Exchange

This document provides guidance on how to integrate Exchange with Google Security Operations SOAR.

Integration version: 102.0

This integration uses one or more open source components. You can download a zipped copy of the full source code of this integration from the Cloud Storage bucket .

Configure Exchange Online

The prerequisites and configuration steps differ depending on whether you configure the integration for the Exchange Online or Exchange Server.

• To configure Exchange Online, proceed to the following section.

• To configure Exchange Server, see Configure Exchange Server .

The integration for Exchange Online only supports OAuth delegated authentication with delegated tokens which requires additional configuration.

Changes made to permissions in the Azure environment can take up to 24 hours to take effect.

Before integrating Exchange Online with Google SecOps, complete the following steps:

1. Set up OAuth delegated authentication .
2. Create Microsoft Entra application .
3. Configure API permissions for the application .
4. Create a client secret .

Set up OAuth delegated authentication

1. Verify that Exchange Online is accessible from the Google SecOps server and meets the following requirements:

   • Exchange Online DNS name is resolving.

   • The integration uses the Exchange Web Services (EWS) hosted on port 443. Make sure that EWS is enabled and hosted on a port accessible to the Google SecOps server.

   If Exchange Online is not accessible from the Google SecOps server, consider using a Google SecOps remote agent.

2. Provide the integration with a valid username (user email account). Choose a user to use in the integration. To impersonate the user, create a Microsoft Entra application .

3. Assign a Microsoft 365 license to the user (mailbox), such as the Microsoft 365 E5 license.

4. For actions that use delegated or impersonated permissions, complete the following steps:

   1. To allow the integration to access multiple Exchange Online mailboxes, use the role based access control for applications in Exchange Online .

   2. To access other mailboxes, assign the following Exchange roles to the user (mailbox) configured for the integration:

   • Discovery Management role group in the Microsoft product documentation.

   • ApplicationImpersonation role in the Microsoft product documentation.

   • Compliance Management role in the Microsoft product documentation.

   • Organization Management role in the Microsoft product documentation.

Create Microsoft Entra application

To create an application and impersonate the chosen user, follow these steps:

1. Sign in to the Azure portal as a user administrator or a password administrator.

2. Select Microsoft Entra ID.

3. Go to App registrations > New registration.

4. Enter the name of the app.

5. Select suitable Supported account types.

6. For the Redirect URIprovide the following values:

   • Platform: Web

   • Redirect URL: http://localhost

7. Click Register.

8. Save the Application (client) IDand Directory (tenant) IDvalues for later use when you configure the integration.

Configure API permissions

To configure the API permissions for your application, follow these steps:

1. Go to API permissions > Add a permission.

2. Select Microsoft Graph > Delegated permissions.

3. In the Select permissionssections, select EWS.

4. Select the Ews.AccessAsUser.All permission.

5. Click Add permissions.

6. Click Grant admin consent for YOUR_ORGANIZATION_NAME .

   When the Grant admin consent confirmationdialog appears, click Yes.

Create a client secret

1. Navigate to Certificates and secrets > New client secret.

2. Provide a description for a client secret and set its expiration deadline.

3. Click Add.

4. Save the value of the client secret (not the secret ID) to use it as the Client Secret parameter value when you configure the integration . The client secret value is only displayed once.

Use the created Microsoft Entra application to generate a refresh token that is required for configuring the integration in the Google SecOps platform.

Assign the ApplicationImpersonation role

To assign the ApplicationImpersonation role, complete the following steps:

1. In Exchange , go to Roles > Admin Roles > Discovery Management > Permissions.
2. On the Permissionspage, confirm that the ApplicationImpersonation role is selected.
3. Select the Assignedtab.
4. In the Assignedtab, add the user that you configured for the Exchange integration.
5. Click Save.

The settings can take up to 24 hours to take effect.

Integrate Exchange Online with Google SecOps

For instructions about how to install and configure the integration on Google SecOps, see Configure Integrations .

Integrating Exchange Online with the Google SecOps platform requires you to complete the following steps in Google SecOps:

1. Configure the initial parameters and save them.

2. Generate a refresh token:

   • Simulate a case in Google SecOps.

   • Run the Get Authorizationaction.

   • Run the Generate Tokenaction.

3. Input the obtained refresh token as the Refresh Token parameter value and save the configuration.

Configure initial parameters

The Exchange Online integration requires the following initial parameters:

After you have configured the parameters, click Save.

Generate a refresh token

Generating a refresh token requires you to run manual actions on an existing case. If your Google SecOps instance is new and has no existing cases, simulate one.

Simulate a case

To simulate a case in Google SecOps, follow these steps:

1. In the left navigation, select Cases.

2. On the Cases page, click add > Simulate Cases.

3. Select any of the default cases and click Create. It doesn't matter what case you choose to simulate.

4. Click Simulate.

   If you have an environment other than default and would like to use it, select the correct environment and click Simulate.

5. In the Casestab, click Refresh. The case you have simulated appears in the case list.

Run the Get Authorization action

Use the Google SecOps case which you simulated to run the Get Authorization action manually.

1. In the Casestab, select your simulated case to open a Case View.

2. Click Manual Action.

3. In the Manual Action Searchfield, enter Exchange .

4. In the results under the Exchange integration, select Get Authorization. This action returns an authorization link that is used to interactively sign in to the Microsoft Entra app.

5. Click Execute.

6. After the action is executed, navigate to the Case Wall of your simulated case. In the Exchange_Get Authorizationaction record, click View More. Copy the authorization link.

7. Open a new browser window in incognito mode and paste the generated authorization URL. The Azure sign-in page opens.

8. Sign in with the user credentials you selected for the integration. After signing in, your browser redirects you to an address with a code in the address bar.

   It is expected for the browser to display an error as the app redirects you to http://localhost .

9. Copy the whole URL with the access code from the address bar.

Run the Generate Token action

Use the Google SecOps case you've simulated to run the Generate Token action manually.

1. In the Casestab, select your simulated case to open a Case View.

2. Click Manual Action.

3. In the Manual Action Searchfield, enter Exchange .

4. In the results under the Exchange integration, select Generate Token.

5. In the Authorization URL field, paste the whole URL with the access code copied after running the Get Authenticationaction.

6. Click Execute.

7. After the action is executed, navigate to the Case Wall of your simulated case. In the Exchange_Generate Tokenaction record, click View More.

8. Copy the entire value of the generated refresh token.

Configure the Refresh Token parameter

1. Navigate to the configuration dialog for the Exchange integration.

2. Enter the refresh token value that you obtained when running the Generate Tokenaction into the Refresh Tokenfield.

3. Click Save.

4. Click Testto test if the configuration is correct and the integration works as expected.

You can make changes at a later stage if needed. Once configured, the instances can be used in playbooks. For detailed information on configuring and supporting multiple instances, see Supporting multiple instances .

