This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

XSOAR File Issue

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

XSOAR File Issue

Syedhkt
L2 Linker

‎07-23-2024 09:49 PM - edited ‎07-23-2024 09:50 PM

Hi All,

I tried to send an attachment using the attachment ID in Exchange Web Services (EWS) for Office 365, and I was also able to see the entry ID of the file in context object. However, the structure of the entry ID is different from the standard format. I created a ZIP file from a text file and uploaded it to the context, but I'm facing an issue. Do you have any suggestions or solutions to help me with this? Please check attached pictures

 

Cortex XSOAR 

Cortex XSOAR
Thumbnail of Cortex XSOAR
Palo Alto Networks
Cortex XSOAR
Security Operations
View on Product Page
Preview file
16 KB
0 Likes Likes
1 REPLY 1

cmcneil
L2 Linker

‎08-15-2024 03:44 PM

We do something similar with our phishing playbook when an email is legitimate or known good.
The attachment we send back is the one which was received in the original incident. We use the incident EntryID which looks like "4@ 12345" as shown in this screenshot.

Attachment IDs 2.png

Then, in our send-mail command, using EWSO365, we reference the EntryID as the attachID. See screenshot below for details. Redacted items are not relevant to the issue at hand.

Attachment IDs 1.png

As noted in the reference docs for the EWS O365 integration, the attachID in the send-mail command must reference a war room entry, not the Exchange attachment-ids. (https://xsoar.pan.dev/docs/reference/integrations/ewso365#19-send-an-email)


To first get the attachment, if it's not already part of your incident, you would need to run the "ews-get-attachment" command with attachment-ids you referenced in your post, then use the EntryID from that command as an input in your send-mail command. (https://xsoar.pan.dev/docs/reference/integrations/ewso365#1-get-the-attachments-of-an-item)

 

Hope that helps!

0 Likes Likes
  • 329 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks