Splunk SOAR (f.k.a. Phantom)

O365 Integration for SOAR (Ingest emails?)

EdgeSync
Engager

Hi all,

Is there any app, method or guidance for ingesting emails directly from an O365 mailbox?

So a use case for us would be:

  • We have a mailbox which receives Phishing Reports
  • SOAR logs onto the mailbox, downloads the unread mails + turns them into "Events"
  • Playbook begins working on these events - checking URLs, checking to/from addresses, maybe further triage based on o365 logs or whatever
  • Detonate mail/attachments in Sandbox, capture networks/process/file related results, e.g. Cuckoo
  • Playbook decides if mail is okay, suspicious, or phishing (or integrates with another tool to get that information - e.g. Proofpoint)
  • All information made available to the analyst who reviews

In order to kick these off we'd need to be able to INGEST the email to begin with, but don't see any way to do that at present.

If it doesn't exist I will write my own app for it - but don't want to reinvent the wheel if I don't have to 🙂

Thanks!

 


phanTom
SplunkTrust
SplunkTrust

@EdgeSync there is an O365 App already that will be able to poll the inbox and create the necessary events:

https://my.phantom.us/4.10/docs/app_reference/phantom_office365

Actions:
run query - Search emails
delete email - Delete emails
copy email - Copy an email to a folder
move email - Move an email to a folder
block sender - Add the sender email into the block list
unblock sender - Remove the sender email from the block list
get email - Get an email from the server
list addresses - Get the email addresses that make up a Distribution List
lookup email - Resolve an Alias name or email address into mailboxes
update email - Update an email on the server
on poll - Action handler for the ingest functionality

The on-poll action is run outside of a playbook and can be scheduled in the asset settings under the "ingest setting" tab when creating the asset to communicate with the 365 servers.

All you need is a playbook set to work on the label you assign to the ingested email events, and if you want it to run automatically, just set it to active and watch the magic 😄

Apps are also now available on Splunkbase too: https://splunkbase.splunk.com/app/5829/

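As an added illustration (not code from either post, nor from the Splunk O365 app) of what the on-poll ingest turns a reported email into: one container carrying the label the playbook runs on, plus artifacts for the addresses, URLs and attachments that the triage steps in the question act on. The sample message is constructed, and the container/artifact layout and CEF field names are assumptions chosen to mirror SOAR conventions, not the app's actual output.

```python
import email
import hashlib
import re
from email import policy

# Constructed sample report (not a real message): what the reporting mailbox receives.
SAMPLE_EMAIL = b"""From: "Payroll" <payroll@example.net>
To: phish-reports@example.com
Subject: Action required: update your details
Message-ID: <abc123@example.net>
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

Please confirm at https://login.example.net/update?id=42 within 24 hours.
--B1
Content-Type: application/octet-stream; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"

%PDF-1.4 not a real pdf
--B1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def addr_specs(header) -> str:
    # Parsed addr-spec, not display name: a spoofed "Payroll" name cannot mask the sender.
    return ", ".join(a.addr_spec for a in header.addresses) if header else ""

def email_to_container(raw: bytes, label: str = "phishing") -> dict:
    """One raw message -> one SOAR-style container (hypothetical layout) carrying
    the label a playbook is set to run on, plus one artifact per address pair,
    URL and attachment for playbook blocks to act on."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    artifacts = [{"name": "Email Artifact",
                  "cef": {"fromEmail": addr_specs(msg["From"]),
                          "toEmail": addr_specs(msg["To"]),
                          "emailSubject": str(msg["Subject"])}}]
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in sorted(set(URL_RE.findall(text))):
        artifacts.append({"name": "URL Artifact", "cef": {"requestURL": url}})
    for part in msg.iter_attachments():  # hash each file for sandbox/lookup blocks
        data = part.get_payload(decode=True) or b""
        artifacts.append({"name": "Attachment Artifact",
                          "cef": {"fileName": part.get_filename(),
                                  "fileHashSha256": hashlib.sha256(data).hexdigest()}})
    return {"name": f"Reported email: {msg['Subject']}", "label": label,
            "source_data_identifier": str(msg["Message-ID"] or ""), "artifacts": artifacts}
```

A playbook set to the same label would then find the sender, URL and attachment hash as separate artifacts rather than having to re-parse the message.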

EdgeSync
Engager

@phanTom

This is an excellent start, thank you very much. I was searching in the SOAR Apps window and it's not there, and also checked Splunkbase, but found nothing.

Best,

EdgeSync