Configure Exchange Server

Before integrating Exchange Server with Google SecOps, set up the basic authentication for Exchange Server.

To authenticate with the Exchange Server, use a username and a password.

Set up basic authentication

To set up the basic authentication, complete the following steps:

1. Verify that the Exchange Server (one of the servers in the cluster) is accessible from the Google SecOps server and meets the following requirements:

   • The Exchange Server DNS name is resolving.

   • The Exchange Server IP address is accessible.

   • Exchange Web Services (EWS) is enabled and hosted on a port accessible to the Google SecOps server.

   If the Exchange Server is not accessible from the Google SecOps SOAR server, consider using a Google SecOps remote agent.

2. Provide the integration with a username (user email account) and a password. Choose the user for the integration.

3. For actions that use delegated or impersonated permissions, complete the following steps:

   1. Grant a delegated or impersonated access to the required mailboxes to an email account that you use in the integration.

      We recommend you to configure access with impersonated permissions. For more information, see Impersonation and EWS in Exchange in Microsoft product documentation.

   2. To access other mailboxes, assign the following Exchange roles to the user (mailbox) configured for the integration:

      • Discovery Management role group in Microsoft product documentation.

      • ApplicationImpersonation role in Microsoft product documentation.

      • Compliance Management role in Microsoft product documentation.

      • Organization Management role in Microsoft product documentation.

Integrate Exchange Server with Google SecOps

For instructions about how to install and configure the integration on Google SecOps, see Configure integrations .

Integration inputs

The Exchange Server integration requires the following parameters:

Actions

The actions listed in this section fall under two categories:

1. The common Exchange integration actions.

2. Actions that are specific to the Exchange Block Sender and Domain functionality .

Required permissions

For the minimal permissions that are required to run common actions, refer to the following table:

For the minimal permissions required to run actions from the Block Sender and Domain functionality , refer to the following table:

Delete Mail

Use the Delete Mailaction to delete one or multiple emails that match the search criteria from a mailbox.

Deleting emails can apply to the first email that matches the search criteria or all matching emails.

For the permissions required to run this action, refer to the action permissions section of this document.

If the user is offline, the action may not delete the message from their Outlook client until the user reconnects and synchronizes their mailbox.

This action doesn't run on Google SecOps entities.

Action inputs

The Delete Mailaction requires the following parameters:

Action outputs

The Delete Mailaction provides the following outputs:

Output messages

The Delete Mailaction can return the following output messages:

Script result

The following table lists the value for the script result output when using the Delete Mailaction:

Download Attachments

Use the Download Attachmentsaction to download email attachments from an email to a specific path on the Google SecOps server. The action automatically replaces the backslash or space characters in the names of downloaded attachments with the underscore character.

This action doesn't run on Google SecOps entities.

Action inputs

The Download Attachmentsaction requires the following parameters:

Action outputs

The Download Attachmentsaction provides the following outputs:

JSON result

The following example shows the JSON result output received when using the Download Attachmentsaction:

  [ 
  
 { 
  
 "attachment_name" 
 : 
  
 " ATTACHMENT_NAME 
" 
 , 
  
 "downloaded_path" 
 : 
  
 "  reado 
 nl 
 y 
 " translate=" 
 n 
 o 
 ">FULL_PATH" 
  
 }, 
  
 { 
  
 "attachment_name" 
 : 
  
 " ATTACHMENT_NAME 
" 
 , 
  
 "downloaded_path" 
 : 
  
 "  reado 
 nl 
 y 
 " translate=" 
 n 
 o 
 ">FULL_PATH" 
  
 } 
 ] 
 
 
 
 
 

Output messages

The Download Attachmentsaction can return the following output messages:

Script result

The following table lists the value for the script result output when using the Download Attachmentsaction:

Extract EML Data

Use the Extract EML Dataaction to extract data from the email EML attachments.

This action runs on all Google SecOps entities.

Action inputs

The Extract EML Dataaction requires the following parameters:

Action outputs

The Extract EML Dataaction provides the following outputs:

JSON result

The following example shows the JSON result output received when using the Extract EML Dataaction:

  [ 
  
 { 
  
 "count" 
 : 
  
 3 
 , 
  
 "files" 
 : 
  
 { 
  
 "mxtoolbox_test_case.case" 
 : 
  
 "090a131a0726dea8f5b0c2205ffc9527" 
  
 }, 
  
 "from" 
 : 
  
 "Exam <user1@example.com>" 
 , 
  
 "text" 
 : 
  
 "hello eml test" 
 , 
  
 "regex" 
 : 
  
 { 
  
 }, 
  
 "to" 
 : 
  
 "Test Test <user2@example.com>" 
 , 
  
 "html" 
 : 
  
 "<html><div></div></html>" 
 , 
  
 "date" 
 : 
  
 "Wed, 12 Sep 2018 12:36:17 +0300" 
 , 
  
 "subject" 
 : 
  
 "eml test" 
  
 } 
 ] 
 

Script result

The following table lists the value for the script result output when using the Extract EML Dataaction:

Generate Token

Use the Generate Tokenaction to get a refresh token for the integration configuration with OAuth authentication. Use the authorization URL that you received in the Get Authorization action.

This action doesn't run on Google SecOps entities.

Action inputs

The Generate Tokenaction requires the following parameters:

Action outputs

The Generate Tokenaction provides the following outputs:

Output messages

The Generate Tokenaction can return the following output messages:

Script result

The following table lists the value for the script result output when using the Generate Tokenaction:

Get Account Out Of Facility Settings

Use the Get Account Out Of Facility Settingsaction to get the account out of facility (OOF) settings for the provided Google SecOps User entity.

If the target user entity is a username and not an email, run the Active Directory Enrich Entitiesaction to retrieve an information about the user email that is stored in Active Directory.

This action runs on the Google SecOps User entity.

Action inputs

None.

Action outputs

The Get Account Out Of Facility Settingsaction provides the following outputs:

Case wall table

The Get Account Out Of Facility Settingsaction returns the following table on a Case Wall in Google SecOps:

Table name: Out of Facility Settings

Table columns:

• Parameter
• Value

Entity enrichment

The Get Account Out Of Facility Settingsaction supports the following entity enrichment:

JSON result

The following example shows the JSON result output received when using the Get Account Out Of Facility Settingsaction:

  Oo 
 f 
 Se 
 tt 
 i 
 n 
 gs(s 
 tate 
 ='Disabled' 
 , 
  
 ex 
 ternal 
 _audie 
 n 
 ce='All' 
 , 
  
 s 
 tart 
 =EWSDa 
 te 
 Time( 
 2020 
 , 
  
 10 
 , 
  
 1 
 , 
  
 3 
 , 
  
 0 
 , 
  
 t 
 zi 
 nf 
 o=<UTC>) 
 , 
  
 e 
 n 
 d=EWSDa 
 te 
 Time( 
 2020 
 , 
  
 10 
 , 
  
 2 
 , 
  
 3 
 , 
  
 0 
 , 
  
 t 
 zi 
 nf 
 o=<UTC>)) 
 

Output messages

The Get Account Out Of Facility Settingsaction can return the following output messages:

Get Authorization

Use the Get Authorizationaction to obtaining a link with the access code for the integration configuration with OAuth authentication. Copy the link and use it in the Generate Token action to get the refresh token.

