https://community.splunk.com/t5/Splunk-SOAR/O365-Integration-for-SOAR-Ingest-emails/m-p/570195#M711 <P>Hi all,<BR /><BR />Is there any app, method or guidance for ingesting emails directly form a O365 mailbox?<BR /><BR />So a use case for us would be:</P><UL><LI>We have a mailbox which receives Phishing Reports</LI><LI>SOAR logs onto the mailbox, downloads the unread mails + turns them into "Events"</LI><LI>Playbook begins working on these events - checking URL's, checking to/from addresses, maybe further triage based on o365 logs or whatever</LI><LI>Detonate mail/attachments in Sandbox, capture networks/process/file related results, e.g. Cuckoo</LI><LI>Playbook decides if mail is okay, suspicious, or phishing (or integrates with another tool to get that information - e.g. Proofpoint</LI><LI>All information made available to the analyst who reviews</LI></UL><P>In order to kick these off we'd need to be able to INGEST the email to begin with, but don't see any way to do that at present.<BR /><BR />If it doesn't exist I will write my own app for it - but don't want to reinvent the wheel if I don't have to <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>Thanks!</P><P>&nbsp;</P> Fri, 08 Oct 2021 10:49:48 GMT EdgeSync 2021-10-08T10:49:48Z https://community.splunk.com/t5/Splunk-SOAR/O365-Integration-for-SOAR-Ingest-emails/m-p/570195#M711 <P>Hi all,<BR /><BR />Is there any app, method or guidance for ingesting emails directly form a O365 mailbox?<BR /><BR />So a use case for us would be:</P><UL><LI>We have a mailbox which receives Phishing Reports</LI><LI>SOAR logs onto the mailbox, downloads the unread mails + turns them into "Events"</LI><LI>Playbook begins working on these events - checking URL's, checking to/from addresses, maybe further triage based on o365 logs or whatever</LI><LI>Detonate mail/attachments in Sandbox, capture networks/process/file related results, e.g. Cuckoo</LI><LI>Playbook decides if mail is okay, suspicious, or phishing (or integrates with another tool to get that information - e.g. Proofpoint</LI><LI>All information made available to the analyst who reviews</LI></UL><P>In order to kick these off we'd need to be able to INGEST the email to begin with, but don't see any way to do that at present.<BR /><BR />If it doesn't exist I will write my own app for it - but don't want to reinvent the wheel if I don't have to <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>Thanks!</P><P>&nbsp;</P> Fri, 08 Oct 2021 10:49:48 GMT https://community.splunk.com/t5/Splunk-SOAR/O365-Integration-for-SOAR-Ingest-emails/m-p/570195#M711 EdgeSync 2021-10-08T10:49:48Z https://community.splunk.com/t5/Splunk-SOAR/O365-Integration-for-SOAR-Ingest-emails/m-p/570199#M712 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/239379">@EdgeSync</a>&nbsp;there is an O365 App already that will be able to poll the inbox and create the necessary events:</P><P><A href="https://my.phantom.us/4.10/docs/app_reference/phantom_office365" target="_blank" rel="noopener">https://my.phantom.us/4.10/docs/app_reference/phantom_office365</A>&nbsp;</P><P>Actions:<BR /><A target="_blank"><SPAN class="link">run query</SPAN>&nbsp;</A><SPAN>- Search emails<BR /></SPAN><A target="_blank"><SPAN class="link">delete email</SPAN>&nbsp;</A><SPAN>- Delete emails<BR /></SPAN><A target="_blank"><SPAN class="link">copy email</SPAN>&nbsp;</A><SPAN>- Copy an email to a folder<BR /></SPAN><A><SPAN class="link">move email</SPAN><SPAN>&nbsp;</SPAN></A><SPAN>- Move an email to a folder<BR /></SPAN><A><SPAN class="link">block sender</SPAN><SPAN>&nbsp;</SPAN></A><SPAN>- Add the sender email into the block list</SPAN><BR /><A><SPAN class="link">unblock sender</SPAN><SPAN>&nbsp;</SPAN></A><SPAN>- Remove the sender email from the block list</SPAN><BR /><A><SPAN class="link">get email</SPAN><SPAN>&nbsp;</SPAN></A><SPAN>- Get an email from the server</SPAN><BR /><A><SPAN class="link">list addresses</SPAN><SPAN>&nbsp;</SPAN></A><SPAN>- Get the email addresses that make up a Distribution List</SPAN><BR /><A><SPAN class="link">lookup email</SPAN><SPAN>&nbsp;</SPAN></A><SPAN>- Resolve an Alias name or email address, into mailboxes</SPAN><BR /><A><SPAN class="link">update email</SPAN><SPAN>&nbsp;</SPAN></A><SPAN>- Update an email on the server</SPAN><BR /><A><SPAN class="link">on poll</SPAN><SPAN>&nbsp;</SPAN></A><SPAN>- Action handler for the ingest functionality</SPAN></P><P><SPAN>The on-poll action is run outside of a playbook and can be scheduled in the asset settings under the "ingest setting" tab when creating the asset to communicate with the 365 servers.&nbsp;</SPAN></P><P><SPAN>All you need is a playbook set to work on the label you assign to the ingested email events and if you want it to run automatically just set it to active and watch the magic <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span></SPAN></P><P>Apps are also now available on splunkbase now too:&nbsp;<A href="https://splunkbase.splunk.com/app/5829/" target="_blank" rel="noopener">https://splunkbase.splunk.com/app/5829/</A>&nbsp;</P> Fri, 08 Oct 2021 11:46:03 GMT https://community.splunk.com/t5/Splunk-SOAR/O365-Integration-for-SOAR-Ingest-emails/m-p/570199#M712 phanTom 2021-10-08T11:46:03Z https://community.splunk.com/t5/Splunk-SOAR/O365-Integration-for-SOAR-Ingest-emails/m-p/570208#M713 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/222170">@phanTom</a><BR /><BR />This is an excellent start, thank you very much. I was searching in SOAR App's window and it's not there, and also checked splunkbase, but found nothing.<BR /><BR />Best,<BR /><BR />EdgeSync</P> Fri, 08 Oct 2021 12:36:26 GMT https://community.splunk.com/t5/Splunk-SOAR/O365-Integration-for-SOAR-Ingest-emails/m-p/570208#M713 EdgeSync 2021-10-08T12:36:26Z