IBM Security SOAR

Exchange Online Integration - Moving Emails

  • 1.  Exchange Online Integration - Moving Emails

    Posted Tue September 14, 2021 08:50 AM
    Hello,

    The move email functionality of the Exchange Online app allows moving emails in a specific mailbox to a specified "Well-known" folder (e.g. junk folder, deleted items).


    For our phishing mailbox we would like to be able to move the emails to a custom subfolder (e.g. True Positive or False Positive).
    We tried to put the ID of a subfolder as the value of the "exo_destination_mailfolder_id" field. Unfortunately, that failed.

    Does anyone have an idea how to extend this functionality to be able to also move emails to custom subfolders?

    Thanks.

    Stef



    ------------------------------
    Stef Bisschop
    ------------------------------



  • 2.  RE: Exchange Online Integration - Moving Emails

    Posted Wed September 15, 2021 02:49 PM
    Hi Stef,

    Moving a message to a custom named (not Well-known) subfolder is not currently supported.  You can submit an RFE and we will consider it for a future release.

    The move-to folder was limited to the well-known folders to make the integration UI simpler by allowing the user to select from a list in the rule activity field.

    On inspecting the code that makes the MS Graph API call to move the message to a folder (from the IBM public github):

    https://github.com/ibmresilient/resilient-community-apps/blob/master/fn_exchange_online/fn_exchange_online/lib/ms_graph_helper.py

        def move_message(self, email_address, mail_folder, message_id, dest_folder):
            """
            Call MS Graph to move message.
            :param email_address: email address of the user's mailbox from which to delete the message
            :param message_id: message id of the message to be deleted
            :param mail_folder: mailFolder id of the folder containing the message to be deleted
            :return: requests response from the /users/ endpoint which is the list of all users.
            """
            mail_folder_string = self.build_folder_string(mail_folder)
    
            ms_graph_users_url = u'{0}/users/{1}{2}/messages/{3}/move'.format(self.ms_graph_url, email_address,
                                                                              mail_folder_string, message_id)
    
            response = self.ms_graph_session.post(ms_graph_users_url,
                                                  headers={'Content-Type': 'application/json'},
                                                  json={'destinationId': dest_folder['name']})
    
            self.check_ms_graph_response_code(response.status_code)
    
            return response

    dest_folder['name'] in the above code is the name of the folder to move the message to.  In the current integration exo_destination_mailfolder_id is a choice of a "select" field filled with the well-known folder names.

    The documentation for the MS Graph API call used to move a message to a folder is here.

    destinationId | String | The destination folder ID, or a well-known folder name. For a list of supported well-known folder names, see mailFolder resource type.

    Instead of providing a well-known folder name you may have to get the destination folder ID by listing the folders for the user
    https://docs.microsoft.com/en-us/graph/api/user-list-mailfolders?view=graph-rest-1.0&tabs=http
    and getting the "id" of the custom folder and passing it in the
    json={'destinationId': id}


    Hope that helps!

    AnnMarie


    ------------------------------
    AnnMarie Norcross
    ------------------------------
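
    The folder-ID lookup suggested in the reply above, as an added example that is not part of the original posts or of the IBM app's code. It assumes `session` is an already-authenticated requests-style session and `graph_url` is the Graph base URL; the function names are hypothetical. It refuses to move the message when the folder name is missing or ambiguous, so phishing evidence is not filed in the wrong place.

```python
from urllib.parse import quote


def iter_mail_folders(session, graph_url, email_address):
    """Yield every mailFolder in the mailbox, descending into childFolders."""
    user = "{0}/users/{1}".format(graph_url, quote(email_address, safe="@"))
    pending = [user + "/mailFolders"]
    while pending:
        url = pending.pop()
        while url:  # follow @odata.nextLink paging until the listing ends
            resp = session.get(url)
            resp.raise_for_status()
            page = resp.json()
            for folder in page.get("value", []):
                yield folder
                if folder.get("childFolderCount", 0):
                    # Folder ids are percent-encoded before use as a path segment
                    pending.append("{0}/mailFolders/{1}/childFolders".format(
                        user, quote(folder["id"], safe="")))
            url = page.get("@odata.nextLink")


def find_folder_id(session, graph_url, email_address, display_name):
    """Return the id of the single folder named display_name, else raise."""
    ids = [f["id"] for f in iter_mail_folders(session, graph_url, email_address)
           if f.get("displayName") == display_name]
    if len(ids) != 1:
        raise LookupError("{0} folders named {1!r}".format(len(ids), display_name))
    return ids[0]


def move_message_to_folder(session, graph_url, email_address, message_id,
                           display_name):
    """Resolve the custom folder id, then POST it as destinationId."""
    dest_id = find_folder_id(session, graph_url, email_address, display_name)
    url = "{0}/users/{1}/messages/{2}/move".format(
        graph_url, quote(email_address, safe="@"), quote(message_id, safe=""))
    resp = session.post(url, headers={"Content-Type": "application/json"},
                        json={"destinationId": dest_id})
    resp.raise_for_status()
    return resp
```

    Because the lookup walks childFolders, a subfolder such as "True Positive" under the Inbox is found even though it does not appear in the top-level mailFolders listing.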