This action doesn't run on Google SecOps entities.

Action inputs

None.

Action outputs

The Get Authorizationaction provides the following outputs:

Case wall link

This Get Authorizationaction returns the following link:

Name: Browse to this authorization link

Link: AUTHORIZATION_LINK

Output messages

This Get Authorizationaction can return the following output messages:

Script result

The following table lists the value for the script result output when using the Get Authorizationaction:

Get Mail EML File

Use the Get Mail EML Fileaction to retrieve a message EML file.

This action runs on all Google SecOps entities.

Action inputs

The Get Mail EML Fileaction requires the following parameters:

Action outputs

The Get Mail EML Fileaction provides the following outputs:

Script result

The following table lists the value for the script result output when using the Get Mail EML Fileaction:

Move Mail to Folder

Use the Move Mail to Folderaction to move one or multiple emails from the source email folder to the other folder in a mailbox.

Depending on the use case, the action returns a different amount of information about processed emails in the JSON result.

If you select the Limit the amount of information in the JSON resultparameter, the JSON result contains only the following email fields: datetime_received , message_id , sender , subject , to_recipients . Otherwise, the JSON result contains all available information about the processed email.

If you select the Disable the Action JSON Resultparameter, the action doesn't return the JSON result at all.

The Move Mail to Folderaction doesn't run on Google SecOps entities.

Action inputs

The Move Mail to Folderaction requires the following parameters:

Action outputs

The Move Mail to Folderaction provides the following outputs:

Output messages

The Move Mail to Folderaction can return the following output messages:

Script result

The following table lists the value for the script result output when using the Move Mail to Folderaction:

Ping

Use the Pingaction to test a connection to the Microsoft Exchange instance.

You can execute this action can be manually and not as a part of the playbook flow.

This action doesn't run on Google SecOps entities.

Action inputs

N/A

Action outputs

The Pingaction provides the following outputs:

Output messages

The Pingaction can return the following output messages:

Script result

The following table lists the value for the script result output when using the Pingaction:

Save Mail Attachments To The Case

Use the Save Mail Attachments To The Caseaction to save email attachments from an email stored in the monitored mailbox to the Case Wall in Google SecOps.

This action doesn't run on Google SecOps entities.

Action inputs

The Save Mail Attachments To The Caseaction requires the following parameters:

Action outputs

The Save Mail Attachments To The Caseaction provides the following outputs:

Output messages

The Save Mail Attachments To The Caseaction can return the following output messages:

Script result

The following table lists the value for the script result output when using the Save Mail Attachments To The Caseaction:

Search Mails

Use the Search Mailsaction to search for specific emails in a configured mailbox using multiple search criteria. This action returns information about emails that were found in a mailbox in the JSON format.

This action doesn't run on Google SecOps entities.

Action inputs

The Search Mailsaction requires the following parameters:

Action outputs

The Search Mailsaction provides the following outputs:

Case wall table

The Search Mailsaction returns the following table on a Case Wall in Google SecOps:

Table title: Matching Mails

Table columns:

• Message_id
• Received Date
• Sender
• Recipients
• Subject
• Email body
• Attachment names(as a comma-separated list of attachment names)

If you select the Search in all mailboxes parameter, the action adds the Found in mailboxcolumn to the table to indicate which mailbox the email was found in.

JSON result

The following example shows the JSON result output received when using the Search Mailsaction:

  [ 
  
 { 
  
 "body" 
 : 
  
 "Mail Body" 
 , 
  
 "subject" 
 : 
  
 "Mail Subject" 
 , 
  
 "author" 
 : 
  
 "user_1@example.com" 
  
 }, 
  
 { 
  
 "body" 
 : 
  
 " " 
 , 
  
 "subject" 
 : 
  
 "Mail Subject" 
 , 
  
 "author" 
 : 
  
 "user_2@example.com" 
  
 } 
 ] 
 

Output messages

The Search Mailsaction can return the following output messages:

Script result

The following table lists the value for the script result output when using the Search Mailsaction:

   
 [ 
  
 { 
  
 "EntityResult" 
 : 
  
 { 
  
 "attachments" 
 : 
  
 [], 
  
 "sensitivity" 
 : 
  
 "Normal" 
 , 
  
 "effective_rights" 
 : 
  
 " test" 
 , 
  
 "has_attachments" 
 : 
  
 "false" 
 , 
  
 "last_modified_name" 
 : 
  
 "mail" 
 , 
  
 "is_submitted" 
 : 
  
 "false" 
  
 }, 
  
 "Entity" 
 : 
  
 "example@example.com" 
  
 } 
  
 ] 
  
 

Send Mail

Use the Send Mailaction to send an email from a specific mailbox to a list of recipients. You can use this action to inform users about the following:

• Specific alerts created in Google SecOps.
• Results of the specific alerts processing.

This action doesn't run on Google SecOps entities.

Action inputs

The Send Mailaction requires the following parameters:

Action outputs

The Send Mailaction provides the following outputs:

JSON result

The following example shows the JSON result output received when using the Send Mailaction:

  { 
  
 "mime_content" 
 : 
  
 "b'From: exchange_online_test\\r\\n\\t<test_user@example.com>\\r\\nTo: =?iso-8859-8-i?B?4ifp6e7xIOHl8OM=?=\\r\\n\\t<example@example.com>\\r\\nSubject: test email\\r\\nThread-Topic: test email\\r\\nThread-Index: AQHZI2sS6qOMRJL5hkWATMpRN9fv4Q==\\r\\nDate: Sun, 8 Jan 2023 14:11:15 +0000\\r\\nMessage-ID: <message_id@example>\\r\\nAccept-Language: en-US\\r\\nContent-Language: en-US\\r\\nX-MS-Has-Attach:\\r\\nContent-Type: multipart/alternative;\\r\\n\\tboundary=\"_000_1673187082551404817642532883270906446a69558cb5108_\"\\r\\nMIME-Version: 1.0\\r\\n\\r\\n--_000_1673187082551404817642532883270906446a69558cb5108_\\r\\nContent-Type: text/plain; charset=\"iso-8859-8-i\"\\r\\nContent-Transfer-Encoding: quoted-printable\\r\\n\\r\\ntest content\\r\\n\\r\\n--_000_1673187082551404817642532883270906446a69558cb5108_\\r\\nContent-Type: text/html; charset=\"iso-8859-8-i\"\\r\\nContent-Transfer-Encoding: quoted-printable\\r\\n\\r\\n<html>\\r\\n<head>\\r\\n<meta http-equiv=3D\"Content-Type\" content=3D\"text/html; charset=3Diso-8859-=\\r\\n8-i\">\\r\\n</head>\\r\\n<body>\\r\\n<p>test content </p>\\r\\n</body>\\r\\n</html>\\r\\n\\r\\n--_000_1673187082551404817642532883270906446a69558cb5108_--\\r\\n'" 
 , 
  
