All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

EWS for O365 SOAR app. Message Id error.

Samu
Explorer
‎08-28-2023 04:55 AM

Hi all,

After running several actions from the EWS for O365 app (version 2.12.0) in phantom, the following error is received:

"API failed. Status code: ErrorInvalidIdMalformed. Message: Id is malformed.".

As per the app documentation, the expected field format for "Message ID" is not specified.

I´m  using the Message Id field extracted from the original email headers. Is this correct? Is there any other way to obtain the message id? Wich is the expected format?

Thanks in advance!

 

Labels (2)
0 Karma
Reply

Topper
Engager
‎02-29-2024 02:00 PM

How did you go with this? I'm facing the same issue.

0 Karma
Reply

Samu
Explorer
‎03-06-2024 05:39 AM

I finally found the way.  To obtain the ID, it is required to launch the "run query" action first. In the action fields, set the email address in the email field and the clean Message ID in the query field. Do not select any other option, nor fill any other field. 

Samu_0-1709732167663.png

 

In the response you should see another ID base64 like format. This is the ID used to operate emails. Keep in mind that this ID changes everytime you perform any action over the email (moving it to a different folder for instance).

Hope this helps.

 

Tags (1)
Reply

Topper
Engager
‎03-11-2024 09:18 PM

I thank you for the help. Turns out we were ingesting the required ID, but the field was email Id not Message-ID.

It's also listed under the Event INFO in the container under Details Source ID:

Got there in the end. 

Topper_1-1710217037493.png

Thank you for the query though, wouldn't have found this without it. 

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...