All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

EWS for O365 SOAR app. Message Id error.

Samu
Explorer
‎08-28-2023 04:55 AM

Hi all,

After running several actions from the EWS for O365 app (version 2.12.0) in phantom, the following error is received:

"API failed. Status code: ErrorInvalidIdMalformed. Message: Id is malformed.".

As per the app documentation, the expected field format for "Message ID" is not specified.

I´m  using the Message Id field extracted from the original email headers. Is this correct? Is there any other way to obtain the message id? Wich is the expected format?

Thanks in advance!

 

Labels (2)
0 Karma
Reply

Topper
Engager
‎02-29-2024 02:00 PM

How did you go with this? I'm facing the same issue.

0 Karma
Reply

Samu
Explorer
‎03-06-2024 05:39 AM

I finally found the way.  To obtain the ID, it is required to launch the "run query" action first. In the action fields, set the email address in the email field and the clean Message ID in the query field. Do not select any other option, nor fill any other field. 

Samu_0-1709732167663.png

 

In the response you should see another ID base64 like format. This is the ID used to operate emails. Keep in mind that this ID changes everytime you perform any action over the email (moving it to a different folder for instance).

Hope this helps.

 

Tags (1)
Reply

Topper
Engager
‎03-11-2024 09:18 PM

I thank you for the help. Turns out we were ingesting the required ID, but the field was email Id not Message-ID.

It's also listed under the Event INFO in the container under Details Source ID:

Got there in the end. 

Topper_1-1710217037493.png

Thank you for the query though, wouldn't have found this without it. 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...