 "_id" 
 : 
  
 "ItemId(id='AAMkAGMwYTc3NmZmLTM4YjYtNGJmMC1hNTllLWJmNDdlZTE0YTg4ZQBGAAAAAABZKh7ro7RoSpjbI663J/SqBwDjM1k0xgBMR6sDaC+Azo7rAAAAAAEJAADjM1k0xgBMR6sDaC+Azo7rAAAAEth6AAA=', changekey='CQAAABYAAADjM1k0xgBMR6sDaC+Azo7rAAAAEm3h')" 
 , 
  
 "parent_folder_id" 
 : 
  
 "ParentFolderId(id='AAMkAGMwYTc3NmZmLTM4YjYtNGJmMC1hNTllLWJmNDdlZTE0YTg4ZQAuAAAAAABZKh7ro7RoSpjbI663J/SqAQDjM1k0xgBMR6sDaC+Azo7rAAAAAAEJAAA=', changekey='AQAAAA==')" 
 , 
  
 "item_class" 
 : 
  
 "IPM.Note" 
 , 
  
 "subject" 
 : 
  
 "test email" 
 , 
  
 "sensitivity" 
 : 
  
 "Normal" 
 , 
  
 "text_body" 
 : 
  
 "test content\r\n" 
 , 
  
 "body" 
 : 
  
 "<html><head>\r\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"></head><body><p>test content </p></body></html>" 
 , 
  
 "attachments" 
 : 
  
 [], 
  
 "datetime_received" 
 : 
  
 "2023-01-08 14:11:15+00:00" 
 , 
  
 "size" 
 : 
  
 2928 
 , 
  
 "categories" 
 : 
  
 null 
 , 
  
 "importance" 
 : 
  
 "Normal" 
 , 
  
 "in_reply_to" 
 : 
  
 null 
 , 
  
 "is_submitted" 
 : 
  
 true 
 , 
  
 "is_draft" 
 : 
  
 true 
 , 
  
 "is_from_me" 
 : 
  
 false 
 , 
  
 "is_resend" 
 : 
  
 false 
 , 
  
 "is_unmodified" 
 : 
  
 false 
 , 
  
 "headers" 
 : 
  
 null 
 , 
  
 "datetime_sent" 
 : 
  
 "2023-01-08 14:11:15+00:00" 
 , 
  
 "datetime_created" 
 : 
  
 "2023-01-08 14:11:15+00:00" 
 , 
  
 "reminder_due_by" 
 : 
  
 null 
 , 
  
 "reminder_is_set" 
 : 
  
 false 
 , 
  
 "reminder_minutes_before_start" 
 : 
  
 0 
 , 
  
 "display_cc" 
 : 
  
 null 
 , 
  
 "display_to" 
 : 
  
 "\u05d2'\u05d9\u05d9\u05de\u05e1 \u05d1\u05d5\u05e0\u05d3" 
 , 
  
 "has_attachments" 
 : 
  
 false 
 , 
  
 "vote_request" 
 : 
  
 null 
 , 
  
 "culture" 
 : 
  
 "en-US" 
 , 
  
 "effective_rights" 
 : 
  
 "EffectiveRights(create_associated=False, create_contents=False, create_hierarchy=False, delete=True, modify=True, read=True, view_private_items=True)" 
 , 
  
 "last_modified_name" 
 : 
  
 "exchange_online_test" 
 , 
  
 "last_modified_time" 
 : 
  
 "2023-01-08 14:11:15+00:00" 
 , 
  
 "is_associated" 
 : 
  
 false 
 , 
  
 "web_client_read_form_query_string" 
 : 
  
 "https://example.com/&exvsurl=1&viewmodel=ReadMessageItem" 
 , 
  
 "web_client_edit_form_query_string" 
 : 
  
 null 
 , 
  
 "conversation_id" 
 : 
  
 "ConversationId(id='AAQkAGMwYTc3NmZmLTM4YjYtNGJmMC1hNTllLWJmNDdlZTE0YTg4ZQAQAOqjjESS+YZFgEzKUTfX7+E=')" 
 , 
  
 "unique_body" 
 : 
  
 "<html><body><div>\r\n<div>\r\n<p>test content </p></div></div>\r\n</body></html>" 
 , 
  
 "sender" 
 : 
  
 "Mailbox(name='exchange_online_test', email_address='test_user@example.com', routing_type='SMTP', mailbox_type='Mailbox')" 
 , 
  
 "to_recipients" 
 : 
  
 [ 
  
 "Mailbox(name=\"\u05d2'\u05d9\u05d9\u05de\u05e1 \u05d1\u05d5\u05e0\u05d3\", email_address='example@example.com', routing_type='SMTP', mailbox_type='Mailbox')" 
  
 ], 
  
 "cc_recipients" 
 : 
  
 null 
 , 
  
 "bcc_recipients" 
 : 
  
 null 
 , 
  
 "is_read_receipt_requested" 
 : 
  
 false 
 , 
  
 "is_delivery_receipt_requested" 
 : 
  
 false 
 , 
  
 "conversation_index" 
 : 
  
 "b'\\x01\\x01\\xd9#k\\x12\\xea\\xa3\\x8cD\\x92\\xf9\\x86E\\x80L\\xcaQ7\\xd7\\xef\\xe1'" 
 , 
  
 "conversation_topic" 
 : 
  
 "test email" 
 , 
  
 "author" 
 : 
  
 "Mailbox(name='exchange_online_test', email_address='test_user@example.com', routing_type='SMTP', mailbox_type='Mailbox')" 
 , 
  
 "message_id" 
 : 
  
 "<167318708255.14048.17642532883270906446@a69558cb5108>" 
 , 
  
 "is_read" 
 : 
  
 true 
 , 
  
 "is_response_requested" 
 : 
  
 false 
 , 
  
 "references" 
 : 
  
 null 
 , 
  
 "reply_to" 
 : 
  
 null 
 , 
  
 "received_by" 
 : 
  
 null 
 , 
  
 "received_representing" 
 : 
  
 null 
 , 
  
 "vote_response" 
 : 
  
 null 
 , 
  
 "email_date" 
 : 
  
 1673187075 
 } 
 

In addition to the mail object JSON technical result, the action also returns the message ID and the date when an email was sent. The additional data is used in the Wait for Mailaction, if needed:

  { 
 … 
 "message_id" 
 : 
  
 "<message_id@example.com>" 
 , 
 "email_date" 
 : 
  
 "1583916838" 
 ... 
 } 
 

Output messages

The Send Mailaction can return the following output messages:

Script result

The following table lists the value for the script result output when using the Send Mailaction:

Send Mail HTML

Use the Send Mail HTMLaction to send an email with the HTML template content. The Send to field is comma-separated.

