IBM Security QRadar SOAR

  • 1.  O365 integration - query not returning expecting output

    Posted Thu April 14, 2022 03:53 PM
    I am testing the 'Exchange Online: Query Messages' function (fn_exchange_online package version 1.3.0) and the query that is returned has section 'content' as seen in the attached file ('sample_o365_content_output.png'). However, per the documentation, the 'content' field should also contain body, flag, email importance, etc.

    Has anyone encountered this?




    ------------------------------
    Mark Aksen
    ------------------------------


  • 2.  RE: O365 integration - query not returning expecting output

    Posted Tue April 19, 2022 02:44 PM
    Hi Mark

    I did some changes to the EXO app for 1.3.0 to improve performance when doing queries that return a large amount of data. Part of that work was limiting the amount of data coming for each message.  I think I did not update the output json in the user guide when I did that work.

    This line was added to the query function at line 688 in ms_graph_helper.py

            # Append to the request url just the json fields we view in the data table.
            ms_graph_query_url = u"{0}&$select=id,subject,sender,hasAttachments,receivedDateTime,webLink".format(ms_graph_query_url)

    So only those fields that show in the data table are returned using the "select=" command.
    You could modify this code to return the body of the email if you wanted it.

    Thanks for letting me know about the documentation discrepancy.  We will regenerate the doc for the next release and include the newly required payload_samples directory also.

    AnnMarie



    ------------------------------
    AnnMarie Norcross
    ------------------------------



  • 3.  RE: O365 integration - query not returning expecting output

    Posted Tue April 19, 2022 04:57 PM
    Hi Ann Marie,

    How would we modify the code to include the email body (as well as all other available fields) in the output? 
    We tried editing line 688 - by specifying "select=*" or by commenting out this line entirely, and our output is identical to previous one. 

    Thanks for your help,
    Mark

    ------------------------------
    Mark Aksen
    ------------------------------



  • 4.  RE: O365 integration - query not returning expecting output

    Posted Wed April 20, 2022 10:41 AM
    Hi Mark

    You should be able to add the json fields of a MS Graph mail message to the $select parameter.  I believe the body field is "body".  So the code to include the body would be

     ms_graph_query_url = u"{0}&$select=body,id,subject,sender,hasAttachments,receivedDateTime,webLink".format(ms_graph_query_url)

    You can use the MS Graph Explorer to view a sample mail message here: https://developer.microsoft.com/en-us/graph/graph-explorer
    Click on "GET my mail" on the left and a sample mail message will show in the area on the right.

    I see there is also a "bodyPreview" field.

    The $select parameter is documented here: https://docs.microsoft.com/en-us/graph/query-parameters

    Hope this helps!

    ------------------------------
    AnnMarie Norcross
    ------------------------------
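The following is an added example, not code from the fn_exchange_online app or from either poster. It shows the two things this exchange turns on: how a `$select` projection is merged into an existing MS Graph query URL (so that a second `$select` is not appended alongside one already present), and how to check a returned message for the fields the documentation promises before a workflow reads them. The helper names `with_select`, `project` and `missing_fields` are hypothetical, the `SAMPLE_MESSAGE` dict is constructed, and only Graph message property names that are documented (`id`, `subject`, `sender`, `hasAttachments`, `receivedDateTime`, `webLink`, `body`, `bodyPreview`, `importance`, `flag`) are used.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Projection the app's query function applies by default (as quoted in the thread).
DEFAULT_SELECT = ["id", "subject", "sender", "hasAttachments",
                  "receivedDateTime", "webLink"]

# Fields the user guide says should appear in 'content' but that the
# default projection drops.
DOCUMENTED_EXTRA = ["body", "bodyPreview", "importance", "flag"]


def with_select(url, extra_fields):
    """Return url with exactly one $select parameter.

    Any $select already on the URL is merged with extra_fields (order kept,
    duplicates removed); every other query parameter is preserved.
    Hypothetical helper, not part of ms_graph_helper.py.
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    existing, kept = [], []
    for key, value in params:
        if key == "$select":
            existing.extend(f.strip() for f in value.split(",") if f.strip())
        else:
            kept.append((key, value))
    merged = []
    for field in existing + list(extra_fields):
        if field not in merged:
            merged.append(field)
    kept.append(("$select", ",".join(merged)))
    # safe="$," keeps the OData prefix and the comma list readable in the URL.
    return urlunsplit(parts._replace(query=urlencode(kept, safe="$,")))


def project(message, select_fields):
    """Mimic server-side $select: keep only the requested top-level keys."""
    return {k: v for k, v in message.items() if k in select_fields}


def missing_fields(message, required):
    """List the required keys absent from a returned message (empty if none)."""
    return [f for f in required if f not in message]


# Constructed sample resembling a Graph mail message; values are made up.
SAMPLE_MESSAGE = {
    "id": "AAMkAGexample",
    "subject": "Quarterly report",
    "sender": {"emailAddress": {"name": "Example Sender",
                                "address": "sender@example.com"}},
    "hasAttachments": True,
    "receivedDateTime": "2022-04-14T15:53:00Z",
    "webLink": "https://outlook.office365.com/owa/?ItemID=AAMkAGexample",
    "body": {"contentType": "text", "content": "Please find the report attached."},
    "bodyPreview": "Please find the report attached.",
    "importance": "normal",
    "flag": {"flagStatus": "notFlagged"},
}


if __name__ == "__main__":
    base = "https://graph.microsoft.com/v1.0/me/messages?$top=50&$select=id,subject"
    print(with_select(base, DOCUMENTED_EXTRA))
    narrow = project(SAMPLE_MESSAGE, DEFAULT_SELECT)
    print("missing with default $select:", missing_fields(narrow, DOCUMENTED_EXTRA))
    wide = project(SAMPLE_MESSAGE, DEFAULT_SELECT + DOCUMENTED_EXTRA)
    print("missing with widened $select:", missing_fields(wide, DOCUMENTED_EXTRA))
```

Running `missing_fields` on each message returned by the query before a rule writes `body` to a note is a cheap guard: it tells you immediately whether the deployed code is still applying the narrow projection, which is the symptom described in this thread, rather than failing later inside the workflow.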



  • 5.  RE: O365 integration - query not returning expecting output

    Posted Wed April 20, 2022 11:50 AM
    Hi AnnMarie, 

    I used "select=*" in the MS Graph Explorer and was returning all of the fields I was expecting, including body and bodyPreview. 
    However, when I edit ms_graph_helper.py to "select=*" in line 688 (as well as on line 498 (tried with just editing line 688 as well)), I am getting same output as previously, i.e. not seeing body, bodyPreview or the other fields. 

    Are there perhaps other scripts besides ms_graph_helper.py that need to be revised to return all of these fields?

    ------------------------------
    Mark Aksen
    ------------------------------



  • 6.  RE: O365 integration - query not returning expecting output

    Posted Wed April 20, 2022 12:28 PM
    Alternatively the issue may be related to how the apps are packaged in Resilient, namely the app is pointing to the public quay.io repository.
    Do we need to rebuild the Docker image and repackage the app in a private repository?

    ------------------------------
    Mark Aksen
    ------------------------------



  • 7.  RE: O365 integration - query not returning expecting output

    Posted Wed April 20, 2022 02:01 PM
    Hi Mark,

    Since you were talking about modifying the code yourself I was assuming you were editing and running as an integration server.

    If you are running on app host then yes, if you are making changes to the code you'd have to rebuild and repackage in a private repository.

    Can you run a query and then write the body of the email to a note off the data table using the rule/workflow provided?

    AnnMarie


    ------------------------------
    AnnMarie Norcross
    ------------------------------