IBM Security QRadar SOAR

I have been looking for a way to delete emails from exchange.

Use Case:
ProofPoint TAP emails come in stating that it delivered a "bad" email. We need to delete said email using the sender, recipient, subject, timeframe, and/or messageid.

Results:
Connect to the Exchange/O365 instance and search the entire environment for the email in the recipients mailbox and delete the message to protect the organization/user.

I have been looking into the fn_exchange integration and was trying to figure out if that was what this tool was meant for or if this was only pulling messages from 1 mailbox per the settings of the user. I can do this with powershell scripts, but have yet to find a way to do it in Python (or at least I am not Googling right...) and was hoping that this answered my problems.

Thanks for the help in advance!

------------------------------
Nick Mumaw
------------------------------

I don't think it will open multiple mailboxes unless you do multiple searches. It will go recursively through the folders in the mailbox though.

If you want to search the entire environment are you planning on using the ecp and doing a search there?

Or were you planning on pulling all mailboxes and then searching them one by one? If you were going to do the second one you might be able to modify the workflows/functions to make it work for that type of searching.


------------------------------
Richard Giesige
------------------------------

Original Message:
Sent: Thu December 05, 2019 01:38 PM
From: Nick Mumaw
Subject: fn_exchange Integration Questions

I have been looking for a way to delete emails from exchange.

Use Case:
ProofPoint TAP emails come in stating that it delivered a "bad" email. We need to delete said email using the sender, recipient, subject, timeframe, and/or messageid.

Results:
Connect to the Exchange/O365 instance and search the entire environment for the email in the recipients mailbox and delete the message to protect the organization/user.

I have been looking into the fn_exchange integration and was trying to figure out if that was what this tool was meant for or if this was only pulling messages from 1 mailbox per the settings of the user. I can do this with powershell scripts, but have yet to find a way to do it in Python (or at least I am not Googling right...) and was hoping that this answered my problems.

Thanks for the help in advance!

------------------------------
Nick Mumaw
------------------------------

Hey Richard,

I was just trying to figure out if it could do the same thing as the powershell script that I had. It used the subject/sender/receiver/date to look up emails in the delivery table to determine where emails went, then opened the mailboxes to delete the emails from each mailbox.

Just got the exchange online so going to chase this again with the new function.

Thanks!

------------------------------
Nick Mumaw
------------------------------

Original Message:
Sent: Fri December 06, 2019 10:46 AM
From: Richard Giesige
Subject: fn_exchange Integration Questions

I don't think it will open multiple mailboxes unless you do multiple searches. It will go recursively through the folders in the mailbox though.

If you want to search the entire environment are you planning on using the ecp and doing a search there?

Or were you planning on pulling all mailboxes and then searching them one by one? If you were going to do the second one you might be able to modify the workflows/functions to make it work for that type of searching.


------------------------------
Richard Giesige

Original Message:
Sent: Thu December 05, 2019 01:38 PM
From: Nick Mumaw
Subject: fn_exchange Integration Questions

I have been looking for a way to delete emails from exchange.

Use Case:
ProofPoint TAP emails come in stating that it delivered a "bad" email. We need to delete said email using the sender, recipient, subject, timeframe, and/or messageid.

Results:
Connect to the Exchange/O365 instance and search the entire environment for the email in the recipients mailbox and delete the message to protect the organization/user.

I have been looking into the fn_exchange integration and was trying to figure out if that was what this tool was meant for or if this was only pulling messages from 1 mailbox per the settings of the user. I can do this with powershell scripts, but have yet to find a way to do it in Python (or at least I am not Googling right...) and was hoping that this answered my problems.

Thanks for the help in advance!

------------------------------
Nick Mumaw
------------------------------

The Exhange Online integration will let you search a single email address, a list of email addresse or the entire tenant
with query parameters receive/send date, message body text and subject text.  Results of the query will go to a data table
and you can manually delete them there from the table table.  You can also query and delete in "one shot" using the
Example: Exchange Online: Delete Messages from Query Results workflow.