You can configure the sender name in the email client under the account settings.

This action runs on all Google SecOps entities.

Action inputs

The Send Mail HTMLaction requires the following parameters:

Action outputs

The Send Mail HTMLaction provides the following outputs:

Script result

The following table lists the value for the script result output when using the Pingaction:

Send Thread Reply

Use the Send Thread Replyaction to send a message as a reply to the email thread.

This action doesn't run on Google SecOps entities.

Action inputs

The Send Thread Replyaction requires the following parameters:

Action output

The Send Thread Replyaction provides the following outputs:

Output messages

The Send Thread Replyaction can return the following output messages:

Script result

The following table lists the value for the script result output when using the Send Thread Replyaction:

Send Vote Mail

Use the Send Vote Mailaction to send emails with preconfigured answer options to include users who don't have access to the Google SecOps UI in automated processes.

This action supports the vote feature only if the recipients use Exchange to properly view and select the vote options.

This action doesn't run on Google SecOps entities.

Action inputs

The Send Vote Mailaction requires the following parameters:

Action outputs

The Send Vote Mailaction provides the following outputs:

JSON result

The following example shows the JSON result output received when using the Send Vote Mailaction:

  { 
 … 
 "message_id" 
 : 
  
 "example@example.com>" 
 , 
 "email_date" 
 : 
  
 "1583916838" 
 ... 
 } 
 

Output messages

The Send Vote Mailaction can return the following output messages:

Script result

The following table lists the value for the script result output when using the Send Vote Mailaction:

Wait for Mail From User

Use the Wait for Mail From Useraction to wait for the user response based on an email sent with the Send Mail action.

This action works asynchronously. Adjust the script timeout value in the Google SecOps IDE for the action as needed.

This action doesn't run on Google SecOps entities.

Action inputs

The Wait for Mail From Useraction requires the following parameters:

Action outputs

The Wait for Mail From Useraction provides the following outputs:

Case wall attachment

The Wait for Mail From Useraction returns the following attachment on a Case wall in Google SecOps:

The attachment type is Entityis mapped to the recipient who replied to the message_id that the Google SecOps server tracks the responses for.

JSON result

As a JSON result, the action returns a combination of the two following outputs:

1. A mail object JSON output for the email with a tracked response.

   The action tracks the email response using message_id .

2. A JSON output for the process of tracking responses from users.

The method to merge the output data is defined at the implementation stage.

The flow for the mail object JSON output is as follows:

1. the action waits for at least one user response to proceed.

2. After receiving the response from the first user, the action updates the JSON result and proceeds with action results.

     { 
    "Responses" 
    : 
    {[ 
     
    "user1@example.com" 
    : 
     
    "Approved" 
    , 
     
    "user2@example.com" 
    : 
     
    "" 
    , 
     
    "user3@example.com" 
    : 
     
    "" 
    ]} 
    } 
    
   

The flow for the tracking response process output is as follows:

1. The action waits for all user responses to proceed.

2. After receiving replies from users or reaching timeout, the action updates the JSON result.

   In this case, if the action is waiting for responses from all recipients and the timeout is reached while waiting for user responses, the action returns the handled_timeout error.

     { 
    "Responses" 
    : 
    {[ 
     
    "user1@example.com" 
    : 
     
    "Approved" 
    , 
     
    "user2@example.com" 
    : 
     
    "Approved" 
    , 
     
    "user3@example.com" 
    : 
     
    "Timeout" 
    ]} 
    } 
    
   

Output messages

The Wait for Mail From Useraction can return the following output messages:

Wait for Vote Mail Results

Use the Wait for Vote Mail Resultsaction to wait for and retrieve the responses of a vote mail that was sent using the Send Vote Mailaction. The Wait for Vote Mail Resultsaction forwards the retrieved responses to Google SecOps.

To properly track and retrieve the vote results, track the vote email. For more information, see the Send Vote Mail action.

This action doesn't run on Google SecOps entities.

Action inputs

The Wait for Vote Mail Resultsaction requires the following parameters:

Action outputs

The Wait for Vote Mail Resultsaction provides the following outputs:

JSON result

The following example shows the JSON result output received when using the Wait for Vote Mail Resultsaction:

  { 
  
 "Responses" 
 : 
  
 [{ 
  
 "recipient" 
 : 
  
 "user@example.com" 
 , 
  
 "content" 
 : 
  
 "Approve" 
  
 }] 
 } 
 

Output messages

The Wait for Vote Mail Resultsaction can return the following output messages:

Script result

The following table lists the value for the script result output when using the Wait for Vote Mail Resultsaction:

The Block Sender and Domain functionality

One of the most common use cases for email management and security is to contain existing threats, like phishing emails, that are already in the organization inbox, and then block a suspicious sender or a domain to protect your organization from future attacks and prevent possible security breaches.

In Google SecOps, the Exchange integration provides you with the Block Sender and Domainfunctionality comprising of the following sequential stages:

1. Protection within the organization.

   Use the Block Sender by Message IDaction to add the sender to the blocklist using the Mark as Junk EWS service.

2. Protection outside of the organization with inbox rules.

   Create inbox rules to add them on the client level and automatically prevent harmful emails from reaching your organization mailboxes.

3. Protection outside of the organization with server inbox rules.

   Create server inbox rules to prevent suspicious emails from even reaching the organization.

You can learn more about these stages in the following section.

Use case

The following use case shows an example of a security breach that is a suspicious and potentially harmful email.

After discovering that a suspicious and harmful email has compromised several mailboxes of your organization, the routine for handling this kind of threat is as follows:

1. Remediate the threat with the Block Sender by Message IDaction.
2. Handle compromised mailboxes.
3. Add a protection against the received suspicious email in other mailboxes as well.

Remediate threat

To remediate the threat, run the Block Sender by Message IDaction to obtain the parameters for investigation and more information about the suspicious email. The action also lets you examine only the compromised mailboxes and handle the threat contained in them.

