Splunk SOAR (f.k.a. Phantom)

O365 Integration for SOAR (Ingest emails?)

EdgeSync
Engager

Hi all,

Is there any app, method or guidance for ingesting emails directly from an O365 mailbox?

So a use case for us would be:

  • We have a mailbox which receives Phishing Reports
  • SOAR logs onto the mailbox, downloads the unread mails + turns them into "Events"
  • Playbook begins working on these events - checking URLs, checking to/from addresses, maybe further triage based on o365 logs or whatever
  • Detonate mail/attachments in Sandbox, capture networks/process/file related results, e.g. Cuckoo
  • Playbook decides if mail is okay, suspicious, or phishing (or integrates with another tool to get that information - e.g. Proofpoint)
  • All information made available to the analyst who reviews

In order to kick these off we'd need to be able to INGEST the email to begin with, but don't see any way to do that at present.

If it doesn't exist I will write my own app for it - but don't want to reinvent the wheel if I don't have to 🙂

Thanks!

 


phanTom
SplunkTrust

@EdgeSync there is an O365 App already that will be able to poll the inbox and create the necessary events:

https://my.phantom.us/4.10/docs/app_reference/phantom_office365 

Actions:
run query - Search emails
delete email - Delete emails
copy email - Copy an email to a folder
move email - Move an email to a folder
block sender - Add the sender email into the block list
unblock sender - Remove the sender email from the block list
get email - Get an email from the server
list addresses - Get the email addresses that make up a Distribution List
lookup email - Resolve an Alias name or email address, into mailboxes
update email - Update an email on the server
on poll - Action handler for the ingest functionality

The on-poll action is run outside of a playbook and can be scheduled in the asset settings under the "ingest setting" tab when creating the asset to communicate with the 365 servers. 

All you need is a playbook set to work on the label you assign to the ingested email events and if you want it to run automatically just set it to active and watch the magic 😄

Apps are also available on Splunkbase now too: https://splunkbase.splunk.com/app/5829/


EdgeSync
Engager

@phanTom

This is an excellent start, thank you very much. I was searching in the SOAR Apps window and it's not there, and also checked Splunkbase, but found nothing.

Best,

EdgeSync
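
The sender and URL checks from the use case in the original question, as an added example that is not part of any post in this thread and is not code from the O365 app. It is standalone standard-library Python run on a constructed report; the function names, sample addresses and finding strings are assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: a user report with the suspicious mail attached (message/rfc822).
SAMPLE_REPORT = """\
From: Alice <alice@corp.example>
To: phishing@corp.example
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Is this legit?
--b1
Content-Type: message/rfc822

From: "IT Helpdesk" <helpdesk@corp.example>
Reply-To: support@mail-reset.example
Content-Type: text/html

<a href="http://login.mail-reset.example/o365">https://portal.corp.example</a>
--b1--
"""
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)

def addr(msg, header):
    return parseaddr(str(msg.get(header, "")))[1].lower()

def triage(raw):
    report = message_from_string(raw, policy=policy.default)
    # Prefer the attached original; fall back to the report itself (inline forward).
    inner = next((p.get_payload(0) for p in report.walk()
                  if p.get_content_type() == "message/rfc822"), report)
    body = "\n".join(p.get_content() for p in inner.walk()
                     if p.get_content_maintype() == "text")
    sender, reply_to = addr(inner, "From"), addr(inner, "Reply-To")
    findings = []
    if reply_to and reply_to.rpartition("@")[2] != sender.rpartition("@")[2]:
        findings.append("Reply-To domain differs from From domain")
    for href, text in LINK_RE.findall(body):
        shown, target = urlparse(text.strip()).hostname, urlparse(href).hostname
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
    return {"reporter": addr(report, "From"), "from": sender, "reply_to": reply_to,
            "urls": sorted(set(URL_RE.findall(body))), "findings": findings}
```

Calling `triage(SAMPLE_REPORT)` returns the reporter, the original sender and Reply-To, the extracted URLs and a list of findings for the analyst to review.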
