XSOAR File Issue

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

XSOAR File Issue

L2 Linker

Hi All,

I tried to send an attachment using the attachment ID in Exchange Web Services (EWS) for Office 365, and I was also able to see the entry ID of the file in context object. However, the structure of the entry ID is different from the standard format. I created a ZIP file from a text file and uploaded it to the context, but I'm facing an issue. Do you have any suggestions or solutions to help me with this? Please check attached pictures

 

Cortex XSOAR 

1 REPLY 1

L2 Linker

We do something similar with our phishing playbook when an email is legitimate or known good.
The attachment we send back is the one which was received in the original incident. We use the incident EntryID which looks like "4@ 12345" as shown in this screenshot.

Attachment IDs 2.png

Then, in our send-mail command, using EWSO365, we reference the EntryID as the attachID. See screenshot below for details. Redacted items are not relevant to the issue at hand.

Attachment IDs 1.png

As noted in the reference docs for the EWS O365 integration, the attachID in the send-mail command must reference a war room entry, not the Exchange attachment-ids. (https://xsoar.pan.dev/docs/reference/integrations/ewso365#19-send-an-email)


To first get the attachment, if it's not already part of your incident, you would need to run the "ews-get-attachment" command with attachment-ids you referenced in your post, then use the EntryID from that command as an input in your send-mail command. (https://xsoar.pan.dev/docs/reference/integrations/ewso365#1-get-the-attachments-of-an-item)

 

Hope that helps!

  • 499 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!