The Block Sender by Message IDaction triggers the Exchange EWS Mark as Junk service to do the following:

1. Move the suspicious email to the Junkfolder.
2. Add the email sender to the Blocked Sender Listof the investigated mailbox.

For more information about using the Mark as Junk service, see Add and remove email addresses from the Blocked Sender Listby using EWS in Exchange in Microsoft product documentation.

On one hand, remediating a threat with the Block Sender by Message IDaction targets only compromised mailboxes and can be automatic. On the other hand, the action can neither block a sender in the uncompromised mailboxes nor add domains using API to the Blocked Sender List.

Handle compromised mailboxes

After remediating a threat, the next steps are to handle compromised mailboxes and protect every mailbox in the organization from any malicious senders, even the potential ones.

To handle compromised mailboxes, execute the inbox rules action set that consists of the following actions:

1. Add Domains to Exchange-Siemplify Inbox Rules
2. Add Senders to Exchange-Siemplify Inbox Rule
3. Delete Exchange-Siemplify Inbox Rules
4. List Exchange-Siemplify Inbox Rules
5. Remove Domains from Exchange-Siemplify Inbox Rules
6. Remove Senders from Exchange-Siemplify Inbox Rules

To learn more about the service used in the actions, see Manage inbox rules in Exchange in Microsoft product documentation.

The Exchange integration lets you use a set of the following predefined rules for the most common operations:

• Siemplify – Senders List – Move To Junk
• Siemplify – Senders List – Delete
• Siemplify – Senders List – Permanently Delete
• Siemplify – Domains List – Move To Junk
• Siemplify – Domains List – Delete
• Siemplify – Domains List – Permanently Delete

Permanently delete the malicious sender emails

To maintain the same list of rules in all mailboxes, add the rules for the administrator user. To apply the administrator rules to other users, run the operation on all mailboxes.

To permanently delete the malicious sender emails, complete the following steps:

1. In Google SecOps, from the administrator account, run the Add Senders to Exchange-Siemplify Inbox Ruleaction. Enter the malicious sender email.

2. Choose the appropriate rule from the list to define how to manage a suspicious email. To permanently delete malicious emails, select the Siemplify – Senders List – Permanently Deleterule.

   The action updates the inbox rule with the new malicious sender.

3. Select the Perform action in all mailboxes parameter to apply the rule to all mailboxes.

   If the rule doesn't exist in a mailbox, the action creates it. If the rule already exists in a mailbox, the action updates it with the new parameter values.

4. To add a protection against the received suspicious email in other mailboxes and block the malicious sender domain, select the Should add senders' domain to the corresponding Domains List rule as well? parameter.

5. Review other parameters in the action and adjust them if necessary.

The Add Senders to Exchange-Siemplify Inbox Ruleaction updates multiple rules at a time according to the Mailboxes to process in one batch parameter. The Add Senders to Exchange-Siemplify Inbox Ruleaction works on both senders and domains, applies to all mailboxes regardless of whether there's a suspicious email received, and can be automatic.

The end user can delete the applied rules for their mailbox. Applying administrator rules to other mailboxes automatically removes disabled private inbox rules.

The Block Sender and Domain actions

Before running the actions for the Block Sender and Domain functionality, configure the minimal required permissions .

Add Domains to Exchange-Siemplify Inbox Rules

Use the Add Domains to Exchange-Siemplify Inbox Rulesaction to get a list of domains as a parameter or work with the Google SecOps Domainentity if the parameters are empty. This action is available only for Google SecOps version 5.6 and later.

Before running this action, configure the required action permissions .

You can create or update a rule by filtering the domains from your mailboxes. You can modify this action using the Rule to add Domains to parameter.

The Add Domains to Exchange-Siemplify Inbox Rulesaction modifies the current inbox rules of your users with EWS.

This action runs asynchronously. Adjust the script timeout value in the Google SecOps IDE for the action as needed.

If you don't set any parameters and your Google SecOps version is 5.6 and later, this action runs on the Domainentity.

Action inputs

The Add Domains to Exchange-Siemplify Inbox Rulesaction requires the following parameters:

Action outputs

The Add Domains to Exchange-Siemplify Inbox Rulesaction provides the following outputs:

Output messages

The Add Domains to Exchange-Siemplify Inbox Rulesaction can return the following output messages:

Script result

The following table lists the value for the script result output when using the Add Domains to Exchange-Siemplify Inbox Rulesaction:

Add Senders to Exchange-Siemplify Inbox Rule

Use the Add Senders to Exchange-Siemplify Inbox Ruleaction to obtain a list of email addresses as a or work with the Google SecOps Userentity if the parameters are empty. You can use regular expressions for this action.

You can create a new rule by filtering the senders from your mailboxes. You can modify this action using the Rule to add senders to parameter.

Before running this action, make sure to configure the required action permissions .

The Add Senders to Exchange-Siemplify Inbox Ruleaction modifies the current inbox rules of your users using EWS.

This action runs asynchronously. Adjust the script timeout value in the Google SecOps IDE for the action as needed.

If the email regular expression is valid and you don't configure any parameters, this action runs on the Userentity.

Action inputs

The Add Senders to Exchange-Siemplify Inbox Ruleaction requires the following parameters:

Action outputs

The Add Senders to Exchange-Siemplify Inbox Ruleaction provides the following outputs:

Output messages

The Add Senders to Exchange-Siemplify Inbox Ruleaction can return the following output messages:

Script result

The following table lists the value for the script result output when using the Add Senders to Exchange-Siemplify Inbox Ruleaction:

Block Sender by Message ID

Use the Block Sender by Message IDaction to obtain a list of message IDs as a parameter and mark the list as junk.

In this action, marking an item as junk adds the email sender address to the Blocked Senders Listand moves the item to the Junk folder.

This action runs asynchronously. Adjust the script timeout value in the Google SecOps IDE for the action as needed.

The Block Sender by Message IDaction supports only Exchange Server version 2013 and later. If you use an earlier version, the action fails with the corresponding message.

A message from the suspicious email address must exist in the user mailbox before you add the email address to or remove it from the Blocked Senders List.

The Block Sender by Message IDaction doesn't run on Google SecOps entities.

Action inputs

The Block Sender by Message IDaction requires the following parameters:

Action outputs

The Block Sender by Message IDaction provides the following outputs:

Output messages

The Block Sender by Message IDaction can return the following output messages:

Script result

The following table lists the value for the script result output when using the Block Sender by Message IDaction:

Delete Exchange-Siemplify Inbox Rules

Use the Delete Exchange-Siemplify Inbox Rulesaction to get a rule name as a parameter and delete it from all specified mailboxes.

Before running this action, configure the required action permissions .

The Delete Exchange-Siemplify Inbox Rulesaction modifies the current inbox rules of your users with EWS.

This action runs asynchronously. Adjust the script timeout value in the Google SecOps IDE for the action as needed.

