Splunk SOAR (f.k.a. Phantom)

Email ingestion from O365: Different artifacts generated from EWS and Graph apps?

Iñigo
Explorer

Hi all,

We use email ingestion as an input for several processes, mainly for phishing analysis.

So far we are ingesting from O365 through the EWS app, but we are experiencing some issues, so we want to migrate to ingestion through the Graph API via the Graph app.

The thing is that, comparing the artifacts generated at ingestion time for the same emails between the EWS app and the Graph app, there are differences in the number of artifacts (sometimes more, sometimes less) and in the CEF detail of those of "Email Artifact" type.

Even within the containers generated by the Graph app, the different email artifacts created during ingestion (e.g. from an email with other emails attached) have different structures: some of them are similar or maybe equal to the CEF structure generated by the EWS and Parser apps, and some have a new structure exclusive to Graph-generated artifacts.

Since the source of the emails is exactly the same and the output type is the same (Email Artifact), we expected the output content to also be the same.

There are differences not only in the output structure, but also in the content, mainly in the body content and its parsing.

Has anyone found any documentation explaining the parsing process and the output structure?

Any hints about the logic behind the different output data structures?

I'll mention some members who posted about related topics: @phanTom  @drew19  @EdgeSync @lluebeck_splunk
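A small helper for the comparison described in the post, added here as an example and not part of the original question or of either Splunk app. It takes two lists of artifact dicts in the shape SOAR stores them (`name`, `label`, `cef`), as you would get them from a container's artifacts via the SOAR REST API or an export, and reports for one artifact type how many artifacts each side produced, which CEF keys appear on only one side, and whether artifacts of the same type within one container have differing key sets. The artifacts below are constructed sample data; the CEF key names in them are illustrative and are not a record of what the EWS or Graph app actually emits.

```python
"""Diff the CEF field sets of "Email Artifact" entries from two SOAR containers."""
from collections import Counter

# Constructed sample artifacts (illustrative CEF keys, not captured from either app).
# Left side: one message ingested by the EWS app.
EWS_ARTIFACTS = [
    {"name": "Email Artifact", "label": "email",
     "cef": {"fromEmail": "alice@example.test", "toEmail": "bob@example.test",
             "subject": "Invoice", "bodyText": "Please see attached.",
             "emailHeaders": {"Message-ID": "<1@example.test>"}}},
    {"name": "Email Attachment Artifact", "label": "attachment",
     "cef": {"fileName": "invoice.pdf", "fileHashSha256": "PLACEHOLDER_HASH"}},
]

# Right side: the same message ingested by the Graph app, where an attached .eml
# produced a second "Email Artifact" with a different key set.
GRAPH_ARTIFACTS = [
    {"name": "Email Artifact", "label": "email",
     "cef": {"fromEmail": "alice@example.test", "toEmail": "bob@example.test",
             "subject": "Invoice", "bodyHtml": "<p>Please see attached.</p>",
             "emailHeaders": {"Message-ID": "<1@example.test>"}}},
    {"name": "Email Artifact", "label": "email",
     "cef": {"fromEmail": "carol@example.test", "subject": "FW: Invoice",
             "body": "forwarded text"}},
    {"name": "Email Attachment Artifact", "label": "attachment",
     "cef": {"fileName": "invoice.pdf", "fileHashSha256": "PLACEHOLDER_HASH"}},
]


def count_by_name(artifacts):
    """Number of artifacts per artifact name (e.g. how many "Email Artifact")."""
    return Counter(a["name"] for a in artifacts)


def cef_shapes(artifacts, name):
    """Distinct CEF key sets among artifacts with the given name.

    More than one entry means artifacts of the same type in the same
    container do not share a structure.
    """
    shapes = {tuple(sorted(a["cef"])) for a in artifacts if a["name"] == name}
    return sorted(shapes)


def compare_artifacts(left, right, name="Email Artifact"):
    """Summarise count and CEF-key differences for one artifact type."""
    left_keys = set().union(*(a["cef"] for a in left if a["name"] == name))
    right_keys = set().union(*(a["cef"] for a in right if a["name"] == name))
    return {
        "count_left": count_by_name(left)[name],
        "count_right": count_by_name(right)[name],
        "only_left": sorted(left_keys - right_keys),
        "only_right": sorted(right_keys - left_keys),
        "shapes_left": cef_shapes(left, name),
        "shapes_right": cef_shapes(right, name),
    }


if __name__ == "__main__":
    report = compare_artifacts(EWS_ARTIFACTS, GRAPH_ARTIFACTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it on the sample data flags the points raised in the post: the Graph side has one more "Email Artifact", the body is carried under different CEF keys on each side (`bodyText` versus `bodyHtml`/`body` in the constructed data), and the two Graph email artifacts do not share one key set. Feeding it the real artifact lists from two containers built from the same message gives a concrete list of fields to map before switching playbooks over.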
