07-23-2024 09:49 PM - edited 07-23-2024 09:50 PM
Hi All,
I tried to send an attachment using the attachment ID in Exchange Web Services (EWS) for Office 365, and I was also able to see the entry ID of the file in the context object. However, the structure of the entry ID is different from the standard format. I created a ZIP file from a text file and uploaded it to the context, but I'm facing an issue. Do you have any suggestions or solutions to help me with this? Please check the attached pictures.
08-15-2024 03:44 PM
We do something similar with our phishing playbook when an email is legitimate or known good.
The attachment we send back is the one which was received in the original incident. We use the incident EntryID which looks like "4@ 12345" as shown in this screenshot.
Then, in our send-mail command, using EWSO365, we reference the EntryID as the attachID. See screenshot below for details. Redacted items are not relevant to the issue at hand.
As noted in the reference docs for the EWS O365 integration, the attachID in the send-mail command must reference a war room entry, not the Exchange attachment-ids. (https://xsoar.pan.dev/docs/reference/integrations/ewso365#19-send-an-email)
To first get the attachment, if it's not already part of your incident, you would need to run the "ews-get-attachment" command with the attachment-ids you referenced in your post, then use the EntryID from that command as an input in your send-mail command. (https://xsoar.pan.dev/docs/reference/integrations/ewso365#1-get-the-attachments-of-an-item)
Hope that helps!