This action doesn't run on Google SecOps entities.

Action inputs

The Delete Exchange-Siemplify Inbox Rulesaction requires the following parameters:

Action outputs

The Delete Exchange-Siemplify Inbox Rulesaction provides the following outputs:

Output messages

The Delete Exchange-Siemplify Inbox Rulesaction can return the following output messages:

Script result

The following table lists the value for the script result output when using the Delete Exchange-Siemplify Inbox Rulesaction:

List Exchange-Siemplify Inbox Rules

Use the List Exchange-Siemplify Inbox Rulesaction to get a rule name from the Exchange-Siemplify Inbox rules as a parameter and list it. If there are no mailboxes to list, the action lists the rules for the logged in user.

Before running this action, configure the required action permissions .

The List Exchange-Siemplify Inbox Rulesaction modifies the current inbox rules of your users with EWS.

This action runs asynchronously. Adjust the script timeout value in the Google SecOps IDE for the action as needed.

This action doesn't run on Google SecOps entities.

Action inputs

The List Exchange-Siemplify Inbox Rulesaction requires the following parameters:

Action outputs

The List Exchange-Siemplify Inbox Rulesaction provides the following outputs:

JSON result

The following example shows the JSON result output received when using the List Exchange-Siemplify Inbox Rulesaction:

  { 
  
 { 
  
 "id" 
 : 
  
 "example_id" 
 , 
  
 "name" 
 : 
  
 "Siemplify - Domains List - Delete" 
 , 
  
 "priority" 
 : 
  
 1 
 , 
  
 "is_enabled" 
 : 
  
 True 
 , 
  
 "conditions" 
 : 
  
 { 
  
 "domains" 
 : 
  
 [ 
 "EXAMPLE.COM" 
 , 
  
 "EXAMPLE.CO" 
 ], 
  
 "addresses" 
 : 
  
 [] 
  
 }, 
  
 "actions" 
 : 
  
 "move_to_folder" 
  
 } 
 } 
 

Output messages

The List Exchange-Siemplify Inbox Rulesaction can return the following output messages:

Script result

The following table lists the value for the script result output when using the List Exchange-Siemplify Inbox Rulesaction:

Remove Domains from Exchange-Siemplify Inbox Rules

Use the Remove Domains from Exchange-Siemplify Inbox Rulesto get a list of domains as a parameter or work on the Domainentity if the parameters are not provided. This action is available only for Google SecOps version 5.6 and later. You can remove the provided domains from the existing rules.

Before running this action, configure the required action permissions .

The Remove Domains from Exchange-Siemplify Inbox Rulesaction modifies the current inbox rules of your users with EWS.

This action runs asynchronously. Adjust the script timeout value in the Google SecOps IDE for the action as needed.

If you don't configure any parameters, this action runs on the Google SecOps Domainentity.

Action inputs

The Remove Domains from Exchange-Siemplify Inbox Rulesaction requires the following parameters:

Action outputs

The Remove Domains from Exchange-Siemplify Inbox Rulesaction provides the following outputs:

Output messages

The Remove Domains from Exchange-Siemplify Inbox Rulesaction can return the following output messages:

Script result

The following table lists the value for the script result output when using the Remove Domains from Exchange-Siemplify Inbox Rulesaction:

Remove Senders from Exchange-Siemplify Inbox Rules

Use the Remove Senders from Exchange-Siemplify Inbox Rulesget a list of email senders as a parameter or work with the Userentity if the parameters are not provided.

You can remove the provided senders from the existing rules.

Before running this action, configure the required action permissions .

The Remove Senders from Exchange-Siemplify Inbox Rulesaction modifies the current inbox rules of your users with EWS.

This action runs asynchronously. Adjust the script timeout value in the Google SecOps IDE for the action as needed.

If no parameters are provided, this action runs on the Google SecOps Userentity.

Action inputs

The Remove Senders from Exchange-Siemplify Inbox Rulesaction requires the following parameters:

Action outputs

The Remove Senders from Exchange-Siemplify Inbox Rulesaction provides the following outputs:

Output messages

The Remove Senders from Exchange-Siemplify Inbox Rulesaction can return the following output messages:

Script result

The following table lists the value for the script result output when using the Remove Senders from Exchange-Siemplify Inbox Rulesaction:

Unblock Sender by Message ID

Use the Unblock Sender by Message IDaction to obtain a list of message IDs as a parameter and unmark it as junk.

In this action, unmarking an item as junk removes the sender email address from the Blocked Senders List. To move an item back to the inbox folder, select the Move items back to Inbox? parameter in the action parameters.

The Unblock Sender by Message IDruns asynchronously. Adjust the script timeout value in the Google SecOps IDE for the action as needed.

This action supports only Exchange Server version 2013 and later. If you use an earlier version, the action fails with the corresponding message.

A message from the suspicious email address must exist in the user mailbox before you add the email address to or remove it from the Blocked Senders List.

This action doesn't run on Google SecOps entities.

Action inputs

The Unblock Sender by Message IDaction requires the following parameters:

Action outputs

The Unblock Sender by Message IDaction provides the following outputs:

Output messages

The Unblock Sender by Message IDaction can return the following output messages:

Script result

The following table lists the value for the script result output when using the Unblock Sender by Message IDaction:

Connectors

For detailed instructions on how to configure a connector in Google SecOps, see Ingest your data (connectors) .

When configuring connectors and actions, pay attention to spaces and special symbols in your credentials. If the integration rejects your credentials, check the spelling.

To configure the selected connector use the connector-specific parameters listed in the following tables:

• Exchange EML Connector configuration parameters
• Exchange Mail Connector configuration parameters
• Exchange Mail Connector V2 configuration parameters
• Exchange Mail Connector v2 with OAuth Authentication configuration parameters

Exchange EML Connector

The Exchange EML Connectorretrieves emails from the Exchange server and parses them. If there are attached EML files, the connector attaches them to the case as events. If there are multiple EML attachments in the email, the connector creates multiple cases and ingests every attachment as one event for each case.

Known restrictions

1. Microsoft 365 and basic authentication.

   • The Exchange EML Connectordoesn't support basic authentication anymore and cannot be used with Microsoft 365. For Microsoft 365, use the Exchange Mail Connector v2 with OAuth.

2. The Exchange EML Connectorspecifics are as follows:

   • The connector creates Google SecOps alerts only from emails that contain EML or MSG file attachments.

   • The connector ignores emails that don't contain mail attachments.

Connector inputs

The Exchange EML Connectorrequires the following parameters:

Connector rules

• The Exchange EML Connectordoesn't support blocklist and dynamic list rules.

• The Exchange EML Connectorsupports proxies.

