All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

EWS for O365 SOAR app. Message Id error.

Samu
Explorer
‎08-28-2023 04:55 AM

Hi all,

After running several actions from the EWS for O365 app (version 2.12.0) in phantom, the following error is received:

"API failed. Status code: ErrorInvalidIdMalformed. Message: Id is malformed.".

As per the app documentation, the expected field format for "Message ID" is not specified.

I´m  using the Message Id field extracted from the original email headers. Is this correct? Is there any other way to obtain the message id? Wich is the expected format?

Thanks in advance!

 

Labels (2)
0 Karma
Reply

Topper
Engager
‎02-29-2024 02:00 PM

How did you go with this? I'm facing the same issue.

0 Karma
Reply

Samu
Explorer
‎03-06-2024 05:39 AM

I finally found the way.  To obtain the ID, it is required to launch the "run query" action first. In the action fields, set the email address in the email field and the clean Message ID in the query field. Do not select any other option, nor fill any other field. 

Samu_0-1709732167663.png

 

In the response you should see another ID base64 like format. This is the ID used to operate emails. Keep in mind that this ID changes everytime you perform any action over the email (moving it to a different folder for instance).

Hope this helps.

 

Tags (1)
Reply

Topper
Engager
‎03-11-2024 09:18 PM

I thank you for the help. Turns out we were ingesting the required ID, but the field was email Id not Message-ID.

It's also listed under the Event INFO in the container under Details Source ID:

Got there in the end. 

Topper_1-1710217037493.png

Thank you for the query though, wouldn't have found this without it. 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...