Splunk Phantom

Issues with Microsoft Exchange On-Premise EWS polling



We are using Microsoft Exchange On-Premise EWS app version 2.0.29 (Upgraded from 2.0.17) and we are experiencing some issues with Polling.

First of all the "oldest first" parameter seems to work as "latest first" and the "latest first" works as "oldest first".

Secondly the Scheduled/interval polling is working this way (more or less in every single test I have made):

- First iteration: brings the Max emails per scheduled polling.

-Second iteration: brings the first iteration number of emails.

-Third iteration: brings the max emails per scheduled polling.

-After that it does not bring any more emails despite the fact that there are more pending emails to bring.


As well it seems that there is a cache when I try the same emails and there are some emails missing when I execute the Scheduled polling over the same set of emails.


Can you help please?


Thank you!


Labels (1)
0 Karma

Path Finder


Have you tried the previous version 1.0.105? We raised a support case for the latest version for similar issues and they are looking into a fix as the state file isn't filled out correctly.

Oldest first for us didn't work at all, so we had to use latest which puts everything out of order.

0 Karma



For app related issues, you can try reporting it Phantom Support / or to the developer of the App.

In the meantime, just revert to the working app version while the issue is being identified / fixed in the newer version.


0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!