Exchange Mail Connector

Use the Exchange Mail Connectorto communicate with the Exchange server and search for emails in near real time and forward them for translating and contextualizing as alerts in Google SecOps cases.

This section refers to communicating with a Microsoft Exchange 2007-2019 Server or Microsoft 365 using Exchange Web Services (EWS) and explains how Google SecOps interacts with the Exchange Mail interface and the assisted workflows and activities within the application.

The Exchange Mail Connectorenables retrieving emails from the configured Exchange server that scans each server and subsequently creates new cases. At least one initial email occurrence is included in each scenario. The main difference is that Exchange Mail connectorremoves emails and generates events that parse the EML or MSG data in the Exchange server's original emails.

Known restrictions

1. Microsoft 365 and basic authentication.

   • The Exchange Mail Connectordoesn't support basic authentication anymore and cannot be used with Microsoft 365. For Microsoft 365, use the Exchange Mail Connector v2 with OAuth.

2. The Exchange Mail Connectorspecifics are as follows:

   • The connector creates Google SecOps alerts only from original received emails that are contained in the mailbox.

   • The connector ignores attached EML and MSG files.

Connector inputs

The Exchange Mail Connectorrequires the following parameters:

Configure dynamic list rules

In the dynamic list section, to extract specific values from emails using regular expressions, add a rule in the following format:

 '<var>FIELD_NAME</var>': '<var>REGULAR_EXPRESSION</var>' 

For example, to extract the message ID from email, enter the following rule:

message-id: (?<=Message-ID: ).*

Connector rules

• The Exchange Mail Connectorsupports proxies.

• The Exchange Mail Connectordoesn't support the blocklist rule.

• The Exchange integration uses the dynamic list section to define regular expressions and enable the following:

  • Parse email content.
  • Add specific fields based on the regular expression that match the email event.

Exchange Mail Connector v2

Use the Exchange Mail Connector v2to connect to the mail server and check for new emails in a specific mailbox.

If a new email appears, it triggers the connector to create and ingest in Google SecOps a new alert that contains information from the new email.

If there are no new emails, the Exchange Mail Connector v2completes the current iteration and stands by for a defined period before the upcoming iteration run.

Connector iteration flow

After each run, the Exchange Mail Connector v2updates the timestamp file with the date and time of the last run. The Exchange Mail Connector v2extracts actionable information for a case from the email as a mail object technical result, such as, but not limited to:

• Email sender and recipient.
• Email subject.
• Email body.
• URLs in the email.
• Attachments, if any.

After the Exchange Mail Connector v2creates the alerts (cases) to ingest into Google SecOps, the connector iteration completes.

Based on the case data provided by the Exchange Mail Connector v2, the Google SecOps server runs ETL procedures to ingest new alerts and create or update cases. If there are related playbooks defined, Google SecOps executes playbooks to enrich the case, generate insights, and perform automatic actions.

Work with Alert Name Template and Case Name Template

The Alert Name Template and Case Name Template parameters let you overwrite the way alert and case name are created. Only the first alert sets the case or alert name, all other subsequent alerts don't affect the name.

The example of a Google SecOps event is as follows:

  { 
  
 "event" 
 : 
  
 { 
  
 "type" 
 : 
  
 "Phishing" 
  
 "name" 
 : 
  
 "Example Event" 
 , 
  
 "id" 
 : 
  
 "1" 
  
 } 
 } 
 

To create a custom name for a Google SecOps alert, use the following template:

  [ 
  EVENT_TYPE 
 
 ] 
  
 - 
  
 [ 
  EVENT_NAME 
 
 ] 
 

For example, to create a Google SecOps alert named Phishing – Example Event, the template is as follows:

  [ 
 Phishi 
 n 
 g 
 ] 
  
 - 
  
 [ 
 Example 
  
 Eve 
 nt 
 ] 
 

Connector inputs

In Exchange Mail Connector v2, the following parameters can affect email processing:

• Original Received Mail Prefix
• Attached Mail File Prefixes
• Create a Separate Siemplify Alert per Attached Mail File?

To map the to and from fields of the processed emails, the connector creates the following sets of fields:

1. Regular to and from fields that contain email addresses in the following format: email@example .

2. to_raw and from_raw fields that contain only email address as a value in the following format: email@example .

The Exchange Mail Connector v2requires the following parameters:

Connector rules

• The Exchange Mail Connector v2supports proxy.

• The Exchange Mail Connector v2doesn't support the blocklist rule.

• The Exchange integration uses the dynamic list section for defining regular expressions to enable the following:

  • Parse email content.
  • Add specific fields based on the regular expression matches to the email event.

Exchange Mail Connector v2 with OAuth Authentication

Use the Exchange Mail Connector v2 with OAuthto monitor specific mailboxes on Microsoft 365 mail servers that require OAuth authentication. You can use the Get Authorization and Generate Token actions to obtain refresh token required for the connector configuration.

To run the Exchange Mail Connector v2 with OAuth, configure the integration to support OAuth authentication.

Work with Alert Name Template and Case Name Template

The Alert Name Template and Case Name Template parameters enable you to overwrite the way alert and case name is created.

The example of a Google SecOps event is as follows:

  { 
  
 "event" 
 : 
  
 { 
  
 "type" 
 : 
  
 "Phishing" 
  
 "name" 
 : 
  
 "Example Event" 
 , 
  
 "id" 
 : 
  
 "1" 
  
 } 
 } 
 

To create a custom name for a Google SecOps alert, use the following template:

  [ 
  EVENT_TYPE 
 
 ] 
  
 - 
  
 [ 
  EVENT_NAME 
 
 ] 
 

For example, to create a Google SecOps alert named Phishing – Example Event, the template is as follows:

  [ 
 Phishi 
 n 
 g 
 ] 
  
 - 
  
 [ 
 Example 
  
 Eve 
 nt 
 ] 
 

Connector inputs

In Exchange Mail Connector v2 with OAuth, the following parameters can affect email processing:

• Original Received Mail Prefix
• Attached Mail File Prefixes
• Create a Separate Siemplify Alert per Attached Mail File?

To map the to and from fields of the processed emails, the connector creates two following sets of fields:

1. Regular to and from fields that contain email addresses, such as email@example .

2. to_raw and from_raw fields that contain only email address as a value, such as email@example .

The Exchange Mail Connector v2 with OAuthrequires the following parameters:

Jobs

Before configuring jobs for the Exchange integration, make sure that your Google SecOps platform version supports them.

Refresh Token Renewal Job

The goal of the Refresh Token Renewal Jobis to periodically update the refresh token used in the integration.

By default, the refresh token expires every 90 days. It is recommended to run this job every 7 or 14 days to make sure that the refresh token is up to date.

Job inputs

The Refresh Token Renewal Jobrequires the following parameters:

Need more help? Get answers from Community members and Google SecOps professionals.