeOnline -Credential $Credential -ShowProgress $false   # ... then run the block-list cmdlets
When selecting 'new' Automation and selecting PowerShell (instead of the default Python), this will give you an example of how to handle PowerShell object rendering to the War Room etc. The PowerShell $demisto namespace is the same as Python's I think, e.g. 'set' context etc.
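The three steps above put together as one XSOAR PowerShell automation, as an added example that is not the poster's code or an XSOAR-shipped script. It assumes a custom image with ExchangeOnlineManagement installed, script arguments named `senders`, `username` and `password` (the password argument marked as secret and fed from the XSOAR vault), and it uses the Tenant Allow/Block List cmdlet `New-TenantAllowBlockListItems` rather than a transport rule to do the tenant-wide block.

```powershell
# Added example: block phishing senders tenant-wide from an XSOAR automation.
# Assumed: custom Docker image with ExchangeOnlineManagement installed,
# script arguments 'senders' (comma-separated), 'username' and 'password'.
. $PSScriptRoot\CommonServerPowerShell.ps1

function Block-PhishingSenders {
    param(
        [string[]]$Senders,
        [pscredential]$Credential
    )
    # Only accept things that look like an address or a domain: a typo here
    # would block the wrong sender for the whole company.
    $valid = @($Senders | Where-Object { $_ -match '^([\w.+-]+@)?[\w-]+(\.[\w-]+)+$' })
    if ($valid.Count -eq 0) {
        throw "No valid sender entries supplied: $($Senders -join ', ')"
    }
    Connect-ExchangeOnline -Credential $Credential -ShowBanner:$false -ShowProgress $false
    try {
        # Tenant Allow/Block List entry: applies to every mailbox in the tenant.
        $entries = New-TenantAllowBlockListItems -ListType Sender -Block -Entries $valid `
            -Notes "Blocked by XSOAR phishing playbook" -NoExpiration
        return @($entries | Select-Object Value, Action, ExpirationDate)
    }
    finally {
        # Always tear the session down so the container does not leak a live session.
        Disconnect-ExchangeOnline -Confirm:$false
    }
}

function Main {
    $scriptArgs = $demisto.Args()
    # Module import happens on every fresh container, as noted in step 2.
    Import-Module ExchangeOnlineManagement -ErrorAction Stop
    # Build the PSCredential from the vault-backed argument (step 3); the value
    # never needs to be written to disk inside the container.
    $secure = ConvertTo-SecureString -String $scriptArgs.password -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential($scriptArgs.username, $secure)
    $senders = @(($scriptArgs.senders -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $result = Block-PhishingSenders -Senders $senders -Credential $cred
    # Render a War Room table and store the entries under the BlockedSender context key.
    ReturnOutputs "Blocked $($result.Count) sender(s) tenant-wide" @{ BlockedSender = $result } $result
}

try { Main } catch { ReturnError "BlockSender failed: $($_.Exception.Message)" }
```

The `-Credential` login only works for an account without MFA, as the post above says; for a production playbook the same script can be switched to the module's certificate-based app-only login so no user password has to live in the vault at all.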