Splunk SOAR

How to delete malicious email in all the company users' mailboxes?

drew19
Path Finder

Hi all,

Is there a way to integrate with O365 and, given a malicious email (identified by subject and sender), search for it in all the mailboxes of all the users and then delete it?

I was looking for an action in the "EWS for Office 365 App" and in "MS Graph for Office 365" but I do not see any action able to do that. For instance, the "run query" actions require a precise mailbox to look into.

Thank you in advance.

0 Karma

phanTom
SplunkTrust

@drew19 if you can get the message id of the email from ANY inbox then you can just use the `delete email` action in the EWS app.

The message id is usually on the original email, but depending on how you report phishing you may not get the original id through, so you could run a query on one user's mailbox to find the id and then pass it into the delete action. As long as impersonation rights are there, AFAIK it should then delete all messages with that id in all mailboxes.

Happy SOARing

----- If this helped fix it please mark as a solution to help others in the future -----

0 Karma
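One way to script the two-step approach above in a SOAR playbook, as an added example that is not code from the thread or from the EWS app itself: it runs `run query` against one mailbox known to have received the message, re-checks subject and sender locally before anything is deleted, and hands the collected ids to `delete email`. The asset name `ews_o365`, the `subject`/`sender`/`id` parameter names, the action-result row layout and the callback signature are assumptions to confirm against the app's action documentation; only the `email` mailbox field is taken from the thread.

```python
# Added example (not from the thread or the EWS app): SOAR playbook fragment for
# "find the id in one mailbox, then delete by id". Asset name, parameter names
# other than "email", and the action-result row layout are assumptions.
REPORTED_SUBJECT = "Invoice overdue - action required"  # constructed sample
REPORTED_SENDER = "billing@example.invalid"             # constructed sample
SEED_MAILBOX = "reporter@example.invalid"               # a known recipient
EWS_ASSET = "ews_o365"                                  # assumed asset name

def on_start(container):
    # Step 1: query only the reporting user's mailbox, as the answer suggests.
    import phantom.rules as phantom  # only importable inside the SOAR runtime
    phantom.act(action="run query", assets=[EWS_ASSET], name="run_query_1",
                parameters=[{"email": SEED_MAILBOX, "subject": REPORTED_SUBJECT,
                             "sender": REPORTED_SENDER}],
                callback=run_query_cb)

def matching_ids(rows, subject, sender):
    """Deduplicated ids of rows whose subject and sender match exactly; the
    app's query may match loosely, so the filter is re-applied before deleting."""
    seen, ids = set(), []
    for row in rows:
        if row.get("subject") != subject:
            continue
        if (row.get("from") or "").lower() != sender.lower():
            continue
        msg_id = row.get("id")
        if msg_id and msg_id not in seen:
            seen.add(msg_id)
            ids.append(msg_id)
    return ids

def delete_params(ids, mailbox):
    # One "delete email" parameter set per id; "email" is the mailbox field the
    # thread mentions, "id" is the assumed message-id field.
    return [{"id": msg_id, "email": mailbox} for msg_id in ids]

def run_query_cb(action, success, container, results, handle, **kwargs):
    # Step 2: pull rows out of the action results (assumed layout) and delete.
    import phantom.rules as phantom
    rows = [row for res in results for ar in res.get("action_results", [])
            for row in ar.get("data", [])]
    ids = matching_ids(rows, REPORTED_SUBJECT, REPORTED_SENDER)
    if not success or not ids:
        phantom.debug("run query returned no exact matches; nothing deleted")
        return
    phantom.act(action="delete email", assets=[EWS_ASSET], name="delete_email_1",
                parameters=delete_params(ids, SEED_MAILBOX))
```

Whether `delete email` by id removes the message from other users' mailboxes, as the answer expects, depends on the app and the impersonation rights of the service account, so verify on one mailbox first.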

drew19
Path Finder

Hi @phanTom,

Did you miss the last answer? Is there a way to understand if and how we could get all the email IDs related to a specific email (e.g. given a subject and a sender, or pivoting on other elements; which ones in that case?).

Thank you in advance.

Andrea

0 Karma

drew19
Path Finder

Hi @phanTom ,

thank you for your reply.

This is not answering our question, so let me try to write it better.

Our target usecase is to:

1) Find all the users who have received an email with a particular subject/sender/string in the body and retrieve the related email IDs;

2) Delete such emails.

The (most important) point that seems not possible for now is the first one, since when using the "run query" action from the Exchange App you are required to specify the input field "email", that is, the "User Mailbox to search in".
For this reason, we do not see any app/action for Phantom that could help us retrieve such IDs. Is there a way to do that?

0 Karma