IBM Security QRadar SOAR

  • 1.  Exchange Online Integration - Moving Emails

    Posted Tue September 14, 2021 08:50 AM
    Hello,

    The move email functionality of the Exchange Online app allows moving emails in a specific mailbox to a specified "Well-known" folder (e.g. junk folder, deleted items).


    For our phishing mailbox we would like to be able to move the emails to a custom subfolder (e.g. True Positive or False Positive).
    We tried to put the ID of a subfolder as the value of the "exo_destination_mailfolder_id" field. Unfortunately, that failed.

    Does anyone have an idea how to extend this functionality to be able to also move emails to custom subfolders?

    Thanks.

    Stef



    ------------------------------
    Stef Bisschop
    ------------------------------



  • 2.  RE: Exchange Online Integration - Moving Emails

    Posted Wed September 15, 2021 02:49 PM
    Hi Stef,

    Moving a message to a custom named (not Well-known) subfolder is not currently supported.  You can submit an RFE and we will consider it for a future release.

    The move-to folder was limited to the well-known folders to make the integration UI simpler by allowing the user to select from a list in the rule activity field.

    On inspecting the code that makes the MS Graph API call to move the message to a folder (from the IBM public GitHub):

    https://github.com/ibmresilient/resilient-community-apps/blob/master/fn_exchange_online/fn_exchange_online/lib/ms_graph_helper.py

        def move_message(self, email_address, mail_folder, message_id, dest_folder):
            """
            Call MS Graph to move a message to another folder.
            :param email_address: email address of the user's mailbox containing the message
            :param mail_folder: mailFolder id of the folder containing the message
            :param message_id: message id of the message to be moved
            :param dest_folder: dict whose 'name' is the well-known folder name (or folder id) to move the message to
            :return: requests response from the /users/{email}/messages/{id}/move endpoint
            """
            # Optional "/mailFolders/{id}" path segment for the source folder.
            mail_folder_string = self.build_folder_string(mail_folder)

            ms_graph_users_url = u'{0}/users/{1}{2}/messages/{3}/move'.format(self.ms_graph_url, email_address,
                                                                              mail_folder_string, message_id)

            # Graph accepts either a well-known folder name or a folder id as destinationId.
            response = self.ms_graph_session.post(ms_graph_users_url,
                                                  headers={'Content-Type': 'application/json'},
                                                  json={'destinationId': dest_folder['name']})

            self.check_ms_graph_response_code(response.status_code)

            return response
    dest_folder['name'] in the above code is the name of the folder to move the message to.  In the current integration exo_destination_mailfolder_id is a choice of a "select" field filled with the well-known folder names.

    The documentation for the MS Graph API call used to move a message to a folder is here.

    destinationId String The destination folder ID, or a well-known folder name. For a list of supported well-known folder names, see mailFolder resource type.
    Instead of providing a well-known folder name you may have to get the destination folder ID by listing the folders for the user
    https://docs.microsoft.com/en-us/graph/api/user-list-mailfolders?view=graph-rest-1.0&tabs=http
    and getting the "id" of the custom folder and passing it in the
    json={'destinationId': id}


    Hope that helps!

    AnnMarie


    ------------------------------
    AnnMarie Norcross
    ------------------------------
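    The approach AnnMarie describes above (list the user's mail folders, take the custom folder's "id", pass it as destinationId), written out as an added Python example. This is not code from fn_exchange_online or from the poster; it generalizes the two-step approach to a nested folder path such as Inbox/Phishing/True Positive by walking the childFolders endpoint one segment at a time and following @odata.nextLink pagination. FakeGraphSession is a constructed stand-in for the app's authenticated requests.Session and for the Graph tenant, so the block runs offline; against a real tenant you would pass the app's session and the real graph URL instead.

```python
"""Move an Exchange Online message to a custom (non well-known) folder via MS Graph.

Added example, not code from fn_exchange_online. Step 1 resolves the folder's Graph id
from its display-name path; step 2 posts that id as destinationId to /messages/{id}/move.
FakeGraphSession is a constructed stand-in for an authenticated requests.Session.
"""
import re

GRAPH_URL = "https://graph.microsoft.com/v1.0"


def _check(response):
    """Raise on any non-success status and return the decoded JSON body."""
    if response.status_code not in (200, 201):
        raise RuntimeError("MS Graph returned HTTP {}".format(response.status_code))
    return response.json()


def _list_all(session, url):
    """Collect every 'value' item, following @odata.nextLink pagination."""
    items = []
    while url:
        page = _check(session.get(url, headers={"Accept": "application/json"}))
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def find_folder_id(session, email_address, folder_path, graph_url=GRAPH_URL):
    """Resolve 'Inbox/Phishing/True Positive' to the Graph id of the leaf folder.

    Display names are matched case-insensitively; a missing segment raises LookupError
    rather than silently falling back to a well-known folder.
    """
    url = "{0}/users/{1}/mailFolders".format(graph_url, email_address)
    folder_id = None
    for segment in [s for s in folder_path.split("/") if s]:
        match = next((f for f in _list_all(session, url)
                      if f.get("displayName", "").lower() == segment.lower()), None)
        if match is None:
            raise LookupError("mail folder '{}' not found in '{}'".format(segment, folder_path))
        folder_id = match["id"]
        # Descend: the next segment is searched among this folder's children.
        url = "{0}/users/{1}/mailFolders/{2}/childFolders".format(graph_url, email_address, folder_id)
    return folder_id


def move_message_to_folder(session, email_address, message_id, folder_path, graph_url=GRAPH_URL):
    """Move message_id into the custom folder named by folder_path; returns the moved message."""
    dest_id = find_folder_id(session, email_address, folder_path, graph_url)
    url = "{0}/users/{1}/messages/{2}/move".format(graph_url, email_address, message_id)
    resp = session.post(url, headers={"Content-Type": "application/json"},
                        json={"destinationId": dest_id})
    return _check(resp)


class _FakeResponse:
    def __init__(self, status_code, body):
        self.status_code = status_code
        self._body = body

    def json(self):
        return self._body


class FakeGraphSession:
    """Constructed offline stand-in for a Graph tenant: a small folder tree and one message."""

    def __init__(self):
        # Constructed sample data; Graph ids are opaque strings, as here.
        self.folders = {
            None: [{"id": "AAMkInbox", "displayName": "Inbox"},
                   {"id": "AAMkJunk", "displayName": "Junk Email"}],
            "AAMkInbox": [{"id": "AAMkPhish", "displayName": "Phishing"}],
            "AAMkPhish": [{"id": "AAMkTP", "displayName": "True Positive"},
                          {"id": "AAMkFP", "displayName": "False Positive"}],
        }
        self.messages = {"MSG001": "AAMkInbox"}  # message id -> parent folder id
        self.posted = []

    def get(self, url, headers=None):
        m = re.search(r"/mailFolders(?:/([^/]+)/childFolders)?$", url)
        if not m:
            return _FakeResponse(404, {"error": "not found"})
        return _FakeResponse(200, {"value": self.folders.get(m.group(1), [])})

    def post(self, url, headers=None, json=None):
        m = re.search(r"/messages/([^/]+)/move$", url)
        dest = (json or {}).get("destinationId")
        known = {f["id"] for children in self.folders.values() for f in children}
        if not m or m.group(1) not in self.messages or dest not in known:
            return _FakeResponse(404, {"error": "ErrorItemNotFound"})
        self.messages[m.group(1)] = dest
        self.posted.append(json)
        return _FakeResponse(201, {"id": m.group(1) + "-moved", "parentFolderId": dest})


if __name__ == "__main__":
    session = FakeGraphSession()
    moved = move_message_to_folder(session, "phishing@example.com", "MSG001",
                                   "Inbox/Phishing/True Positive")
    print(moved["parentFolderId"])
```

    Resolving the id at call time (rather than hard-coding it in a rule) matters because folder ids are per-mailbox and change if the folder is recreated; the LookupError on a missing segment keeps a misnamed folder from quietly becoming a no-op in a phishing workflow.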



  • 3.  RE: Exchange Online Integration - Moving Emails

    Posted Thu August 31, 2023 10:19 AM

    Hi team,

    Our current IBM QRadar version is 47.2.45, and the version of our Microsoft Exchange Online Integration for SOAR (fn_exchange_online) package is 1.3.0. Until about a month ago, our "Exchange Online Move Message to Folder" function was working fine. However, in the current state, we're encountering an error suggesting that the destination folder ID should be an integer, as shown below. It's important to note that this function is a default function, and no customization has been made to the input (exo_destination_mailfolder_id) that is causing the error. We can't see any error logs in applogs.

    Has anyone else encountered a similar situation? Or do you have any suggestions for a solution? I'm sharing the error screenshot, function details, and the readme document.

    I'd appreciate any insights or recommendations on how to address this issue. Thank you in advance for your help.

    Best regards,





    ------------------------------
    Betul
    ------------------------------