AnnMarie

------------------------------
AnnMarie Norcross
------------------------------

Original Message:
Sent: Tue February 25, 2020 12:36 PM
From: Nick Mumaw
Subject: fn_exchange Integration Questions

Hey Richard,

I was just trying to figure out if it could do the same thing as the powershell script that I had. It used the subject/sender/receiver/date to look up emails in the delivery table to determine where emails went, then opened the mailboxes to delete the emails from each mailbox.

Just got the exchange online so going to chase this again with the new function.

Thanks!

------------------------------
Nick Mumaw

Original Message:
Sent: Fri December 06, 2019 10:46 AM
From: Richard Giesige
Subject: fn_exchange Integration Questions

I don't think it will open multiple mailboxes unless you do multiple searches. It will go recursively through the folders in the mailbox though.

If you want to search the entire environment are you planning on using the ecp and doing a search there?

Or were you planning on pulling all mailboxes and then searching them one by one? If you were going to do the second one you might be able to modify the workflows/functions to make it work for that type of searching.


------------------------------
Richard Giesige

Original Message:
Sent: Thu December 05, 2019 01:38 PM
From: Nick Mumaw
Subject: fn_exchange Integration Questions

I have been looking for a way to delete emails from exchange.

Use Case:
ProofPoint TAP emails come in stating that it delivered a "bad" email. We need to delete said email using the sender, recipient, subject, timeframe, and/or messageid.

Results:
Connect to the Exchange/O365 instance and search the entire environment for the email in the recipients mailbox and delete the message to protect the organization/user.

I have been looking into the fn_exchange integration and was trying to figure out if that was what this tool was meant for or if this was only pulling messages from 1 mailbox per the settings of the user. I can do this with powershell scripts, but have yet to find a way to do it in Python (or at least I am not Googling right...) and was hoping that this answered my problems.

Thanks for the help in advance!

------------------------------
Nick Mumaw
------------------------------

Thanks again AnnMarie!

I haven't started building this out yet, but this will help as I move to do this.

------------------------------
Nick Mumaw
------------------------------

Original Message:
Sent: Tue February 25, 2020 03:25 PM
From: AnnMarie Norcross
Subject: fn_exchange Integration Questions

The Exhange Online integration will let you search a single email address, a list of email addresse or the entire tenant
with query parameters receive/send date, message body text and subject text.  Results of the query will go to a data table
and you can manually delete them there from the table table.  You can also query and delete in "one shot" using the
Example: Exchange Online: Delete Messages from Query Results workflow.

AnnMarie

------------------------------
AnnMarie Norcross

Original Message:
Sent: Tue February 25, 2020 12:36 PM
From: Nick Mumaw
Subject: fn_exchange Integration Questions

Hey Richard,

I was just trying to figure out if it could do the same thing as the powershell script that I had. It used the subject/sender/receiver/date to look up emails in the delivery table to determine where emails went, then opened the mailboxes to delete the emails from each mailbox.

Just got the exchange online so going to chase this again with the new function.

Thanks!

------------------------------
Nick Mumaw

Original Message:
Sent: Fri December 06, 2019 10:46 AM
From: Richard Giesige
Subject: fn_exchange Integration Questions

I don't think it will open multiple mailboxes unless you do multiple searches. It will go recursively through the folders in the mailbox though.

If you want to search the entire environment are you planning on using the ecp and doing a search there?

Or were you planning on pulling all mailboxes and then searching them one by one? If you were going to do the second one you might be able to modify the workflows/functions to make it work for that type of searching.


------------------------------
Richard Giesige

Original Message:
Sent: Thu December 05, 2019 01:38 PM
From: Nick Mumaw
Subject: fn_exchange Integration Questions

I have been looking for a way to delete emails from exchange.

Use Case:
ProofPoint TAP emails come in stating that it delivered a "bad" email. We need to delete said email using the sender, recipient, subject, timeframe, and/or messageid.

Results:
Connect to the Exchange/O365 instance and search the entire environment for the email in the recipients mailbox and delete the message to protect the organization/user.

I have been looking into the fn_exchange integration and was trying to figure out if that was what this tool was meant for or if this was only pulling messages from 1 mailbox per the settings of the user. I can do this with powershell scripts, but have yet to find a way to do it in Python (or at least I am not Googling right...) and was hoping that this answered my problems.

Thanks for the help in advance!

------------------------------
Nick Mumaw
------------------------------