Splunk SOAR (f.k.a. Phantom)
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

O365 Integration for SOAR (Ingest emails?)

EdgeSync
Engager
‎10-08-2021 03:49 AM

Hi all,

Is there any app, method or guidance for ingesting emails directly form a O365 mailbox?

So a use case for us would be:

  • We have a mailbox which receives Phishing Reports
  • SOAR logs onto the mailbox, downloads the unread mails + turns them into "Events"
  • Playbook begins working on these events - checking URL's, checking to/from addresses, maybe further triage based on o365 logs or whatever
  • Detonate mail/attachments in Sandbox, capture networks/process/file related results, e.g. Cuckoo
  • Playbook decides if mail is okay, suspicious, or phishing (or integrates with another tool to get that information - e.g. Proofpoint
  • All information made available to the analyst who reviews

In order to kick these off we'd need to be able to INGEST the email to begin with, but don't see any way to do that at present.

If it doesn't exist I will write my own app for it - but don't want to reinvent the wheel if I don't have to 🙂

Thanks!

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎10-08-2021 04:44 AM

@EdgeSync there is an O365 App already that will be able to poll the inbox and create the necessary events:

https://my.phantom.us/4.10/docs/app_reference/phantom_office365 

Actions:
run query - Search emails
delete email - Delete emails
copy email - Copy an email to a folder
move email - Move an email to a folder
block sender - Add the sender email into the block list
unblock sender - Remove the sender email from the block list
get email - Get an email from the server
list addresses - Get the email addresses that make up a Distribution List
lookup email - Resolve an Alias name or email address, into mailboxes
update email - Update an email on the server
on poll - Action handler for the ingest functionality

The on-poll action is run outside of a playbook and can be scheduled in the asset settings under the "ingest setting" tab when creating the asset to communicate with the 365 servers. 

All you need is a playbook set to work on the label you assign to the ingested email events and if you want it to run automatically just set it to active and watch the magic 😄

Apps are also now available on splunkbase now too: https://splunkbase.splunk.com/app/5829/ 

View solution in original post

Reply
Solved! Jump to solution

EdgeSync
Engager
‎10-08-2021 05:36 AM

@phanTom

This is an excellent start, thank you very much. I was searching in SOAR App's window and it's not there, and also checked splunkbase, but found nothing.

Best,

EdgeSync

0 Karma
Reply
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎10-08-2021 04:44 AM

@EdgeSync there is an O365 App already that will be able to poll the inbox and create the necessary events:

https://my.phantom.us/4.10/docs/app_reference/phantom_office365 

Actions:
run query - Search emails
delete email - Delete emails
copy email - Copy an email to a folder
move email - Move an email to a folder
block sender - Add the sender email into the block list
unblock sender - Remove the sender email from the block list
get email - Get an email from the server
list addresses - Get the email addresses that make up a Distribution List
lookup email - Resolve an Alias name or email address, into mailboxes
update email - Update an email on the server
on poll - Action handler for the ingest functionality

The on-poll action is run outside of a playbook and can be scheduled in the asset settings under the "ingest setting" tab when creating the asset to communicate with the 365 servers. 

All you need is a playbook set to work on the label you assign to the ingested email events and if you want it to run automatically just set it to active and watch the magic 😄

Apps are also now available on splunkbase now too: https://splunkbase.splunk.com/app/5829/ 

Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...